2015-10-08 This release contains a variety of fixes from 9.0.22. For information about new features in the 9.0 major release, see . This is expected to be the last PostgreSQL release in the 9.0.X series. Users are encouraged to update to a newer release branch soon. A dump/restore is not required for those running 9.0.X. However, if you are upgrading from a version earlier than 9.0.18, see . Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh Kupershmidt) Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. (CVE-2015-5288) Fix subtransaction cleanup after a portal (cursor) belonging to an outer subtransaction fails (Tom Lane, Michael Paquier) A function executed in an outer-subtransaction cursor could cause an assertion failure or crash by referencing a relation created within an inner subtransaction. Fix insertion of relations into the relation cache init file (Tom Lane) An oversight in a patch in the most recent minor releases caused pg_trigger_tgrelid_tgname_index to be omitted from the init file. Subsequent sessions detected this, then deemed the init file to be broken and silently ignored it, resulting in a significant degradation in session startup time. In addition to fixing the bug, install some guards so that any similar future mistake will be more obvious. Avoid O(N^2) behavior when inserting many tuples into a SPI query result (Neil Conway) Improve LISTEN startup time when there are many unread notifications (Matt Newell) Disable SSL renegotiation by default (Michael Paquier, Andres Freund) While use of SSL renegotiation is a good idea in theory, we have seen too many bugs in practice, both in the underlying OpenSSL library and in our usage of it. Renegotiation will be removed entirely in 9.5 and later. In the older branches, just change the default value of ssl_renegotiation_limit to zero (disabled). Lower the minimum values of the *_freeze_max_age parameters (Andres Freund) This is mainly to make tests of related behavior less time-consuming, but it may also be of value for installations with limited disk space. Limit the maximum value of wal_buffers to 2GB to avoid server crashes (Josh Berkus) Fix rare internal overflow in multiplication of numeric values (Dean Rasheed) Guard against hard-to-reach stack overflows involving record types, range types, json, jsonb, tsquery, ltxtquery and query_int (Noah Misch) Fix handling of DOW and DOY in datetime input (Greg Stark) These tokens aren't meant to be used in datetime values, but previously they resulted in opaque internal error messages rather than invalid input syntax. Add more query-cancel checks to regular expression matching (Tom Lane) Add recursion depth protections to regular expression, SIMILAR TO, and LIKE matching (Tom Lane) Suitable search patterns and a low stack depth limit could lead to stack-overrun crashes. Fix potential infinite loop in regular expression execution (Tom Lane) A search pattern that can apparently match a zero-length string, but actually doesn't match because of a back reference, could lead to an infinite loop. Fix low-memory failures in regular expression compilation (Andreas Seltenreich) Fix low-probability memory leak during regular expression execution (Tom Lane) Fix rare low-memory failure in lock cleanup during transaction abort (Tom Lane) Fix unexpected out-of-memory situation during sort errors when using tuplestores with small work_mem settings (Tom Lane) Fix very-low-probability stack overrun in qsort (Tom Lane) Fix invalid memory alloc request size failure in hash joins with large work_mem settings (Tomas Vondra, Tom Lane) Fix assorted planner bugs (Tom Lane) These mistakes could lead to incorrect query plans that would give wrong answers, or to assertion failures in assert-enabled builds, or to odd planner errors such as could not devise a query plan for the given query, could not find pathkey item to sort, plan should not reference subplan's variable, or failed to assign all NestLoopParams to plan nodes. Thanks are due to Andreas Seltenreich and Piotr Stefaniak for fuzz testing that exposed these problems. Use fuzzy path cost tiebreaking rule in all supported branches (Tom Lane) This change is meant to avoid platform-specific behavior when alternative plan choices have effectively-identical estimated costs. During postmaster shutdown, ensure that per-socket lock files are removed and listen sockets are closed before we remove the postmaster.pid file (Tom Lane) This avoids race-condition failures if an external script attempts to start a new postmaster as soon as pg_ctl stop returns. Fix postmaster's handling of a startup-process crash during crash recovery (Tom Lane) If, during a crash recovery cycle, the startup process crashes without having restored database consistency, we'd try to launch a new startup process, which typically would just crash again, leading to an infinite loop. Do not print a WARNING when an autovacuum worker is already gone when we attempt to signal it, and reduce log verbosity for such signals (Tom Lane) Prevent autovacuum launcher from sleeping unduly long if the server clock is moved backwards a large amount (Álvaro Herrera) Ensure that cleanup of a GIN index's pending-insertions list is interruptable by cancel requests (Jeff Janes) Allow all-zeroes pages in GIN indexes to be reused (Heikki Linnakangas) Such a page might be left behind after a crash. Fix off-by-one error that led to otherwise-harmless warnings about apparent wraparound in subtrans/multixact truncation (Thomas Munro) Fix misreporting of CONTINUE and MOVE statement types in PL/pgSQL's error context messages (Pavel Stehule, Tom Lane) Fix some places in PL/Tcl that neglected to check for failure of malloc() calls (Michael Paquier, Álvaro Herrera) Improve libpq's handling of out-of-memory conditions (Michael Paquier, Heikki Linnakangas) Fix memory leaks and missing out-of-memory checks in ecpg (Michael Paquier) Fix psql's code for locale-aware formatting of numeric output (Tom Lane) The formatting code invoked by \pset numericlocale on did the wrong thing for some uncommon cases such as numbers with an exponent but no decimal point. It could also mangle already-localized output from the money data type. Prevent crash in psql's \c command when there is no current connection (Noah Misch) Ensure that temporary files created during a pg_dump run with tar-format output are not world-readable (Michael Paquier) Fix pg_dump and pg_upgrade to support cases where the postgres or template1 database is in a non-default tablespace (Marti Raudsepp, Bruce Momjian) Fix pg_dump to handle object privileges sanely when dumping from a server too old to have a particular privilege type (Tom Lane) When dumping functions or procedural languages from pre-7.3 servers, pg_dump would produce GRANT/REVOKE commands that revoked the owner's grantable privileges and instead granted all privileges to PUBLIC. Since the privileges involved are just USAGE and EXECUTE, this isn't a security problem, but it's certainly a surprising representation of the older systems' behavior. Fix it to leave the default privilege state alone in these cases. Fix pg_dump to dump shell types (Tom Lane) Shell types (that is, not-yet-fully-defined types) aren't useful for much, but nonetheless pg_dump should dump them. Fix spinlock assembly code for PPC hardware to be compatible with AIX's native assembler (Tom Lane) Building with gcc didn't work if gcc had been configured to use the native assembler, which is becoming more common. On AIX, test the -qlonglong compiler option rather than just assuming it's safe to use (Noah Misch) On AIX, use -Wl,-brtllib link option to allow symbols to be resolved at runtime (Noah Misch) Perl relies on this ability in 5.8.0 and later. Avoid use of inline functions when compiling with 32-bit xlc, due to compiler bugs (Noah Misch) Use librt for sched_yield() when necessary, which it is on some Solaris versions (Oskari Saarenmaa) Fix Windows install.bat script to handle target directory names that contain spaces (Heikki Linnakangas) Make the numeric form of the PostgreSQL version number (e.g., 90405) readily available to extension Makefiles, as a variable named VERSION_NUM (Michael Paquier) Update time zone data files to tzdata release 2015g for DST law changes in Cayman Islands, Fiji, Moldova, Morocco, Norfolk Island, North Korea, Turkey, and Uruguay. There is a new zone name America/Fort_Nelson for the Canadian Northern Rockies. 2015-06-12 This release contains a small number of fixes from 9.0.21. For information about new features in the 9.0 major release, see . The PostgreSQL community will stop releasing updates for the 9.0.X release series in September 2015. Users are encouraged to update to a newer release branch soon. A dump/restore is not required for those running 9.0.X. However, if you are upgrading from a version earlier than 9.0.18, see . Fix rare failure to invalidate relation cache init file (Tom Lane) With just the wrong timing of concurrent activity, a VACUUM FULL on a system catalog might fail to update the init file that's used to avoid cache-loading work for new sessions. This would result in later sessions being unable to access that catalog at all. This is a very ancient bug, but it's so hard to trigger that no reproducible case had been seen until recently. Avoid deadlock between incoming sessions and CREATE/DROP DATABASE (Tom Lane) A new session starting in a database that is the target of a DROP DATABASE command, or is the template for a CREATE DATABASE command, could cause the command to wait for five seconds and then fail, even if the new session would have exited before that. 2015-06-04 This release contains a small number of fixes from 9.0.20. For information about new features in the 9.0 major release, see . The PostgreSQL community will stop releasing updates for the 9.0.X release series in September 2015. Users are encouraged to update to a newer release branch soon. A dump/restore is not required for those running 9.0.X. However, if you are upgrading from a version earlier than 9.0.18, see . Avoid failures while fsync'ing data directory during crash restart (Abhijit Menon-Sen, Tom Lane) In the previous minor releases we added a patch to fsync everything in the data directory after a crash. Unfortunately its response to any error condition was to fail, thereby preventing the server from starting up, even when the problem was quite harmless. An example is that an unwritable file in the data directory would prevent restart on some platforms; but it is common to make SSL certificate files unwritable by the server. Revise this behavior so that permissions failures are ignored altogether, and other types of failures are logged but do not prevent continuing. Remove configure's check prohibiting linking to a threaded libpython on OpenBSD (Tom Lane) The failure this restriction was meant to prevent seems to not be a problem anymore on current OpenBSD versions. Allow libpq to use TLS protocol versions beyond v1 (Noah Misch) For a long time, libpq was coded so that the only SSL protocol it would allow was TLS v1. Now that newer TLS versions are becoming popular, allow it to negotiate the highest commonly-supported TLS version with the server. (PostgreSQL servers were already capable of such negotiation, so no change is needed on the server side.) This is a back-patch of a change already released in 9.4.0. 2015-05-22 This release contains a variety of fixes from 9.0.19. For information about new features in the 9.0 major release, see . The PostgreSQL community will stop releasing updates for the 9.0.X release series in September 2015. Users are encouraged to update to a newer release branch soon. A dump/restore is not required for those running 9.0.X. However, if you are upgrading from a version earlier than 9.0.18, see . Avoid possible crash when client disconnects just before the authentication timeout expires (Benkocs Norbert Attila) If the timeout interrupt fired partway through the session shutdown sequence, SSL-related state would be freed twice, typically causing a crash and hence denial of service to other sessions. Experimentation shows that an unauthenticated remote attacker could trigger the bug somewhat consistently, hence treat as security issue. (CVE-2015-3165) Improve detection of system-call failures (Noah Misch) Our replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure, due to our code assuming that a buffer had been overwritten when it hadn't been. Also, there were a few places in which security-relevant calls of other system library functions did not check for failure. It remains possible that some calls of the *printf() family of functions are vulnerable to information disclosure if an out-of-memory error occurs at just the wrong time. We judge the risk to not be large, but will continue analysis in this area. (CVE-2015-3166) In contrib/pgcrypto, uniformly report decryption failures as Wrong key or corrupt data (Noah Misch) Previously, some cases of decryption with an incorrect key could report other error message texts. It has been shown that such variance in error reports can aid attackers in recovering keys from other systems. While it's unknown whether pgcrypto's specific behaviors are likewise exploitable, it seems better to avoid the risk by using a one-size-fits-all message. (CVE-2015-3167) Fix incorrect checking of deferred exclusion constraints after a HOT update (Tom Lane) If a new row that potentially violates a deferred exclusion constraint is HOT-updated (that is, no indexed columns change and the row can be stored back onto the same table page) later in the same transaction, the exclusion constraint would be reported as violated when the check finally occurred, even if the row(s) the new row originally conflicted with had been deleted. Prevent improper reordering of antijoins (NOT EXISTS joins) versus other outer joins (Tom Lane) This oversight in the planner has been observed to cause could not find RelOptInfo for given relids errors, but it seems possible that sometimes an incorrect query plan might get past that consistency check and result in silently-wrong query output. Fix incorrect matching of subexpressions in outer-join plan nodes (Tom Lane) Previously, if textually identical non-strict subexpressions were used both above and below an outer join, the planner might try to re-use the value computed below the join, which would be incorrect because the executor would force the value to NULL in case of an unmatched outer row. Fix GEQO planner to cope with failure of its join order heuristic (Tom Lane) This oversight has been seen to lead to failed to join all relations together errors in queries involving LATERAL, and that might happen in other cases as well. Fix possible deadlock at startup when max_prepared_transactions is too small (Heikki Linnakangas) Don't archive useless preallocated WAL files after a timeline switch (Heikki Linnakangas) Avoid cannot GetMultiXactIdMembers() during recovery error (Álvaro Herrera) Recursively fsync() the data directory after a crash (Abhijit Menon-Sen, Robert Haas) This ensures consistency if another crash occurs shortly later. (The second crash would have to be a system-level crash, not just a database crash, for there to be a problem.) Fix autovacuum launcher's possible failure to shut down, if an error occurs after it receives SIGTERM (Álvaro Herrera) Cope with unexpected signals in LockBufferForCleanup() (Andres Freund) This oversight could result in spurious errors about multiple backends attempting to wait for pincount 1. Avoid waiting for WAL flush or synchronous replication during commit of a transaction that was read-only so far as the user is concerned (Andres Freund) Previously, a delay could occur at commit in transactions that had written WAL due to HOT page pruning, leading to undesirable effects such as sessions getting stuck at startup if all synchronous replicas are down. Sessions have also been observed to get stuck in catchup interrupt processing when using synchronous replication; this will fix that problem as well. Fix crash when manipulating hash indexes on temporary tables (Heikki Linnakangas) Fix possible failure during hash index bucket split, if other processes are modifying the index concurrently (Tom Lane) Check for interrupts while analyzing index expressions (Jeff Janes) ANALYZE executes index expressions many times; if there are slow functions in such an expression, it's desirable to be able to cancel the ANALYZE before that loop finishes. Add the name of the target server to object description strings for foreign-server user mappings (Álvaro Herrera) Recommend setting include_realm to 1 when using Kerberos/GSSAPI/SSPI authentication (Stephen Frost) Without this, identically-named users from different realms cannot be distinguished. For the moment this is only a documentation change, but it will become the default setting in PostgreSQL 9.5. Remove code for matching IPv4 pg_hba.conf entries to IPv4-in-IPv6 addresses (Tom Lane) This hack was added in 2003 in response to a report that some Linux kernels of the time would report IPv4 connections as having IPv4-in-IPv6 addresses. However, the logic was accidentally broken in 9.0. The lack of any field complaints since then shows that it's not needed anymore. Now we have reports that the broken code causes crashes on some systems, so let's just remove it rather than fix it. (Had we chosen to fix it, that would make for a subtle and potentially security-sensitive change in the effective meaning of IPv4 pg_hba.conf entries, which does not seem like a good thing to do in minor releases.) While shutting down service on Windows, periodically send status updates to the Service Control Manager to prevent it from killing the service too soon; and ensure that pg_ctl will wait for shutdown (Krystian Bigaj) Reduce risk of network deadlock when using libpq's non-blocking mode (Heikki Linnakangas) When sending large volumes of data, it's important to drain the input buffer every so often, in case the server has sent enough response data to cause it to block on output. (A typical scenario is that the server is sending a stream of NOTICE messages during COPY FROM STDIN.) This worked properly in the normal blocking mode, but not so much in non-blocking mode. We've modified libpq to opportunistically drain input when it can, but a full defense against this problem requires application cooperation: the application should watch for socket read-ready as well as write-ready conditions, and be sure to call PQconsumeInput() upon read-ready. Fix array handling in ecpg (Michael Meskes) Fix psql to sanely handle URIs and conninfo strings as the first parameter to \connect (David Fetter, Andrew Dunstan, Álvaro Herrera) This syntax has been accepted (but undocumented) for a long time, but previously some parameters might be taken from the old connection instead of the given string, which was agreed to be undesirable. Suppress incorrect complaints from psql on some platforms that it failed to write ~/.psql_history at exit (Tom Lane) This misbehavior was caused by a workaround for a bug in very old (pre-2006) versions of libedit. We fixed it by removing the workaround, which will cause a similar failure to appear for anyone still using such versions of libedit. Recommendation: upgrade that library, or use libreadline. Fix pg_dump's rule for deciding which casts are system-provided casts that should not be dumped (Tom Lane) Fix dumping of views that are just VALUES(...) but have column aliases (Tom Lane) In pg_upgrade, force timeline 1 in the new cluster (Bruce Momjian) This change prevents upgrade failures caused by bogus complaints about missing WAL history files. In pg_upgrade, check for improperly non-connectable databases before proceeding (Bruce Momjian) In pg_upgrade, quote directory paths properly in the generated delete_old_cluster script (Bruce Momjian) In pg_upgrade, preserve database-level freezing info properly (Bruce Momjian) This oversight could cause missing-clog-file errors for tables within the postgres and template1 databases. Run pg_upgrade and pg_resetxlog with restricted privileges on Windows, so that they don't fail when run by an administrator (Muhammad Asif Naeem) Fix slow sorting algorithm in contrib/intarray (Tom Lane) Fix compile failure on Sparc V8 machines (Rob Rowan) Update time zone data files to tzdata release 2015d for DST law changes in Egypt, Mongolia, and Palestine, plus historical changes in Canada and Chile. Also adopt revised zone abbreviations for the America/Adak zone (HST/HDT not HAST/HADT). 2015-02-05 This release contains a variety of fixes from 9.0.18. For information about new features in the 9.0 major release, see . A dump/restore is not required for those running 9.0.X. However, if you are upgrading from a version earlier than 9.0.18, see . Fix buffer overruns in to_char() (Bruce Momjian) When to_char() processes a numeric formatting template calling for a large number of digits, PostgreSQL would read past the end of a buffer. When processing a crafted timestamp formatting template, PostgreSQL would write past the end of a buffer. Either case could crash the server. We have not ruled out the possibility of attacks that lead to privilege escalation, though they seem unlikely. (CVE-2015-0241) Fix buffer overrun in replacement *printf() functions (Tom Lane) PostgreSQL includes a replacement implementation of printf and related functions. This code will overrun a stack buffer when formatting a floating point number (conversion specifiers e, E, f, F, g or G) with requested precision greater than about 500. This will crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. A database user can trigger such a buffer overrun through the to_char() SQL function. While that is the only affected core PostgreSQL functionality, extension modules that use printf-family functions may be at risk as well. This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of these functions where adequate, which it is on other modern platforms. (CVE-2015-0242) Fix buffer overruns in contrib/pgcrypto (Marko Tiikkaja, Noah Misch) Errors in memory size tracking within the pgcrypto module permitted stack buffer overruns and improper dependence on the contents of uninitialized memory. The buffer overrun cases can crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. (CVE-2015-0243) Fix possible loss of frontend/backend protocol synchronization after an error (Heikki Linnakangas) If any error occurred while the server was in the middle of reading a protocol message from the client, it could lose synchronization and incorrectly try to interpret part of the message's data as a new protocol message. An attacker able to submit crafted binary data within a command parameter might succeed in injecting his own SQL commands this way. Statement timeout and query cancellation are the most likely sources of errors triggering this scenario. Particularly vulnerable are applications that use a timeout and also submit arbitrary user-crafted data as binary query parameters. Disabling statement timeout will reduce, but not eliminate, the risk of exploit. Our thanks to Emil Lenngren for reporting this issue. (CVE-2015-0244) Fix information leak via constraint-violation error messages (Stephen Frost) Some server error messages show the values of columns that violate a constraint, such as a unique constraint. If the user does not have SELECT privilege on all columns of the table, this could mean exposing values that the user should not be able to see. Adjust the code so that values are displayed only when they came from the SQL command or could be selected by the user. (CVE-2014-8161) Lock down regression testing's temporary installations on Windows (Noah Misch) Use SSPI authentication to allow connections only from the OS user who launched the test suite. This closes on Windows the same vulnerability previously closed on other platforms, namely that other users might be able to connect to the test postmaster. (CVE-2014-0067) Avoid possible data corruption if ALTER DATABASE SET TABLESPACE is used to move a database to a new tablespace and then shortly later move it back to its original tablespace (Tom Lane) Avoid corrupting tables when ANALYZE inside a transaction is rolled back (Andres Freund, Tom Lane, Michael Paquier) If the failing transaction had earlier removed the last index, rule, or trigger from the table, the table would be left in a corrupted state with the relevant pg_class flags not set though they should be. Fix use-of-already-freed-memory problem in EvalPlanQual processing (Tom Lane) In READ COMMITTED mode, queries that lock or update recently-updated rows could crash as a result of this bug. Fix planning of SELECT FOR UPDATE when using a partial index on a child table (Kyotaro Horiguchi) In READ COMMITTED mode, SELECT FOR UPDATE must also recheck the partial index's WHERE condition when rechecking a recently-updated row to see if it still satisfies the query's WHERE condition. This requirement was missed if the index belonged to an inheritance child table, so that it was possible to incorrectly return rows that no longer satisfy the query condition. Fix corner case wherein SELECT FOR UPDATE could return a row twice, and possibly miss returning other rows (Tom Lane) In READ COMMITTED mode, a SELECT FOR UPDATE that is scanning an inheritance tree could incorrectly return a row from a prior child table instead of the one it should return from a later child table. Reject duplicate column names in the referenced-columns list of a FOREIGN KEY declaration (David Rowley) This restriction is per SQL standard. Previously we did not reject the case explicitly, but later on the code would fail with bizarre-looking errors. Fix bugs in raising a numeric value to a large integral power (Tom Lane) The previous code could get a wrong answer, or consume excessive amounts of time and memory before realizing that the answer must overflow. In numeric_recv(), truncate away any fractional digits that would be hidden according to the value's dscale field (Tom Lane) A numeric value's display scale (dscale) should never be less than the number of nonzero fractional digits; but apparently there's at least one broken client application that transmits binary numeric values in which that's true. This leads to strange behavior since the extra digits are taken into account by arithmetic operations even though they aren't printed. The least risky fix seems to be to truncate away such hidden digits on receipt, so that the value is indeed what it prints as. Reject out-of-range numeric timezone specifications (Tom Lane) Simple numeric timezone specifications exceeding +/- 168 hours (one week) would be accepted, but could then cause null-pointer dereference crashes in certain operations. There's no use-case for such large UTC offsets, so reject them. Fix bugs in tsquery @> tsquery operator (Heikki Linnakangas) Two different terms would be considered to match if they had the same CRC. Also, if the second operand had more terms than the first, it would be assumed not to be contained in the first; which is wrong since it might contain duplicate terms. Improve ispell dictionary's defenses against bad affix files (Tom Lane) Allow more than 64K phrases in a thesaurus dictionary (David Boutin) The previous coding could crash on an oversize dictionary, so this was deemed a back-patchable bug fix rather than a feature addition. Fix namespace handling in xpath() (Ali Akbar) Previously, the xml value resulting from an xpath() call would not have namespace declarations if the namespace declarations were attached to an ancestor element in the input xml value, rather than to the specific element being returned. Propagate the ancestral declaration so that the result is correct when considered in isolation. Fix planner problems with nested append relations, such as inherited tables within UNION ALL subqueries (Tom Lane) Fail cleanly when a GiST index tuple doesn't fit on a page, rather than going into infinite recursion (Andrew Gierth) Exempt tables that have per-table cost_limit and/or cost_delay settings from autovacuum's global cost balancing rules (Álvaro Herrera) The previous behavior resulted in basically ignoring these per-table settings, which was unintended. Now, a table having such settings will be vacuumed using those settings, independently of what is going on in other autovacuum workers. This may result in heavier total I/O load than before, so such settings should be re-examined for sanity. Avoid wholesale autovacuuming when autovacuum is nominally off (Tom Lane) Even when autovacuum is nominally off, we will still launch autovacuum worker processes to vacuum tables that are at risk of XID wraparound. However, such a worker process then proceeded to vacuum all tables in the target database, if they met the usual thresholds for autovacuuming. This is at best pretty unexpected; at worst it delays response to the wraparound threat. Fix it so that if autovacuum is turned off, workers only do anti-wraparound vacuums and not any other work. Fix race condition between hot standby queries and replaying a full-page image (Heikki Linnakangas) This mistake could result in transient errors in queries being executed in hot standby. Fix several cases where recovery logic improperly ignored WAL records for COMMIT/ABORT PREPARED (Heikki Linnakangas) The most notable oversight was that recovery_target_xid could not be used to stop at a two-phase commit. Avoid creating unnecessary .ready marker files for timeline history files (Fujii Masao) Fix possible null pointer dereference when an empty prepared statement is used and the log_statement setting is mod or ddl (Fujii Masao) Change pgstat wait timeout warning message to be LOG level, and rephrase it to be more understandable (Tom Lane) This message was originally thought to be essentially a can't-happen case, but it occurs often enough on our slower buildfarm members to be a nuisance. Reduce it to LOG level, and expend a bit more effort on the wording: it now reads using stale statistics instead of current ones because stats collector is not responding. Fix SPARC spinlock implementation to ensure correctness if the CPU is being run in a non-TSO coherency mode, as some non-Solaris kernels do (Andres Freund) Warn if macOS's setlocale() starts an unwanted extra thread inside the postmaster (Noah Misch) Fix processing of repeated dbname parameters in PQconnectdbParams() (Alex Shulgin) Unexpected behavior ensued if the first occurrence of dbname contained a connection string or URI to be expanded. Ensure that libpq reports a suitable error message on unexpected socket EOF (Marko Tiikkaja, Tom Lane) Depending on kernel behavior, libpq might return an empty error string rather than something useful when the server unexpectedly closed the socket. Clear any old error message during PQreset() (Heikki Linnakangas) If PQreset() is called repeatedly, and the connection cannot be re-established, error messages from the failed connection attempts kept accumulating in the PGconn's error string. Properly handle out-of-memory conditions while parsing connection options in libpq (Alex Shulgin, Heikki Linnakangas) Fix array overrun in ecpg's version of ParseDateTime() (Michael Paquier) In initdb, give a clearer error message if a password file is specified but is empty (Mats Erik Andersson) Fix psql's \s command to work nicely with libedit, and add pager support (Stepan Rutz, Tom Lane) When using libedit rather than readline, \s printed the command history in a fairly unreadable encoded format, and on recent libedit versions might fail altogether. Fix that by printing the history ourselves rather than having the library do it. A pleasant side-effect is that the pager is used if appropriate. This patch also fixes a bug that caused newline encoding to be applied inconsistently when saving the command history with libedit. Multiline history entries written by older psql versions will be read cleanly with this patch, but perhaps not vice versa, depending on the exact libedit versions involved. Improve consistency of parsing of psql's special variables (Tom Lane) Allow variant spellings of on and off (such as 1/0) for ECHO_HIDDEN and ON_ERROR_ROLLBACK. Report a warning for unrecognized values for COMP_KEYWORD_CASE, ECHO, ECHO_HIDDEN, HISTCONTROL, ON_ERROR_ROLLBACK, and VERBOSITY. Recognize all values for all these variables case-insensitively; previously there was a mishmash of case-sensitive and case-insensitive behaviors. Fix psql's expanded-mode display to work consistently when using border = 3 and linestyle = ascii or unicode (Stephen Frost) Fix possible deadlock during parallel restore of a schema-only dump (Robert Haas, Tom Lane) Fix core dump in pg_dump --binary-upgrade on zero-column composite type (Rushabh Lathia) Fix block number checking in contrib/pageinspect's get_raw_page() (Tom Lane) The incorrect checking logic could prevent access to some pages in non-main relation forks. Fix contrib/pgcrypto's pgp_sym_decrypt() to not fail on messages whose length is 6 less than a power of 2 (Marko Tiikkaja) Handle unexpected query results, especially NULLs, safely in contrib/tablefunc's connectby() (Michael Paquier) connectby() previously crashed if it encountered a NULL key value. It now prints that row but doesn't recurse further. Avoid a possible crash in contrib/xml2's xslt_process() (Mark Simonetti) libxslt seems to have an undocumented dependency on the order in which resources are freed; reorder our calls to avoid a crash. Numerous cleanups of warnings from Coverity static code analyzer (Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier) These changes are mostly cosmetic but in some cases fix corner-case bugs, for example a crash rather than a proper error report after an out-of-memory failure. None are believed to represent security issues. Detect incompatible OpenLDAP versions during build (Noah Misch) With OpenLDAP versions 2.4.24 through 2.4.31, inclusive, PostgreSQL backends can crash at exit. Raise a warning during configure based on the compile-time OpenLDAP version number, and test the crashing scenario in the contrib/dblink regression test. In non-MSVC Windows builds, ensure libpq.dll is installed with execute permissions (Noah Misch) Make pg_regress remove any temporary installation it created upon successful exit (Tom Lane) This results in a very substantial reduction in disk space usage during make check-world, since that sequence involves creation of numerous temporary installations. Support time zone abbreviations that change UTC offset from time to time (Tom Lane) Previously, PostgreSQL assumed that the UTC offset associated with a time zone abbreviation (such as EST) never changes in the usage of any particular locale. However this assumption fails in the real world, so introduce the ability for a zone abbreviation to represent a UTC offset that sometimes changes. Update the zone abbreviation definition files to make use of this feature in timezone locales that have changed the UTC offset of their abbreviations since 1970 (according to the IANA timezone database). In such timezones, PostgreSQL will now associate the correct UTC offset with the abbreviation depending on the given date. Update time zone abbreviations lists (Tom Lane) Add CST (China Standard Time) to our lists. Remove references to ADT as Arabia Daylight Time, an abbreviation that's been out of use since 2007; therefore, claiming there is a conflict with Atlantic Daylight Time doesn't seem especially helpful. Fix entirely incorrect GMT offsets for CKT (Cook Islands), FJT, and FJST (Fiji); we didn't even have them on the proper side of the date line. Update time zone data files to tzdata release 2015a. The IANA timezone database has adopted abbreviations of the form AxST/AxDT for all Australian time zones, reflecting what they believe to be current majority practice Down Under. These names do not conflict with usage elsewhere (other than ACST for Acre Summer Time, which has been in disuse since 1994). Accordingly, adopt these names into our Default timezone abbreviation set. The Australia abbreviation set now contains only CST, EAST, EST, SAST, SAT, and WST, all of which are thought to be mostly historical usage. Note that SAST has also been changed to be South Africa Standard Time in the Default abbreviation set. Also, add zone abbreviations SRET (Asia/Srednekolymsk) and XJT (Asia/Urumqi), and use WSST/WSDT for western Samoa. Also, there were DST law changes in Chile, Mexico, the Turks & Caicos Islands (America/Grand_Turk), and Fiji. There is a new zone Pacific/Bougainville for portions of Papua New Guinea. Also, numerous corrections for historical (pre-1970) time zone data. 2014-07-24 This release contains a variety of fixes from 9.0.17. For information about new features in the 9.0 major release, see . A dump/restore is not required for those running 9.0.X. However, this release corrects an index corruption problem in some GiST indexes. See the first changelog entry below to find out whether your installation has been affected and what steps you should take if so. Also, if you are upgrading from a version earlier than 9.0.15, see . Correctly initialize padding bytes in contrib/btree_gist indexes on bit columns (Heikki Linnakangas) This error could result in incorrect query results due to values that should compare equal not being seen as equal. Users with GiST indexes on bit or bit varying columns should REINDEX those indexes after installing this update. Protect against torn pages when deleting GIN list pages (Heikki Linnakangas) This fix prevents possible index corruption if a system crash occurs while the page update is being written to disk. Don't clear the right-link of a GiST index page while replaying updates from WAL (Heikki Linnakangas) This error could lead to transiently wrong answers from GiST index scans performed in Hot Standby. Fix possibly-incorrect cache invalidation during nested calls to ReceiveSharedInvalidMessages (Andres Freund) Don't assume a subquery's output is unique if there's a set-returning function in its targetlist (David Rowley) This oversight could lead to misoptimization of constructs like WHERE x IN (SELECT y, generate_series(1,10) FROM t GROUP BY y). Fix failure to detoast fields in composite elements of structured types (Tom Lane) This corrects cases where TOAST pointers could be copied into other tables without being dereferenced. If the original data is later deleted, it would lead to errors like missing chunk number 0 for toast value ... when the now-dangling pointer is used. Fix record type has not been registered failures with whole-row references to the output of Append plan nodes (Tom Lane) Fix possible crash when invoking a user-defined function while rewinding a cursor (Tom Lane) Fix query-lifespan memory leak while evaluating the arguments for a function in FROM (Tom Lane) Fix session-lifespan memory leaks in regular-expression processing (Tom Lane, Arthur O'Dwyer, Greg Stark) Fix data encoding error in hungarian.stop (Tom Lane) Fix liveness checks for rows that were inserted in the current transaction and then deleted by a now-rolled-back subtransaction (Andres Freund) This could cause problems (at least spurious warnings, and at worst an infinite loop) if CREATE INDEX or CLUSTER were done later in the same transaction. Clear pg_stat_activity.xact_start during PREPARE TRANSACTION (Andres Freund) After the PREPARE, the originating session is no longer in a transaction, so it should not continue to display a transaction start time. Fix REASSIGN OWNED to not fail for text search objects (Álvaro Herrera) Block signals during postmaster startup (Tom Lane) This ensures that the postmaster will properly clean up after itself if, for example, it receives SIGINT while still starting up. Secure Unix-domain sockets of temporary postmasters started during make check (Noah Misch) Any local user able to access the socket file could connect as the server's bootstrap superuser, then proceed to execute arbitrary code as the operating-system user running the test, as we previously noted in CVE-2014-0067. This change defends against that risk by placing the server's socket in a temporary, mode 0700 subdirectory of /tmp. The hazard remains however on platforms where Unix sockets are not supported, notably Windows, because then the temporary postmaster must accept local TCP connections. A useful side effect of this change is to simplify make check testing in builds that override DEFAULT_PGSOCKET_DIR. Popular non-default values like /var/run/postgresql are often not writable by the build user, requiring workarounds that will no longer be necessary. Fix tablespace creation WAL replay to work on Windows (MauMau) Fix detection of socket creation failures on Windows (Bruce Momjian) On Windows, allow new sessions to absorb values of PGC_BACKEND parameters (such as ) from the configuration file (Amit Kapila) Previously, if such a parameter were changed in the file post-startup, the change would have no effect. Properly quote executable path names on Windows (Nikhil Deshpande) This oversight could cause initdb and pg_upgrade to fail on Windows, if the installation path contained both spaces and @ signs. Fix linking of libpython on macOS (Tom Lane) The method we previously used can fail with the Python library supplied by Xcode 5.0 and later. Avoid buffer bloat in libpq when the server consistently sends data faster than the client can absorb it (Shin-ichi Morita, Tom Lane) libpq could be coerced into enlarging its input buffer until it runs out of memory (which would be reported misleadingly as lost synchronization with server). Under ordinary circumstances it's quite far-fetched that data could be continuously transmitted more quickly than the recv() loop can absorb it, but this has been observed when the client is artificially slowed by scheduler constraints. Ensure that LDAP lookup attempts in libpq time out as intended (Laurenz Albe) Fix ecpg to do the right thing when an array of char * is the target for a FETCH statement returning more than one row, as well as some other array-handling fixes (Ashutosh Bapat) Fix pg_restore's processing of old-style large object comments (Tom Lane) A direct-to-database restore from an archive file generated by a pre-9.0 version of pg_dump would usually fail if the archive contained more than a few comments for large objects. In contrib/pgcrypto functions, ensure sensitive information is cleared from stack variables before returning (Marko Kreen) In contrib/uuid-ossp, cache the state of the OSSP UUID library across calls (Tom Lane) This improves the efficiency of UUID generation and reduces the amount of entropy drawn from /dev/urandom, on platforms that have that. Update time zone data files to tzdata release 2014e for DST law changes in Crimea, Egypt, and Morocco. 2014-03-20 This release contains a variety of fixes from 9.0.16. For information about new features in the 9.0 major release, see . A dump/restore is not required for those running 9.0.X. However, if you are upgrading from a version earlier than 9.0.15, see . Restore GIN metapages unconditionally to avoid torn-page risk (Heikki Linnakangas) Although this oversight could theoretically result in a corrupted index, it is unlikely to have caused any problems in practice, since the active part of a GIN metapage is smaller than a standard 512-byte disk sector. Avoid race condition in checking transaction commit status during receipt of a NOTIFY message (Marko Tiikkaja) This prevents a scenario wherein a sufficiently fast client might respond to a notification before database updates made by the notifier have become visible to the recipient. Allow regular-expression operators to be terminated early by query cancel requests (Tom Lane) This prevents scenarios wherein a pathological regular expression could lock up a server process uninterruptably for a long time. Remove incorrect code that tried to allow OVERLAPS with single-element row arguments (Joshua Yanovski) This code never worked correctly, and since the case is neither specified by the SQL standard nor documented, it seemed better to remove it than fix it. Avoid getting more than AccessShareLock when de-parsing a rule or view (Dean Rasheed) This oversight resulted in pg_dump unexpectedly acquiring RowExclusiveLock locks on tables mentioned as the targets of INSERT/UPDATE/DELETE commands in rules. While usually harmless, that could interfere with concurrent transactions that tried to acquire, for example, ShareLock on those tables. Improve performance of index endpoint probes during planning (Tom Lane) This change fixes a significant performance problem that occurred when there were many not-yet-committed rows at the end of the index, which is a common situation for indexes on sequentially-assigned values such as timestamps or sequence-generated identifiers. Fix test to see if hot standby connections can be allowed immediately after a crash (Heikki Linnakangas) Prevent interrupts while reporting non-ERROR messages (Tom Lane) This guards against rare server-process freezeups due to recursive entry to syslog(), and perhaps other related problems. Prevent intermittent could not reserve shared memory region failures on recent Windows versions (MauMau) Update time zone data files to tzdata release 2014a for DST law changes in Fiji and Turkey, plus historical changes in Israel and Ukraine. 2014-02-20 This release contains a variety of fixes from 9.0.15. For information about new features in the 9.0 major release, see . A dump/restore is not required for those running 9.0.X. However, if you are upgrading from a version earlier than 9.0.15, see . Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch) Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role, but this restriction was easily bypassed by doing SET ROLE first. The security impact is mostly that a role member can revoke the access of others, contrary to the wishes of his grantor. Unapproved role member additions are a lesser concern, since an uncooperative role member could provide most of his rights to others anyway by creating views or SECURITY DEFINER functions. (CVE-2014-0060) Prevent privilege escalation via manual calls to PL validator functions (Andres Freund) The primary role of PL validator functions is to be called implicitly during CREATE FUNCTION, but they are also normal SQL functions that a user can call explicitly. Calling a validator on a function actually written in some other language was not checked for and could be exploited for privilege-escalation purposes. The fix involves adding a call to a privilege-checking function in each validator function. Non-core procedural languages will also need to make this change to their own validator functions, if any. (CVE-2014-0061) Avoid multiple name lookups during table and index DDL (Robert Haas, Andres Freund) If the name lookups come to different conclusions due to concurrent activity, we might perform some parts of the DDL on a different table than other parts. At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table than the index creation, allowing for a privilege escalation attack. (CVE-2014-0062) Prevent buffer overrun with long datetime strings (Noah Misch) The MAXDATELEN constant was too small for the longest possible value of type interval, allowing a buffer overrun in interval_out(). Although the datetime input functions were more careful about avoiding buffer overrun, the limit was short enough to cause them to reject some valid inputs, such as input containing a very long timezone name. The ecpg library contained these vulnerabilities along with some of its own. (CVE-2014-0063) Prevent buffer overrun due to integer overflow in size calculations (Noah Misch, Heikki Linnakangas) Several functions, mostly type input functions, calculated an allocation size without checking for overflow. If overflow did occur, a too-small buffer would be allocated and then written past. (CVE-2014-0064) Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich) Use strlcpy() and related functions to provide a clear guarantee that fixed-size buffers are not overrun. Unlike the preceding items, it is unclear whether these cases really represent live issues, since in most cases there appear to be previous constraints on the size of the input string. Nonetheless it seems prudent to silence all Coverity warnings of this type. (CVE-2014-0065) Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian) There are relatively few scenarios in which crypt() could return NULL, but contrib/chkpass would crash if it did. One practical case in which this could be an issue is if libc is configured to refuse to execute unapproved hashing algorithms (e.g., FIPS mode). (CVE-2014-0066) Document risks of make check in the regression testing instructions (Noah Misch, Tom Lane) Since the temporary server started by make check uses trust authentication, another user on the same machine could connect to it as database superuser, and then potentially exploit the privileges of the operating-system user who started the tests. A future release will probably incorporate changes in the testing procedure to prevent this risk, but some public discussion is needed first. So for the moment, just warn people against using make check when there are untrusted users on the same machine. (CVE-2014-0067) Fix possible mis-replay of WAL records when some segments of a relation aren't full size (Greg Stark, Tom Lane) The WAL update could be applied to the wrong page, potentially many pages past where it should have been. Aside from corrupting data, this error has been observed to result in significant bloat of standby servers compared to their masters, due to updates being applied far beyond where the end-of-file should have been. This failure mode does not appear to be a significant risk during crash recovery, only when initially synchronizing a standby created from a base backup taken from a quickly-changing master. Fix bug in determining when recovery has reached consistency (Tomonari Katsumata, Heikki Linnakangas) In some cases WAL replay would mistakenly conclude that the database was already consistent at the start of replay, thus possibly allowing hot-standby queries before the database was really consistent. Other symptoms such as PANIC: WAL contains references to invalid pages were also possible. Fix improper locking of btree index pages while replaying a VACUUM operation in hot-standby mode (Andres Freund, Heikki Linnakangas, Tom Lane) This error could result in PANIC: WAL contains references to invalid pages failures. Ensure that insertions into non-leaf GIN index pages write a full-page WAL record when appropriate (Heikki Linnakangas) The previous coding risked index corruption in the event of a partial-page write during a system crash. Fix race conditions during server process exit (Robert Haas) Ensure that signal handlers don't attempt to use the process's MyProc pointer after it's no longer valid. Fix unsafe references to errno within error reporting logic (Christian Kruse) This would typically lead to odd behaviors such as missing or inappropriate HINT fields. Fix possible crashes from using ereport() too early during server startup (Tom Lane) The principal case we've seen in the field is a crash if the server is started in a directory it doesn't have permission to read. Clear retry flags properly in OpenSSL socket write function (Alexander Kukushkin) This omission could result in a server lockup after unexpected loss of an SSL-encrypted connection. Fix length checking for Unicode identifiers (U&"..." syntax) containing escapes (Tom Lane) A spurious truncation warning would be printed for such identifiers if the escaped form of the identifier was too long, but the identifier actually didn't need truncation after de-escaping. Allow keywords that are type names to be used in lists of roles (Stephen Frost) A previous patch allowed such keywords to be used without quoting in places such as role identifiers; but it missed cases where a list of role identifiers was permitted, such as DROP ROLE. Fix possible crash due to invalid plan for nested sub-selects, such as WHERE (... x IN (SELECT ...) ...) IN (SELECT ...) (Tom Lane) Ensure that ANALYZE creates statistics for a table column even when all the values in it are too wide (Tom Lane) ANALYZE intentionally omits very wide values from its histogram and most-common-values calculations, but it neglected to do something sane in the case that all the sampled entries are too wide. In ALTER TABLE ... SET TABLESPACE, allow the database's default tablespace to be used without a permissions check (Stephen Frost) CREATE TABLE has always allowed such usage, but ALTER TABLE didn't get the memo. Fix cannot accept a set error when some arms of a CASE return a set and others don't (Tom Lane) Fix checks for all-zero client addresses in pgstat functions (Kevin Grittner) Fix possible misclassification of multibyte characters by the text search parser (Tom Lane) Non-ASCII characters could be misclassified when using C locale with a multibyte encoding. On Cygwin, non-C locales could fail as well. Fix possible misbehavior in plainto_tsquery() (Heikki Linnakangas) Use memmove() not memcpy() for copying overlapping memory regions. There have been no field reports of this actually causing trouble, but it's certainly risky. Accept SHIFT_JIS as an encoding name for locale checking purposes (Tatsuo Ishii) Fix misbehavior of PQhost() on Windows (Fujii Masao) It should return localhost if no host has been specified. Improve error handling in libpq and psql for failures during COPY TO STDOUT/FROM STDIN (Tom Lane) In particular this fixes an infinite loop that could occur in 9.2 and up if the server connection was lost during COPY FROM STDIN. Variants of that scenario might be possible in older versions, or with other client applications. Fix misaligned descriptors in ecpg (MauMau) In ecpg, handle lack of a hostname in the connection parameters properly (Michael Meskes) Fix performance regression in contrib/dblink connection startup (Joe Conway) Avoid an unnecessary round trip when client and server encodings match. In contrib/isn, fix incorrect calculation of the check digit for ISMN values (Fabien Coelho) Ensure client-code-only installation procedure works as documented (Peter Eisentraut) In Mingw and Cygwin builds, install the libpq DLL in the bin directory (Andrew Dunstan) This duplicates what the MSVC build has long done. It should fix problems with programs like psql failing to start because they can't find the DLL. Avoid using the deprecated dllwrap tool in Cygwin builds (Marco Atzeri) Don't generate plain-text HISTORY and src/test/regress/README files anymore (Tom Lane) These text files duplicated the main HTML and PDF documentation formats. The trouble involved in maintaining them greatly outweighs the likely audience for plain-text format. Distribution tarballs will still contain files by these names, but they'll just be stubs directing the reader to consult the main documentation. The plain-text INSTALL file will still be maintained, as there is arguably a use-case for that. Update time zone data files to tzdata release 2013i for DST law changes in Jordan and historical changes in Cuba. In addition, the zones Asia/Riyadh87, Asia/Riyadh88, and Asia/Riyadh89 have been removed, as they are no longer maintained by IANA, and never represented actual civil timekeeping practice. 2013-12-05 This release contains a variety of fixes from 9.0.14. For information about new features in the 9.0 major release, see . A dump/restore is not required for those running 9.0.X. However, this release corrects a number of potential data corruption issues. See the first two changelog entries below to find out whether your installation has been affected and what steps you can take if so. Also, if you are upgrading from a version earlier than 9.0.13, see . Fix VACUUM's tests to see whether it can update relfrozenxid (Andres Freund) In some cases VACUUM (either manual or autovacuum) could incorrectly advance a table's relfrozenxid value, allowing tuples to escape freezing, causing those rows to become invisible once 2^31 transactions have elapsed. The probability of data loss is fairly low since multiple incorrect advancements would need to happen before actual loss occurs, but it's not zero. Users upgrading from releases 9.0.4 or 8.4.8 or earlier are not affected, but all later versions contain the bug. The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix any latent corruption but will not be able to fix all pre-existing data errors. However, an installation can be presumed safe after performing this vacuuming if it has executed fewer than 2^31 update transactions in its lifetime (check this with SELECT txid_current() < 2^31). Fix initialization of pg_clog and pg_subtrans during hot standby startup (Andres Freund, Heikki Linnakangas) This bug can cause data loss on standby servers at the moment they start to accept hot-standby queries, by marking committed transactions as uncommitted. The likelihood of such corruption is small unless, at the time of standby startup, the primary server has executed many updating transactions since its last checkpoint. Symptoms include missing rows, rows that should have been deleted being still visible, and obsolete versions of updated rows being still visible alongside their newer versions. This bug was introduced in versions 9.3.0, 9.2.5, 9.1.10, and 9.0.14. Standby servers that have only been running earlier releases are not at risk. It's recommended that standby servers that have ever run any of the buggy releases be re-cloned from the primary (e.g., with a new base backup) after upgrading. Truncate pg_multixact contents during WAL replay (Andres Freund) This avoids ever-increasing disk space consumption in standby servers. Fix race condition in GIN index posting tree page deletion (Heikki Linnakangas) This could lead to transient wrong answers or query failures. Avoid flattening a subquery whose SELECT list contains a volatile function wrapped inside a sub-SELECT (Tom Lane) This avoids unexpected results due to extra evaluations of the volatile function. Fix planner's processing of non-simple-variable subquery outputs nested within outer joins (Tom Lane) This error could lead to incorrect plans for queries involving multiple levels of subqueries within JOIN syntax. Fix premature deletion of temporary files (Andres Freund) Fix possible read past end of memory in rule printing (Peter Eisentraut) Fix array slicing of int2vector and oidvector values (Tom Lane) Expressions of this kind are now implicitly promoted to regular int2 or oid arrays. Fix incorrect behaviors when using a SQL-standard, simple GMT offset timezone (Tom Lane) In some cases, the system would use the simple GMT offset value when it should have used the regular timezone setting that had prevailed before the simple offset was selected. This change also causes the timeofday function to honor the simple GMT offset zone. Prevent possible misbehavior when logging translations of Windows error codes (Tom Lane) Properly quote generated command lines in pg_ctl (Naoya Anzai and Tom Lane) This fix applies only to Windows. Fix pg_dumpall to work when a source database sets default_transaction_read_only via ALTER DATABASE SET (Kevin Grittner) Previously, the generated script would fail during restore. Fix ecpg's processing of lists of variables declared varchar (Zoltán Böszörményi) Make contrib/lo defend against incorrect trigger definitions (Marc Cousin) Update time zone data files to tzdata release 2013h for DST law changes in Argentina, Brazil, Jordan, Libya, Liechtenstein, Morocco, and Palestine. Also, new timezone abbreviations WIB, WIT, WITA for Indonesia. 2013-10-10 This release contains a variety of fixes from 9.0.13. For information about new features in the 9.0 major release, see . A dump/restore is not required for those running 9.0.X. However, if you are upgrading from a version earlier than 9.0.13, see . Prevent corruption of multi-byte characters when attempting to case-fold identifiers (Andrew Dunstan) PostgreSQL case-folds non-ASCII characters only when using a single-byte server encoding. Fix checkpoint memory leak in background writer when wal_level = hot_standby (Naoya Anzai) Fix memory leak caused by lo_open() failure (Heikki Linnakangas) Fix memory overcommit bug when work_mem is using more than 24GB of memory (Stephen Frost) Fix deadlock bug in libpq when using SSL (Stephen Frost) Fix possible SSL state corruption in threaded libpq applications (Nick Phillips, Stephen Frost) Properly compute row estimates for boolean columns containing many NULL values (Andrew Gierth) Previously tests like col IS NOT TRUE and col IS NOT FALSE did not properly factor in NULL values when estimating plan costs. Prevent pushing down WHERE clauses into unsafe UNION/INTERSECT subqueries (Tom Lane) Subqueries of a UNION or INTERSECT that contain set-returning functions or volatile functions in their SELECT lists could be improperly optimized, leading to run-time errors or incorrect query results. Fix rare case of failed to locate grouping columns planner failure (Tom Lane) Improve view dumping code's handling of dropped columns in referenced tables (Tom Lane) Properly record index comments created using UNIQUE and PRIMARY KEY syntax (Andres Freund) This fixes a parallel pg_restore failure. Fix REINDEX TABLE and REINDEX DATABASE to properly revalidate constraints and mark invalidated indexes as valid (Noah Misch) REINDEX INDEX has always worked properly. Fix possible deadlock during concurrent CREATE INDEX CONCURRENTLY operations (Tom Lane) Fix regexp_matches() handling of zero-length matches (Jeevan Chalke) Previously, zero-length matches like '^' could return too many matches. Fix crash for overly-complex regular expressions (Heikki Linnakangas) Fix regular expression match failures for back references combined with non-greedy quantifiers (Jeevan Chalke) Prevent CREATE FUNCTION from checking SET variables unless function body checking is enabled (Tom Lane) Allow ALTER DEFAULT PRIVILEGES to operate on schemas without requiring CREATE permission (Tom Lane) Loosen restriction on keywords used in queries (Tom Lane) Specifically, lessen keyword restrictions for role names, language names, EXPLAIN and COPY options, and SET values. This allows COPY ... (FORMAT BINARY) to work as expected; previously BINARY needed to be quoted. Fix pgp_pub_decrypt() so it works for secret keys with passwords (Marko Kreen) Remove rare inaccurate warning during vacuum of index-less tables (Heikki Linnakangas) Ensure that VACUUM ANALYZE still runs the ANALYZE phase if its attempt to truncate the file is cancelled due to lock conflicts (Kevin Grittner) Avoid possible failure when performing transaction control commands (e.g ROLLBACK) in prepared queries (Tom Lane) Ensure that floating-point data input accepts standard spellings of infinity on all platforms (Tom Lane) The C99 standard says that allowable spellings are inf, +inf, -inf, infinity, +infinity, and -infinity. Make sure we recognize these even if the platform's strtod function doesn't. Expand ability to compare rows to records and arrays (Rafal Rzepecki, Tom Lane) Update time zone data files to tzdata release 2013d for DST law changes in Israel, Morocco, Palestine, and Paraguay. Also, historical zone data corrections for Macquarie Island. 2013-04-04 This release contains a variety of fixes from 9.0.12. For information about new features in the 9.0 major release, see . A dump/restore is not required for those running 9.0.X. However, this release corrects several errors in management of GiST indexes. After installing this update, it is advisable to REINDEX any GiST indexes that meet one or more of the conditions described below. Also, if you are upgrading from a version earlier than 9.0.6, see . Fix insecure parsing of server command-line switches (Mitsumasa Kondo, Kyotaro Horiguchi) A connection request containing a database name that begins with - could be crafted to damage or destroy files within the server's data directory, even if the request is eventually rejected. (CVE-2013-1899) Reset OpenSSL randomness state in each postmaster child process (Marko Kreen) This avoids a scenario wherein random numbers generated by contrib/pgcrypto functions might be relatively easy for another database user to guess. The risk is only significant when the postmaster is configured with ssl = on but most connections don't use SSL encryption. (CVE-2013-1900) Fix GiST indexes to not use fuzzy geometric comparisons when it's not appropriate to do so (Alexander Korotkov) The core geometric types perform comparisons using fuzzy equality, but gist_box_same must do exact comparisons, else GiST indexes using it might become inconsistent. After installing this update, users should REINDEX any GiST indexes on box, polygon, circle, or point columns, since all of these use gist_box_same. Fix erroneous range-union and penalty logic in GiST indexes that use contrib/btree_gist for variable-width data types, that is text, bytea, bit, and numeric columns (Tom Lane) These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in useless index bloat. Users are advised to REINDEX such indexes after installing this update. Fix bugs in GiST page splitting code for multi-column indexes (Tom Lane) These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in indexes that are unnecessarily inefficient to search. Users are advised to REINDEX multi-column GiST indexes after installing this update. Fix gist_point_consistent to handle fuzziness consistently (Alexander Korotkov) Index scans on GiST indexes on point columns would sometimes yield results different from a sequential scan, because gist_point_consistent disagreed with the underlying operator code about whether to do comparisons exactly or fuzzily. Fix buffer leak in WAL replay (Heikki Linnakangas) This bug could result in incorrect local pin count errors during replay, making recovery impossible. Fix race condition in DELETE RETURNING (Tom Lane) Under the right circumstances, DELETE RETURNING could attempt to fetch data from a shared buffer that the current process no longer has any pin on. If some other process changed the buffer meanwhile, this would lead to garbage RETURNING output, or even a crash. Fix infinite-loop risk in regular expression compilation (Tom Lane, Don Porter) Fix potential null-pointer dereference in regular expression compilation (Tom Lane) Fix to_char() to use ASCII-only case-folding rules where appropriate (Tom Lane) This fixes misbehavior of some template patterns that should be locale-independent, but mishandled I and i in Turkish locales. Fix unwanted rejection of timestamp 1999-12-31 24:00:00 (Tom Lane) Fix logic error when a single transaction does UNLISTEN then LISTEN (Tom Lane) The session wound up not listening for notify events at all, though it surely should listen in this case. Remove useless picksplit doesn't support secondary split log messages (Josh Hansen, Tom Lane) This message seems to have been added in expectation of code that was never written, and probably never will be, since GiST's default handling of secondary splits is actually pretty good. So stop nagging end users about it. Fix possible failure to send a session's last few transaction commit/abort counts to the statistics collector (Tom Lane) Eliminate memory leaks in PL/Perl's spi_prepare() function (Alex Hunsaker, Tom Lane) Fix pg_dumpall to handle database names containing = correctly (Heikki Linnakangas) Avoid crash in pg_dump when an incorrect connection string is given (Heikki Linnakangas) Ignore invalid indexes in pg_dump and pg_upgrade (Michael Paquier, Bruce Momjian) Dumping invalid indexes can cause problems at restore time, for example if the reason the index creation failed was because it tried to enforce a uniqueness condition not satisfied by the table's data. Also, if the index creation is in fact still in progress, it seems reasonable to consider it to be an uncommitted DDL change, which pg_dump wouldn't be expected to dump anyway. pg_upgrade now also skips invalid indexes rather than failing. Fix contrib/pg_trgm's similarity() function to return zero for trigram-less strings (Tom Lane) Previously it returned NaN due to internal division by zero. Update time zone data files to tzdata release 2013b for DST law changes in Chile, Haiti, Morocco, Paraguay, and some Russian areas. Also, historical zone data corrections for numerous places. Also, update the time zone abbreviation files for recent changes in Russia and elsewhere: CHOT, GET, IRKT, KGT, KRAT, MAGT, MAWT, MSK, NOVT, OMST, TKT, VLAT, WST, YAKT, YEKT now follow their current meanings, and VOLT (Europe/Volgograd) and MIST (Antarctica/Macquarie) are added to the default abbreviations list. 2013-02-07 This release contains a variety of fixes from 9.0.11. For information about new features in the 9.0 major release, see . A dump/restore is not required for those running 9.0.X. However, if you are upgrading from a version earlier than 9.0.6, see . Prevent execution of enum_recv from SQL (Tom Lane) The function was misdeclared, allowing a simple SQL command to crash the server. In principle an attacker might be able to use it to examine the contents of server memory. Our thanks to Sumit Soni (via Secunia SVCRP) for reporting this issue. (CVE-2013-0255) Fix multiple problems in detection of when a consistent database state has been reached during WAL replay (Fujii Masao, Heikki Linnakangas, Simon Riggs, Andres Freund) Update minimum recovery point when truncating a relation file (Heikki Linnakangas) Once data has been discarded, it's no longer safe to stop recovery at an earlier point in the timeline. Fix missing cancellations in hot standby mode (Noah Misch, Simon Riggs) The need to cancel conflicting hot-standby queries would sometimes be missed, allowing those queries to see inconsistent data. Fix SQL grammar to allow subscripting or field selection from a sub-SELECT result (Tom Lane) Fix performance problems with autovacuum truncation in busy workloads (Jan Wieck) Truncation of empty pages at the end of a table requires exclusive lock, but autovacuum was coded to fail (and release the table lock) when there are conflicting lock requests. Under load, it is easily possible that truncation would never occur, resulting in table bloat. Fix by performing a partial truncation, releasing the lock, then attempting to re-acquire the lock and continue. This fix also greatly reduces the average time before autovacuum releases the lock after a conflicting request arrives. Protect against race conditions when scanning pg_tablespace (Stephen Frost, Tom Lane) CREATE DATABASE and DROP DATABASE could misbehave if there were concurrent updates of pg_tablespace entries. Prevent DROP OWNED from trying to drop whole databases or tablespaces (Álvaro Herrera) For safety, ownership of these objects must be reassigned, not dropped. Fix error in vacuum_freeze_table_age implementation (Andres Freund) In installations that have existed for more than vacuum_freeze_min_age transactions, this mistake prevented autovacuum from using partial-table scans, so that a full-table scan would always happen instead. Prevent misbehavior when a RowExpr or XmlExpr is parse-analyzed twice (Andres Freund, Tom Lane) This mistake could be user-visible in contexts such as CREATE TABLE LIKE INCLUDING INDEXES. Improve defenses against integer overflow in hashtable sizing calculations (Jeff Davis) Reject out-of-range dates in to_date() (Hitoshi Harada) Ensure that non-ASCII prompt strings are translated to the correct code page on Windows (Alexander Law, Noah Misch) This bug affected psql and some other client programs. Fix possible crash in psql's \? command when not connected to a database (Meng Qingzhong) Fix pg_upgrade to deal with invalid indexes safely (Bruce Momjian) Fix one-byte buffer overrun in libpq's PQprintTuples (Xi Wang) This ancient function is not used anywhere by PostgreSQL itself, but it might still be used by some client code. Make ecpglib use translated messages properly (Chen Huajun) Properly install ecpg_compat and pgtypes libraries on MSVC (Jiang Guiqing) Include our version of isinf() in libecpg if it's not provided by the system (Jiang Guiqing) Rearrange configure's tests for supplied functions so it is not fooled by bogus exports from libedit/libreadline (Christoph Berg) Ensure Windows build number increases over time (Magnus Hagander) Make pgxs build executables with the right .exe suffix when cross-compiling for Windows (Zoltan Boszormenyi) Add new timezone abbreviation FET (Tom Lane) This is now used in some eastern-European time zones. 2012-12-06 This release contains a variety of fixes from 9.0.10. For information about new features in the 9.0 major release, see . A dump/restore is not required for those running 9.0.X. However, if you are upgrading from a version earlier than 9.0.6, see . Fix multiple bugs associated with CREATE INDEX CONCURRENTLY (Andres Freund, Tom Lane) Fix CREATE INDEX CONCURRENTLY to use in-place updates when changing the state of an index's pg_index row. This prevents race conditions that could cause concurrent sessions to miss updating the target index, thus resulting in corrupt concurrently-created indexes. Also, fix various other operations to ensure that they ignore invalid indexes resulting from a failed CREATE INDEX CONCURRENTLY command. The most important of these is VACUUM, because an auto-vacuum could easily be launched on the table before corrective action can be taken to fix or remove the invalid index. Fix buffer locking during WAL replay (Tom Lane) The WAL replay code was insufficiently careful about locking buffers when replaying WAL records that affect more than one page. This could result in hot standby queries transiently seeing inconsistent states, resulting in wrong answers or unexpected failures. Fix an error in WAL generation logic for GIN indexes (Tom Lane) This could result in index corruption, if a torn-page failure occurred. Properly remove startup process's virtual XID lock when promoting a hot standby server to normal running (Simon Riggs) This oversight could prevent subsequent execution of certain operations such as CREATE INDEX CONCURRENTLY. Avoid bogus out-of-sequence timeline ID errors in standby mode (Heikki Linnakangas) Prevent the postmaster from launching new child processes after it's received a shutdown signal (Tom Lane) This mistake could result in shutdown taking longer than it should, or even never completing at all without additional user action. Avoid corruption of internal hash tables when out of memory (Hitoshi Harada) Fix planning of non-strict equivalence clauses above outer joins (Tom Lane) The planner could derive incorrect constraints from a clause equating a non-strict construct to something else, for example WHERE COALESCE(foo, 0) = 0 when foo is coming from the nullable side of an outer join. Improve planner's ability to prove exclusion constraints from equivalence classes (Tom Lane) Fix partial-row matching in hashed subplans to handle cross-type cases correctly (Tom Lane) This affects multicolumn NOT IN subplans, such as WHERE (a, b) NOT IN (SELECT x, y FROM ...) when for instance b and y are int4 and int8 respectively. This mistake led to wrong answers or crashes depending on the specific datatypes involved. Acquire buffer lock when re-fetching the old tuple for an AFTER ROW UPDATE/DELETE trigger (Andres Freund) In very unusual circumstances, this oversight could result in passing incorrect data to the precheck logic for a foreign-key enforcement trigger. That could result in a crash, or in an incorrect decision about whether to fire the trigger. Fix ALTER COLUMN TYPE to handle inherited check constraints properly (Pavan Deolasee) This worked correctly in pre-8.4 releases, and now works correctly in 8.4 and later. Fix REASSIGN OWNED to handle grants on tablespaces (Álvaro Herrera) Ignore incorrect pg_attribute entries for system columns for views (Tom Lane) Views do not have any system columns. However, we forgot to remove such entries when converting a table to a view. That's fixed properly for 9.3 and later, but in previous branches we need to defend against existing mis-converted views. Fix rule printing to dump INSERT INTO table DEFAULT VALUES correctly (Tom Lane) Guard against stack overflow when there are too many UNION/INTERSECT/EXCEPT clauses in a query (Tom Lane) Prevent platform-dependent failures when dividing the minimum possible integer value by -1 (Xi Wang, Tom Lane) Fix possible access past end of string in date parsing (Hitoshi Harada) Fix failure to advance XID epoch if XID wraparound happens during a checkpoint and wal_level is hot_standby (Tom Lane, Andres Freund) While this mistake had no particular impact on PostgreSQL itself, it was bad for applications that rely on txid_current() and related functions: the TXID value would appear to go backwards. Produce an understandable error message if the length of the path name for a Unix-domain socket exceeds the platform-specific limit (Tom Lane, Andrew Dunstan) Formerly, this would result in something quite unhelpful, such as Non-recoverable failure in name resolution. Fix memory leaks when sending composite column values to the client (Tom Lane) Make pg_ctl more robust about reading the postmaster.pid file (Heikki Linnakangas) Fix race conditions and possible file descriptor leakage. Fix possible crash in psql if incorrectly-encoded data is presented and the client_encoding setting is a client-only encoding, such as SJIS (Jiang Guiqing) Fix bugs in the restore.sql script emitted by pg_dump in tar output format (Tom Lane) The script would fail outright on tables whose names include upper-case characters. Also, make the script capable of restoring data in --inserts mode as well as the regular COPY mode. Fix pg_restore to accept POSIX-conformant tar files (Brian Weaver, Tom Lane) The original coding of pg_dump's tar output mode produced files that are not fully conformant with the POSIX standard. This has been corrected for version 9.3. This patch updates previous branches so that they will accept both the incorrect and the corrected formats, in hopes of avoiding compatibility problems when 9.3 comes out. Fix pg_resetxlog to locate postmaster.pid correctly when given a relative path to the data directory (Tom Lane) This mistake could lead to pg_resetxlog not noticing that there is an active postmaster using the data directory. Fix libpq's lo_import() and lo_export() functions to report file I/O errors properly (Tom Lane) Fix ecpg's processing of nested structure pointer variables (Muhammad Usama) Fix ecpg's ecpg_get_data function to handle arrays properly (Michael Meskes) Make contrib/pageinspect's btree page inspection functions take buffer locks while examining pages (Tom Lane) Fix pgxs support for building loadable modules on AIX (Tom Lane) Building modules outside the original source tree didn't work on AIX. Update time zone data files to tzdata release 2012j for DST law changes in Cuba, Israel, Jordan, Libya, Palestine, Western Samoa, and portions of Brazil. 2012-09-24 This release contains a variety of fixes from 9.0.9. For information about new features in the 9.0 major release, see . A dump/restore is not required for those running 9.0.X. However, if you are upgrading from a version earlier than 9.0.6, see . Fix planner's assignment of executor parameters, and fix executor's rescan logic for CTE plan nodes (Tom Lane) These errors could result in wrong answers from queries that scan the same WITH subquery multiple times. Improve page-splitting decisions in GiST indexes (Alexander Korotkov, Robert Haas, Tom Lane) Multi-column GiST indexes might suffer unexpected bloat due to this error. Fix cascading privilege revoke to stop if privileges are still held (Tom Lane) If we revoke a grant option from some role X, but X still holds that option via a grant from someone else, we should not recursively revoke the corresponding privilege from role(s) Y that X had granted it to. Improve error messages for Hot Standby misconfiguration errors (Gurjeet Singh) Fix handling of SIGFPE when PL/Perl is in use (Andres Freund) Perl resets the process's SIGFPE handler to SIG_IGN, which could result in crashes later on. Restore the normal Postgres signal handler after initializing PL/Perl. Prevent PL/Perl from crashing if a recursive PL/Perl function is redefined while being executed (Tom Lane) Work around possible misoptimization in PL/Perl (Tom Lane) Some Linux distributions contain an incorrect version of pthread.h that results in incorrect compiled code in PL/Perl, leading to crashes if a PL/Perl function calls another one that throws an error. Fix pg_upgrade's handling of line endings on Windows (Andrew Dunstan) Previously, pg_upgrade might add or remove carriage returns in places such as function bodies. On Windows, make pg_upgrade use backslash path separators in the scripts it emits (Andrew Dunstan) Update time zone data files to tzdata release 2012f for DST law changes in Fiji 2012-08-17 This release contains a variety of fixes from 9.0.8. For information about new features in the 9.0 major release, see . A dump/restore is not required for those running 9.0.X. However, if you are upgrading from a version earlier than 9.0.6, see . Prevent access to external files/URLs via XML entity references (Noah Misch, Tom Lane) xml_parse() would attempt to fetch external files or URLs as needed to resolve DTD and entity references in an XML value, thus allowing unprivileged database users to attempt to fetch data with the privileges of the database server. While the external data wouldn't get returned directly to the user, portions of it could be exposed in error messages if the data didn't parse as valid XML; and in any case the mere ability to check existence of a file might be useful to an attacker. (CVE-2012-3489) Prevent access to external files/URLs via contrib/xml2's xslt_process() (Peter Eisentraut) libxslt offers the ability to read and write both files and URLs through stylesheet commands, thus allowing unprivileged database users to both read and write data with the privileges of the database server. Disable that through proper use of libxslt's security options. (CVE-2012-3488) Also, remove xslt_process()'s ability to fetch documents and stylesheets from external files/URLs. While this was a documented feature, it was long regarded as a bad idea. The fix for CVE-2012-3489 broke that capability, and rather than expend effort on trying to fix it, we're just going to summarily remove it. Prevent too-early recycling of btree index pages (Noah Misch) When we allowed read-only transactions to skip assigning XIDs, we introduced the possibility that a deleted btree page could be recycled while a read-only transaction was still in flight to it. This would result in incorrect index search results. The probability of such an error occurring in the field seems very low because of the timing requirements, but nonetheless it should be fixed. Fix crash-safety bug with newly-created-or-reset sequences (Tom Lane) If ALTER SEQUENCE was executed on a freshly created or reset sequence, and then precisely one nextval() call was made on it, and then the server crashed, WAL replay would restore the sequence to a state in which it appeared that no nextval() had been done, thus allowing the first sequence value to be returned again by the next nextval() call. In particular this could manifest for serial columns, since creation of a serial column's sequence includes an ALTER SEQUENCE OWNED BY step. Fix txid_current() to report the correct epoch when not in hot standby (Heikki Linnakangas) This fixes a regression introduced in the previous minor release. Fix bug in startup of Hot Standby when a master transaction has many subtransactions (Andres Freund) This mistake led to failures reported as out-of-order XID insertion in KnownAssignedXids. Ensure the backup_label file is fsync'd after pg_start_backup() (Dave Kerr) Fix timeout handling in walsender processes (Tom Lane) WAL sender background processes neglected to establish a SIGALRM handler, meaning they would wait forever in some corner cases where a timeout ought to happen. Back-patch 9.1 improvement to compress the fsync request queue (Robert Haas) This improves performance during checkpoints. The 9.1 change has now seen enough field testing to seem safe to back-patch. Fix LISTEN/NOTIFY to cope better with I/O problems, such as out of disk space (Tom Lane) After a write failure, all subsequent attempts to send more NOTIFY messages would fail with messages like Could not read from file "pg_notify/nnnn" at offset nnnnn: Success. Only allow autovacuum to be auto-canceled by a directly blocked process (Tom Lane) The original coding could allow inconsistent behavior in some cases; in particular, an autovacuum could get canceled after less than deadlock_timeout grace period. Improve logging of autovacuum cancels (Robert Haas) Fix log collector so that log_truncate_on_rotation works during the very first log rotation after server start (Tom Lane) Fix WITH attached to a nested set operation (UNION/INTERSECT/EXCEPT) (Tom Lane) Ensure that a whole-row reference to a subquery doesn't include any extra GROUP BY or ORDER BY columns (Tom Lane) Disallow copying whole-row references in CHECK constraints and index definitions during CREATE TABLE (Tom Lane) This situation can arise in CREATE TABLE with LIKE or INHERITS. The copied whole-row variable was incorrectly labeled with the row type of the original table not the new one. Rejecting the case seems reasonable for LIKE, since the row types might well diverge later. For INHERITS we should ideally allow it, with an implicit coercion to the parent table's row type; but that will require more work than seems safe to back-patch. Fix memory leak in ARRAY(SELECT ...) subqueries (Heikki Linnakangas, Tom Lane) Fix extraction of common prefixes from regular expressions (Tom Lane) The code could get confused by quantified parenthesized subexpressions, such as ^(foo)?bar. This would lead to incorrect index optimization of searches for such patterns. Fix bugs with parsing signed hh:mm and hh:mm:ss fields in interval constants (Amit Kapila, Tom Lane) Use Postgres' encoding conversion functions, not Python's, when converting a Python Unicode string to the server encoding in PL/Python (Jan Urbanski) This avoids some corner-case problems, notably that Python doesn't support all the encodings Postgres does. A notable functional change is that if the server encoding is SQL_ASCII, you will get the UTF-8 representation of the string; formerly, any non-ASCII characters in the string would result in an error. Fix mapping of PostgreSQL encodings to Python encodings in PL/Python (Jan Urbanski) Report errors properly in contrib/xml2's xslt_process() (Tom Lane) Update time zone data files to tzdata release 2012e for DST law changes in Morocco and Tokelau 2012-06-04 This release contains a variety of fixes from 9.0.7. For information about new features in the 9.0 major release, see . A dump/restore is not required for those running 9.0.X. However, if you are upgrading from a version earlier than 9.0.6, see . Fix incorrect password transformation in contrib/pgcrypto's DES crypt() function (Solar Designer) If a password string contained the byte value 0x80, the remainder of the password was ignored, causing the password to be much weaker than it appeared. With this fix, the rest of the string is properly included in the DES hash. Any stored password values that are affected by this bug will thus no longer match, so the stored values may need to be updated. (CVE-2012-2143) Ignore SECURITY DEFINER and SET attributes for a procedural language's call handler (Tom Lane) Applying such attributes to a call handler could crash the server. (CVE-2012-2655) Allow numeric timezone offsets in timestamp input to be up to 16 hours away from UTC (Tom Lane) Some historical time zones have offsets larger than 15 hours, the previous limit. This could result in dumped data values being rejected during reload. Fix timestamp conversion to cope when the given time is exactly the last DST transition time for the current timezone (Tom Lane) This oversight has been there a long time, but was not noticed previously because most DST-using zones are presumed to have an indefinite sequence of future DST transitions. Fix text to name and char to name casts to perform string truncation correctly in multibyte encodings (Karl Schnaitter) Fix memory copying bug in to_tsquery() (Heikki Linnakangas) Ensure txid_current() reports the correct epoch when executed in hot standby (Simon Riggs) Fix planner's handling of outer PlaceHolderVars within subqueries (Tom Lane) This bug concerns sub-SELECTs that reference variables coming from the nullable side of an outer join of the surrounding query. In 9.1, queries affected by this bug would fail with ERROR: Upper-level PlaceHolderVar found where not expected. But in 9.0 and 8.4, you'd silently get possibly-wrong answers, since the value transmitted into the subquery wouldn't go to null when it should. Fix slow session startup when pg_attribute is very large (Tom Lane) If pg_attribute exceeds one-fourth of shared_buffers, cache rebuilding code that is sometimes needed during session start would trigger the synchronized-scan logic, causing it to take many times longer than normal. The problem was particularly acute if many new sessions were starting at once. Ensure sequential scans check for query cancel reasonably often (Merlin Moncure) A scan encountering many consecutive pages that contain no live tuples would not respond to interrupts meanwhile. Ensure the Windows implementation of PGSemaphoreLock() clears ImmediateInterruptOK before returning (Tom Lane) This oversight meant that a query-cancel interrupt received later in the same query could be accepted at an unsafe time, with unpredictable but not good consequences. Show whole-row variables safely when printing views or rules (Abbas Butt, Tom Lane) Corner cases involving ambiguous names (that is, the name could be either a table or column name of the query) were printed in an ambiguous way, risking that the view or rule would be interpreted differently after dump and reload. Avoid the ambiguous case by attaching a no-op cast. Fix COPY FROM to properly handle null marker strings that correspond to invalid encoding (Tom Lane) A null marker string such as E'\\0' should work, and did work in the past, but the case got broken in 8.4. Ensure autovacuum worker processes perform stack depth checking properly (Heikki Linnakangas) Previously, infinite recursion in a function invoked by auto-ANALYZE could crash worker processes. Fix logging collector to not lose log coherency under high load (Andrew Dunstan) The collector previously could fail to reassemble large messages if it got too busy. Fix logging collector to ensure it will restart file rotation after receiving SIGHUP (Tom Lane) Fix WAL replay logic for GIN indexes to not fail if the index was subsequently dropped (Tom Lane) Fix memory leak in PL/pgSQL's RETURN NEXT command (Joe Conway) Fix PL/pgSQL's GET DIAGNOSTICS command when the target is the function's first variable (Tom Lane) Fix potential access off the end of memory in psql's expanded display (\x) mode (Peter Eisentraut) Fix several performance problems in pg_dump when the database contains many objects (Jeff Janes, Tom Lane) pg_dump could get very slow if the database contained many schemas, or if many objects are in dependency loops, or if there are many owned sequences. Fix pg_upgrade for the case that a database stored in a non-default tablespace contains a table in the cluster's default tablespace (Bruce Momjian) In ecpg, fix rare memory leaks and possible overwrite of one byte after the sqlca_t structure (Peter Eisentraut) Fix contrib/dblink's dblink_exec() to not leak temporary database connections upon error (Tom Lane) Fix contrib/dblink to report the correct connection name in error messages (Kyotaro Horiguchi) Fix contrib/vacuumlo to use multiple transactions when dropping many large objects (Tim Lewis, Robert Haas, Tom Lane) This change avoids exceeding max_locks_per_transaction when many objects need to be dropped. The behavior can be adjusted with the new -l (limit) option. Update time zone data files to tzdata release 2012c for DST law changes in Antarctica, Armenia, Chile, Cuba, Falkland Islands, Gaza, Haiti, Hebron, Morocco, Syria, and Tokelau Islands; also historical corrections for Canada. 2012-02-27 This release contains a variety of fixes from 9.0.6. For information about new features in the 9.0 major release, see . A dump/restore is not required for those running 9.0.X. However, if you are upgrading from a version earlier than 9.0.6, see . Require execute permission on the trigger function for CREATE TRIGGER (Robert Haas) This missing check could allow another user to execute a trigger function with forged input data, by installing it on a table he owns. This is only of significance for trigger functions marked SECURITY DEFINER, since otherwise trigger functions run as the table owner anyway. (CVE-2012-0866) Remove arbitrary limitation on length of common name in SSL certificates (Heikki Linnakangas) Both libpq and the server truncated the common name extracted from an SSL certificate at 32 bytes. Normally this would cause nothing worse than an unexpected verification failure, but there are some rather-implausible scenarios in which it might allow one certificate holder to impersonate another. The victim would have to have a common name exactly 32 bytes long, and the attacker would have to persuade a trusted CA to issue a certificate in which the common name has that string as a prefix. Impersonating a server would also require some additional exploit to redirect client connections. (CVE-2012-0867) Convert newlines to spaces in names written in pg_dump comments (Robert Haas) pg_dump was incautious about sanitizing object names that are emitted within SQL comments in its output script. A name containing a newline would at least render the script syntactically incorrect. Maliciously crafted object names could present a SQL injection risk when the script is reloaded. (CVE-2012-0868) Fix btree index corruption from insertions concurrent with vacuuming (Tom Lane) An index page split caused by an insertion could sometimes cause a concurrently-running VACUUM to miss removing index entries that it should remove. After the corresponding table rows are removed, the dangling index entries would cause errors (such as could not read block N in file ...) or worse, silently wrong query results after unrelated rows are re-inserted at the now-free table locations. This bug has been present since release 8.2, but occurs so infrequently that it was not diagnosed until now. If you have reason to suspect that it has happened in your database, reindexing the affected index will fix things. Fix transient zeroing of shared buffers during WAL replay (Tom Lane) The replay logic would sometimes zero and refill a shared buffer, so that the contents were transiently invalid. In hot standby mode this can result in a query that's executing in parallel seeing garbage data. Various symptoms could result from that, but the most common one seems to be invalid memory alloc request size. Fix postmaster to attempt restart after a hot-standby crash (Tom Lane) A logic error caused the postmaster to terminate, rather than attempt to restart the cluster, if any backend process crashed while operating in hot standby mode. Fix CLUSTER/VACUUM FULL handling of toast values owned by recently-updated rows (Tom Lane) This oversight could lead to duplicate key value violates unique constraint errors being reported against the toast table's index during one of these commands. Update per-column permissions, not only per-table permissions, when changing table owner (Tom Lane) Failure to do this meant that any previously granted column permissions were still shown as having been granted by the old owner. This meant that neither the new owner nor a superuser could revoke the now-untraceable-to-table-owner permissions. Support foreign data wrappers and foreign servers in REASSIGN OWNED (Alvaro Herrera) This command failed with unexpected classid errors if it needed to change the ownership of any such objects. Allow non-existent values for some settings in ALTER USER/DATABASE SET (Heikki Linnakangas) Allow default_text_search_config, default_tablespace, and temp_tablespaces to be set to names that are not known. This is because they might be known in another database where the setting is intended to be used, or for the tablespace cases because the tablespace might not be created yet. The same issue was previously recognized for search_path, and these settings now act like that one. Avoid crashing when we have problems deleting table files post-commit (Tom Lane) Dropping a table should lead to deleting the underlying disk files only after the transaction commits. In event of failure then (for instance, because of wrong file permissions) the code is supposed to just emit a warning message and go on, since it's too late to abort the transaction. This logic got broken as of release 8.4, causing such situations to result in a PANIC and an unrestartable database. Recover from errors occurring during WAL replay of DROP TABLESPACE (Tom Lane) Replay will attempt to remove the tablespace's directories, but there are various reasons why this might fail (for example, incorrect ownership or permissions on those directories). Formerly the replay code would panic, rendering the database unrestartable without manual intervention. It seems better to log the problem and continue, since the only consequence of failure to remove the directories is some wasted disk space. Fix race condition in logging AccessExclusiveLocks for hot standby (Simon Riggs) Sometimes a lock would be logged as being held by transaction zero. This is at least known to produce assertion failures on slave servers, and might be the cause of more serious problems. Track the OID counter correctly during WAL replay, even when it wraps around (Tom Lane) Previously the OID counter would remain stuck at a high value until the system exited replay mode. The practical consequences of that are usually nil, but there are scenarios wherein a standby server that's been promoted to master might take a long time to advance the OID counter to a reasonable value once values are needed. Prevent emitting misleading consistent recovery state reached log message at the beginning of crash recovery (Heikki Linnakangas) Fix initial value of pg_stat_replication.replay_location (Fujii Masao) Previously, the value shown would be wrong until at least one WAL record had been replayed. Fix regular expression back-references with * attached (Tom Lane) Rather than enforcing an exact string match, the code would effectively accept any string that satisfies the pattern sub-expression referenced by the back-reference symbol. A similar problem still afflicts back-references that are embedded in a larger quantified expression, rather than being the immediate subject of the quantifier. This will be addressed in a future PostgreSQL release. Fix recently-introduced memory leak in processing of inet/cidr values (Heikki Linnakangas) A patch in the December 2011 releases of PostgreSQL caused memory leakage in these operations, which could be significant in scenarios such as building a btree index on such a column. Fix dangling pointer after CREATE TABLE AS/SELECT INTO in a SQL-language function (Tom Lane) In most cases this only led to an assertion failure in assert-enabled builds, but worse consequences seem possible. Avoid double close of file handle in syslogger on Windows (MauMau) Ordinarily this error was invisible, but it would cause an exception when running on a debug version of Windows. Fix I/O-conversion-related memory leaks in plpgsql (Andres Freund, Jan Urbanski, Tom Lane) Certain operations would leak memory until the end of the current function. Improve pg_dump's handling of inherited table columns (Tom Lane) pg_dump mishandled situations where a child column has a different default expression than its parent column. If the default is textually identical to the parent's default, but not actually the same (for instance, because of schema search path differences) it would not be recognized as different, so that after dump and restore the child would be allowed to inherit the parent's default. Child columns that are NOT NULL where their parent is not could also be restored subtly incorrectly. Fix pg_restore's direct-to-database mode for INSERT-style table data (Tom Lane) Direct-to-database restores from archive files made with --inserts or --column-inserts options fail when using pg_restore from a release dated September or December 2011, as a result of an oversight in a fix for another problem. The archive file itself is not at fault, and text-mode output is okay. Allow pg_upgrade to process tables containing regclass columns (Bruce Momjian) Since pg_upgrade now takes care to preserve pg_class OIDs, there was no longer any reason for this restriction. Make libpq ignore ENOTDIR errors when looking for an SSL client certificate file (Magnus Hagander) This allows SSL connections to be established, though without a certificate, even when the user's home directory is set to something like /dev/null. Fix some more field alignment issues in ecpg's SQLDA area (Zoltan Boszormenyi) Allow AT option in ecpg DEALLOCATE statements (Michael Meskes) The infrastructure to support this has been there for awhile, but through an oversight there was still an error check rejecting the case. Do not use the variable name when defining a varchar structure in ecpg (Michael Meskes) Fix contrib/auto_explain's JSON output mode to produce valid JSON (Andrew Dunstan) The output used brackets at the top level, when it should have used braces. Fix error in contrib/intarray's int[] & int[] operator (Guillaume Lelarge) If the smallest integer the two input arrays have in common is 1, and there are smaller values in either array, then 1 would be incorrectly omitted from the result. Fix error detection in contrib/pgcrypto's encrypt_iv() and decrypt_iv() (Marko Kreen) These functions failed to report certain types of invalid-input errors, and would instead return random garbage values for incorrect input. Fix one-byte buffer overrun in contrib/test_parser (Paul Guyot) The code would try to read one more byte than it should, which would crash in corner cases. Since contrib/test_parser is only example code, this is not a security issue in itself, but bad example code is still bad. Use __sync_lock_test_and_set() for spinlocks on ARM, if available (Martin Pitt) This function replaces our previous use of the SWPB instruction, which is deprecated and not available on ARMv6 and later. Reports suggest that the old code doesn't fail in an obvious way on recent ARM boards, but simply doesn't interlock concurrent accesses, leading to bizarre failures in multiprocess operation. Use -fexcess-precision=standard option when building with gcc versions that accept it (Andrew Dunstan) This prevents assorted scenarios wherein recent versions of gcc will produce creative results. Allow use of threaded Python on FreeBSD (Chris Rees) Our configure script previously believed that this combination wouldn't work; but FreeBSD fixed the problem, so remove that error check. 2011-12-05 This release contains a variety of fixes from 9.0.5. For information about new features in the 9.0 major release, see . A dump/restore is not required for those running 9.0.X. However, a longstanding error was discovered in the definition of the information_schema.referential_constraints view. If you rely on correct results from that view, you should replace its definition as explained in the first changelog item below. Also, if you are upgrading from a version earlier than 9.0.4, see . Fix bugs in information_schema.referential_constraints view (Tom Lane) This view was being insufficiently careful about matching the foreign-key constraint to the depended-on primary or unique key constraint. That could result in failure to show a foreign key constraint at all, or showing it multiple times, or claiming that it depends on a different constraint than the one it really does. Since the view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can (as a superuser) drop the information_schema schema then re-create it by sourcing SHAREDIR/information_schema.sql. (Run pg_config --sharedir if you're uncertain where SHAREDIR is.) This must be repeated in each database to be fixed. Fix possible crash during UPDATE or DELETE that joins to the output of a scalar-returning function (Tom Lane) A crash could only occur if the target row had been concurrently updated, so this problem surfaced only intermittently. Fix incorrect replay of WAL records for GIN index updates (Tom Lane) This could result in transiently failing to find index entries after a crash, or on a hot-standby server. The problem would be repaired by the next VACUUM of the index, however. Fix TOAST-related data corruption during CREATE TABLE dest AS SELECT * FROM src or INSERT INTO dest SELECT * FROM src (Tom Lane) If a table has been modified by ALTER TABLE ADD COLUMN, attempts to copy its data verbatim to another table could produce corrupt results in certain corner cases. The problem can only manifest in this precise form in 8.4 and later, but we patched earlier versions as well in case there are other code paths that could trigger the same bug. Fix possible failures during hot standby startup (Simon Riggs) Start hot standby faster when initial snapshot is incomplete (Simon Riggs) Fix race condition during toast table access from stale syscache entries (Tom Lane) The typical symptom was transient errors like missing chunk number 0 for toast value NNNNN in pg_toast_2619, where the cited toast table would always belong to a system catalog. Track dependencies of functions on items used in parameter default expressions (Tom Lane) Previously, a referenced object could be dropped without having dropped or modified the function, leading to misbehavior when the function was used. Note that merely installing this update will not fix the missing dependency entries; to do that, you'd need to CREATE OR REPLACE each such function afterwards. If you have functions whose defaults depend on non-built-in objects, doing so is recommended. Allow inlining of set-returning SQL functions with multiple OUT parameters (Tom Lane) Don't trust deferred-unique indexes for join removal (Tom Lane and Marti Raudsepp) A deferred uniqueness constraint might not hold intra-transaction, so assuming that it does could give incorrect query results. Make DatumGetInetP() unpack inet datums that have a 1-byte header, and add a new macro, DatumGetInetPP(), that does not (Heikki Linnakangas) This change affects no core code, but might prevent crashes in add-on code that expects DatumGetInetP() to produce an unpacked datum as per usual convention. Improve locale support in money type's input and output (Tom Lane) Aside from not supporting all standard lc_monetary formatting options, the input and output functions were inconsistent, meaning there were locales in which dumped money values could not be re-read. Don't let transform_null_equals affect CASE foo WHEN NULL ... constructs (Heikki Linnakangas) transform_null_equals is only supposed to affect foo = NULL expressions written directly by the user, not equality checks generated internally by this form of CASE. Change foreign-key trigger creation order to better support self-referential foreign keys (Tom Lane) For a cascading foreign key that references its own table, a row update will fire both the ON UPDATE trigger and the CHECK trigger as one event. The ON UPDATE trigger must execute first, else the CHECK will check a non-final state of the row and possibly throw an inappropriate error. However, the firing order of these triggers is determined by their names, which generally sort in creation order since the triggers have auto-generated names following the convention RI_ConstraintTrigger_NNNN. A proper fix would require modifying that convention, which we will do in 9.2, but it seems risky to change it in existing releases. So this patch just changes the creation order of the triggers. Users encountering this type of error should drop and re-create the foreign key constraint to get its triggers into the right order. Avoid floating-point underflow while tracking buffer allocation rate (Greg Matthews) While harmless in itself, on certain platforms this would result in annoying kernel log messages. Preserve configuration file name and line number values when starting child processes under Windows (Tom Lane) Formerly, these would not be displayed correctly in the pg_settings view. Fix incorrect field alignment in ecpg's SQLDA area (Zoltan Boszormenyi) Preserve blank lines within commands in psql's command history (Robert Haas) The former behavior could cause problems if an empty line was removed from within a string literal, for example. Fix pg_dump to dump user-defined casts between auto-generated types, such as table rowtypes (Tom Lane) Assorted fixes for pg_upgrade (Bruce Momjian) Handle exclusion constraints correctly, avoid failures on Windows, don't complain about mismatched toast table names in 8.4 databases. Use the preferred version of xsubpp to build PL/Perl, not necessarily the operating system's main copy (David Wheeler and Alex Hunsaker) Fix incorrect coding in contrib/dict_int and contrib/dict_xsyn (Tom Lane) Some functions incorrectly assumed that memory returned by palloc() is guaranteed zeroed. Fix assorted errors in contrib/unaccent's configuration file parsing (Tom Lane) Honor query cancel interrupts promptly in pgstatindex() (Robert Haas) Fix incorrect quoting of log file name in macOS start script (Sidar Lopez) Ensure VPATH builds properly install all server header files (Peter Eisentraut) Shorten file names reported in verbose error messages (Peter Eisentraut) Regular builds have always reported just the name of the C file containing the error message call, but VPATH builds formerly reported an absolute path name. Fix interpretation of Windows timezone names for Central America (Tom Lane) Map Central America Standard Time to CST6, not CST6CDT, because DST is generally not observed anywhere in Central America. Update time zone data files to tzdata release 2011n for DST law changes in Brazil, Cuba, Fiji, Palestine, Russia, and Samoa; also historical corrections for Alaska and British East Africa. 2011-09-26 This release contains a variety of fixes from 9.0.4. For information about new features in the 9.0 major release, see . A dump/restore is not required for those running 9.0.X. However, if you are upgrading from a version earlier than 9.0.4, see . Fix catalog cache invalidation after a VACUUM FULL or CLUSTER on a system catalog (Tom Lane) In some cases the relocation of a system catalog row to another place would not be recognized by concurrent server processes, allowing catalog corruption to occur if they then tried to update that row. The worst-case outcome could be as bad as complete loss of a table. Fix incorrect order of operations during sinval reset processing, and ensure that TOAST OIDs are preserved in system catalogs (Tom Lane) These mistakes could lead to transient failures after a VACUUM FULL or CLUSTER on a system catalog. Fix bugs in indexing of in-doubt HOT-updated tuples (Tom Lane) These bugs could result in index corruption after reindexing a system catalog. They are not believed to affect user indexes. Fix multiple bugs in GiST index page split processing (Heikki Linnakangas) The probability of occurrence was low, but these could lead to index corruption. Fix possible buffer overrun in tsvector_concat() (Tom Lane) The function could underestimate the amount of memory needed for its result, leading to server crashes. Fix crash in xml_recv when processing a standalone parameter (Tom Lane) Make pg_options_to_table return NULL for an option with no value (Tom Lane) Previously such cases would result in a server crash. Avoid possibly accessing off the end of memory in ANALYZE and in SJIS-2004 encoding conversion (Noah Misch) This fixes some very-low-probability server crash scenarios. Protect pg_stat_reset_shared() against NULL input (Magnus Hagander) Fix possible failure when a recovery conflict deadlock is detected within a sub-transaction (Tom Lane) Avoid spurious conflicts while recycling btree index pages during hot standby (Noah Misch, Simon Riggs) Shut down WAL receiver if it's still running at end of recovery (Heikki Linnakangas) The postmaster formerly panicked in this situation, but it's actually a legitimate case. Fix race condition in relcache init file invalidation (Tom Lane) There was a window wherein a new backend process could read a stale init file but miss the inval messages that would tell it the data is stale. The result would be bizarre failures in catalog accesses, typically could not read block 0 in file ... later during startup. Fix memory leak at end of a GiST index scan (Tom Lane) Commands that perform many separate GiST index scans, such as verification of a new GiST-based exclusion constraint on a table already containing many rows, could transiently require large amounts of memory due to this leak. Fix memory leak when encoding conversion has to be done on incoming command strings and LISTEN is active (Tom Lane) Fix incorrect memory accounting (leading to possible memory bloat) in tuplestores supporting holdable cursors and plpgsql's RETURN NEXT command (Tom Lane) Fix trigger WHEN conditions when both BEFORE and AFTER triggers exist (Tom Lane) Evaluation of WHEN conditions for AFTER ROW UPDATE triggers could crash if there had been a BEFORE ROW trigger fired for the same update. Fix performance problem when constructing a large, lossy bitmap (Tom Lane) Fix join selectivity estimation for unique columns (Tom Lane) This fixes an erroneous planner heuristic that could lead to poor estimates of the result size of a join. Fix nested PlaceHolderVar expressions that appear only in sub-select target lists (Tom Lane) This mistake could result in outputs of an outer join incorrectly appearing as NULL. Allow the planner to assume that empty parent tables really are empty (Tom Lane) Normally an empty table is assumed to have a certain minimum size for planning purposes; but this heuristic seems to do more harm than good for the parent table of an inheritance hierarchy, which often is permanently empty. Allow nested EXISTS queries to be optimized properly (Tom Lane) Fix array- and path-creating functions to ensure padding bytes are zeroes (Tom Lane) This avoids some situations where the planner will think that semantically-equal constants are not equal, resulting in poor optimization. Fix EXPLAIN to handle gating Result nodes within inner-indexscan subplans (Tom Lane) The usual symptom of this oversight was bogus varno errors. Fix btree preprocessing of indexedcol IS NULL conditions (Dean Rasheed) Such a condition is unsatisfiable if combined with any other type of btree-indexable condition on the same index column. The case was handled incorrectly in 9.0.0 and later, leading to query output where there should be none. Work around gcc 4.6.0 bug that breaks WAL replay (Tom Lane) This could lead to loss of committed transactions after a server crash. Fix dump bug for VALUES in a view (Tom Lane) Disallow SELECT FOR UPDATE/SHARE on sequences (Tom Lane) This operation doesn't work as expected and can lead to failures. Fix VACUUM so that it always updates pg_class.reltuples/relpages (Tom Lane) This fixes some scenarios where autovacuum could make increasingly poor decisions about when to vacuum tables. Defend against integer overflow when computing size of a hash table (Tom Lane) Fix cases where CLUSTER might attempt to access already-removed TOAST data (Tom Lane) Fix premature timeout failures during initial authentication transaction (Tom Lane) Fix portability bugs in use of credentials control messages for peer authentication (Tom Lane) Fix SSPI login when multiple roundtrips are required (Ahmed Shinwari, Magnus Hagander) The typical symptom of this problem was The function requested is not supported errors during SSPI login. Fix failure when adding a new variable of a custom variable class to postgresql.conf (Tom Lane) Throw an error if pg_hba.conf contains hostssl but SSL is disabled (Tom Lane) This was concluded to be more user-friendly than the previous behavior of silently ignoring such lines. Fix failure when DROP OWNED BY attempts to remove default privileges on sequences (Shigeru Hanada) Fix typo in pg_srand48 seed initialization (Andres Freund) This led to failure to use all bits of the provided seed. This function is not used on most platforms (only those without srandom), and the potential security exposure from a less-random-than-expected seed seems minimal in any case. Avoid integer overflow when the sum of LIMIT and OFFSET values exceeds 2^63 (Heikki Linnakangas) Add overflow checks to int4 and int8 versions of generate_series() (Robert Haas) Fix trailing-zero removal in to_char() (Marti Raudsepp) In a format with FM and no digit positions after the decimal point, zeroes to the left of the decimal point could be removed incorrectly. Fix pg_size_pretty() to avoid overflow for inputs close to 2^63 (Tom Lane) Weaken plpgsql's check for typmod matching in record values (Tom Lane) An overly enthusiastic check could lead to discarding length modifiers that should have been kept. Correctly handle quotes in locale names during initdb (Heikki Linnakangas) The case can arise with some Windows locales, such as People's Republic of China. In pg_upgrade, avoid dumping orphaned temporary tables (Bruce Momjian) This prevents situations wherein table OID assignments could get out of sync between old and new installations. Fix pg_upgrade to preserve toast tables' relfrozenxids during an upgrade from 8.3 (Bruce Momjian) Failure to do this could lead to pg_clog files being removed too soon after the upgrade. In pg_upgrade, fix the -l (log) option to work on Windows (Bruce Momjian) In pg_ctl, support silent mode for service registrations on Windows (MauMau) Fix psql's counting of script file line numbers during COPY from a different file (Tom Lane) Fix pg_restore's direct-to-database mode for standard_conforming_strings (Tom Lane) pg_restore could emit incorrect commands when restoring directly to a database server from an archive file that had been made with standard_conforming_strings set to on. Be more user-friendly about unsupported cases for parallel pg_restore (Tom Lane) This change ensures that such cases are detected and reported before any restore actions have been taken. Fix write-past-buffer-end and memory leak in libpq's LDAP service lookup code (Albe Laurenz) In libpq, avoid failures when using nonblocking I/O and an SSL connection (Martin Pihlak, Tom Lane) Improve libpq's handling of failures during connection startup (Tom Lane) In particular, the response to a server report of fork() failure during SSL connection startup is now saner. Improve libpq's error reporting for SSL failures (Tom Lane) Fix PQsetvalue() to avoid possible crash when adding a new tuple to a PGresult originally obtained from a server query (Andrew Chernow) Make ecpglib write double values with 15 digits precision (Akira Kurosawa) In ecpglib, be sure LC_NUMERIC setting is restored after an error (Michael Meskes) Apply upstream fix for blowfish signed-character bug (CVE-2011-2483) (Tom Lane) contrib/pg_crypto's blowfish encryption code could give wrong results on platforms where char is signed (which is most), leading to encrypted passwords being weaker than they should be. Fix memory leak in contrib/seg (Heikki Linnakangas) Fix pgstatindex() to give consistent results for empty indexes (Tom Lane) Allow building with perl 5.14 (Alex Hunsaker) Fix assorted issues with build and install file paths containing spaces (Tom Lane) Update time zone data files to tzdata release 2011i for DST law changes in Canada, Egypt, Russia, Samoa, and South Sudan. 2011-04-18 This release contains a variety of fixes from 9.0.3. For information about new features in the 9.0 major release, see . A dump/restore is not required for those running 9.0.X. However, if your installation was upgraded from a previous major release by running pg_upgrade, you should take action to prevent possible data loss due to a now-fixed bug in pg_upgrade. The recommended solution is to run VACUUM FREEZE on all TOAST tables. More information is available at http://wiki.postgresql.org/wiki/20110408pg_upgrade_fix. Fix pg_upgrade's handling of TOAST tables (Bruce Momjian) The pg_class.relfrozenxid value for TOAST tables was not correctly copied into the new installation during pg_upgrade. This could later result in pg_clog files being discarded while they were still needed to validate tuples in the TOAST tables, leading to could not access status of transaction failures. This error poses a significant risk of data loss for installations that have been upgraded with pg_upgrade. This patch corrects the problem for future uses of pg_upgrade, but does not in itself cure the issue in installations that have been processed with a buggy version of pg_upgrade. Suppress incorrect PD_ALL_VISIBLE flag was incorrectly set warning (Heikki Linnakangas) VACUUM would sometimes issue this warning in cases that are actually valid. Use better SQLSTATE error codes for hot standby conflict cases (Tatsuo Ishii and Simon Riggs) All retryable conflict errors now have an error code that indicates that a retry is possible. Also, session closure due to the database being dropped on the master is now reported as ERRCODE_DATABASE_DROPPED, rather than ERRCODE_ADMIN_SHUTDOWN, so that connection poolers can handle the situation correctly. Prevent intermittent hang in interactions of startup process with bgwriter process (Simon Riggs) This affected recovery in non-hot-standby cases. Disallow including a composite type in itself (Tom Lane) This prevents scenarios wherein the server could recurse infinitely while processing the composite type. While there are some possible uses for such a structure, they don't seem compelling enough to justify the effort required to make sure it always works safely. Avoid potential deadlock during catalog cache initialization (Nikhil Sontakke) In some cases the cache loading code would acquire share lock on a system index before locking the index's catalog. This could deadlock against processes trying to acquire exclusive locks in the other, more standard order. Fix dangling-pointer problem in BEFORE ROW UPDATE trigger handling when there was a concurrent update to the target tuple (Tom Lane) This bug has been observed to result in intermittent cannot extract system attribute from virtual tuple failures while trying to do UPDATE RETURNING ctid. There is a very small probability of more serious errors, such as generating incorrect index entries for the updated tuple. Disallow DROP TABLE when there are pending deferred trigger events for the table (Tom Lane) Formerly the DROP would go through, leading to could not open relation with OID nnn errors when the triggers were eventually fired. Allow replication as a user name in pg_hba.conf (Andrew Dunstan) replication is special in the database name column, but it was mistakenly also treated as special in the user name column. Prevent crash triggered by constant-false WHERE conditions during GEQO optimization (Tom Lane) Improve planner's handling of semi-join and anti-join cases (Tom Lane) Fix handling of SELECT FOR UPDATE in a sub-SELECT (Tom Lane) This bug typically led to cannot extract system attribute from virtual tuple errors. Fix selectivity estimation for text search to account for NULLs (Jesper Krogh) Fix get_actual_variable_range() to support hypothetical indexes injected by an index adviser plugin (Gurjeet Singh) Fix PL/Python memory leak involving array slices (Daniel Popowich) Allow libpq's SSL initialization to succeed when user's home directory is unavailable (Tom Lane) If the SSL mode is such that a root certificate file is not required, there is no need to fail. This change restores the behavior to what it was in pre-9.0 releases. Fix libpq to return a useful error message for errors detected in conninfo_array_parse (Joseph Adams) A typo caused the library to return NULL, rather than the PGconn structure containing the error message, to the application. Fix ecpg preprocessor's handling of float constants (Heikki Linnakangas) Fix parallel pg_restore to handle comments on POST_DATA items correctly (Arnd Hannemann) Fix pg_restore to cope with long lines (over 1KB) in TOC files (Tom Lane) Put in more safeguards against crashing due to division-by-zero with overly enthusiastic compiler optimization (Aurelien Jarno) Support use of dlopen() in FreeBSD and OpenBSD on MIPS (Tom Lane) There was a hard-wired assumption that this system function was not available on MIPS hardware on these systems. Use a compile-time test instead, since more recent versions have it. Fix compilation failures on HP-UX (Heikki Linnakangas) Avoid crash when trying to write to the Windows console very early in process startup (Rushabh Lathia) Support building with MinGW 64 bit compiler for Windows (Andrew Dunstan) Fix version-incompatibility problem with libintl on Windows (Hiroshi Inoue) Fix usage of xcopy in Windows build scripts to work correctly under Windows 7 (Andrew Dunstan) This affects the build scripts only, not installation or usage. Fix path separator used by pg_regress on Cygwin (Andrew Dunstan) Update time zone data files to tzdata release 2011f for DST law changes in Chile, Cuba, Falkland Islands, Morocco, Samoa, and Turkey; also historical corrections for South Australia, Alaska, and Hawaii. 2011-01-31 This release contains a variety of fixes from 9.0.2. For information about new features in the 9.0 major release, see . A dump/restore is not required for those running 9.0.X. Before exiting walreceiver, ensure all the received WAL is fsync'd to disk (Heikki Linnakangas) Otherwise the standby server could replay some un-synced WAL, conceivably leading to data corruption if the system crashes just at that point. Avoid excess fsync activity in walreceiver (Heikki Linnakangas) Make ALTER TABLE revalidate uniqueness and exclusion constraints when needed (Noah Misch) This was broken in 9.0 by a change that was intended to suppress revalidation during VACUUM FULL and CLUSTER, but unintentionally affected ALTER TABLE as well. Fix EvalPlanQual for UPDATE of an inheritance tree in which the tables are not all alike (Tom Lane) Any variation in the table row types (including dropped columns present in only some child tables) would confuse the EvalPlanQual code, leading to misbehavior or even crashes. Since EvalPlanQual is only executed during concurrent updates to the same row, the problem was only seen intermittently. Avoid failures when EXPLAIN tries to display a simple-form CASE expression (Tom Lane) If the CASE's test expression was a constant, the planner could simplify the CASE into a form that confused the expression-display code, resulting in unexpected CASE WHEN clause errors. Fix assignment to an array slice that is before the existing range of subscripts (Tom Lane) If there was a gap between the newly added subscripts and the first pre-existing subscript, the code miscalculated how many entries needed to be copied from the old array's null bitmap, potentially leading to data corruption or crash. Avoid unexpected conversion overflow in planner for very distant date values (Tom Lane) The date type supports a wider range of dates than can be represented by the timestamp types, but the planner assumed it could always convert a date to timestamp with impunity. Fix PL/Python crash when an array contains null entries (Alex Hunsaker) Remove ecpg's fixed length limit for constants defining an array dimension (Michael Meskes) Fix erroneous parsing of tsquery values containing ... & !(subexpression) | ... (Tom Lane) Queries containing this combination of operators were not executed correctly. The same error existed in contrib/intarray's query_int type and contrib/ltree's ltxtquery type. Fix buffer overrun in contrib/intarray's input function for the query_int type (Apple) This bug is a security risk since the function's return address could be overwritten. Thanks to Apple Inc's security team for reporting this issue and supplying the fix. (CVE-2010-4015) Fix bug in contrib/seg's GiST picksplit algorithm (Alexander Korotkov) This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a seg column. If you have such an index, consider REINDEXing it after installing this update. (This is identical to the bug that was fixed in contrib/cube in the previous update.) 2010-12-16 This release contains a variety of fixes from 9.0.1. For information about new features in the 9.0 major release, see . A dump/restore is not required for those running 9.0.X. Force the default wal_sync_method to be fdatasync on Linux (Tom Lane, Marti Raudsepp) The default on Linux has actually been fdatasync for many years, but recent kernel changes caused PostgreSQL to choose open_datasync instead. This choice did not result in any performance improvement, and caused outright failures on certain filesystems, notably ext4 with the data=journal mount option. Fix too many KnownAssignedXids error during Hot Standby replay (Heikki Linnakangas) Fix race condition in lock acquisition during Hot Standby (Simon Riggs) Avoid unnecessary conflicts during Hot Standby (Simon Riggs) This fixes some cases where replay was considered to conflict with standby queries (causing delay of replay or possibly cancellation of the queries), but there was no real conflict. Fix assorted bugs in WAL replay logic for GIN indexes (Tom Lane) This could result in bad buffer id: 0 failures or corruption of index contents during replication. Fix recovery from base backup when the starting checkpoint WAL record is not in the same WAL segment as its redo point (Jeff Davis) Fix corner-case bug when streaming replication is enabled immediately after creating the master database cluster (Heikki Linnakangas) Fix persistent slowdown of autovacuum workers when multiple workers remain active for a long time (Tom Lane) The effective vacuum_cost_limit for an autovacuum worker could drop to nearly zero if it processed enough tables, causing it to run extremely slowly. Fix long-term memory leak in autovacuum launcher (Alvaro Herrera) Avoid failure when trying to report an impending transaction wraparound condition from outside a transaction (Tom Lane) This oversight prevented recovery after transaction wraparound got too close, because database startup processing would fail. Add support for detecting register-stack overrun on IA64 (Tom Lane) The IA64 architecture has two hardware stacks. Full prevention of stack-overrun failures requires checking both. Add a check for stack overflow in copyObject() (Tom Lane) Certain code paths could crash due to stack overflow given a sufficiently complex query. Fix detection of page splits in temporary GiST indexes (Heikki Linnakangas) It is possible to have a concurrent page split in a temporary index, if for example there is an open cursor scanning the index when an insertion is done. GiST failed to detect this case and hence could deliver wrong results when execution of the cursor continued. Fix error checking during early connection processing (Tom Lane) The check for too many child processes was skipped in some cases, possibly leading to postmaster crash when attempting to add the new child process to fixed-size arrays. Improve efficiency of window functions (Tom Lane) Certain cases where a large number of tuples needed to be read in advance, but work_mem was large enough to allow them all to be held in memory, were unexpectedly slow. percent_rank(), cume_dist() and ntile() in particular were subject to this problem. Avoid memory leakage while ANALYZE'ing complex index expressions (Tom Lane) Ensure an index that uses a whole-row Var still depends on its table (Tom Lane) An index declared like create index i on t (foo(t.*)) would not automatically get dropped when its table was dropped. Add missing support in DROP OWNED BY for removing foreign data wrapper/server privileges belonging to a user (Heikki Linnakangas) Do not inline a SQL function with multiple OUT parameters (Tom Lane) This avoids a possible crash due to loss of information about the expected result rowtype. Fix crash when inline-ing a set-returning function whose argument list contains a reference to an inline-able user function (Tom Lane) Behave correctly if ORDER BY, LIMIT, FOR UPDATE, or WITH is attached to the VALUES part of INSERT ... VALUES (Tom Lane) Make the OFF keyword unreserved (Heikki Linnakangas) This prevents problems with using off as a variable name in PL/pgSQL. That worked before 9.0, but was now broken because PL/pgSQL now treats all core reserved words as reserved. Fix constant-folding of COALESCE() expressions (Tom Lane) The planner would sometimes attempt to evaluate sub-expressions that in fact could never be reached, possibly leading to unexpected errors. Fix could not find pathkey item to sort planner failure with comparison of whole-row Vars (Tom Lane) Fix postmaster crash when connection acceptance (accept() or one of the calls made immediately after it) fails, and the postmaster was compiled with GSSAPI support (Alexander Chernikov) Retry after receiving an invalid response packet from a RADIUS authentication server (Magnus Hagander) This fixes a low-risk potential denial of service condition. Fix missed unlink of temporary files when log_temp_files is active (Tom Lane) If an error occurred while attempting to emit the log message, the unlink was not done, resulting in accumulation of temp files. Add print functionality for InhRelation nodes (Tom Lane) This avoids a failure when debug_print_parse is enabled and certain types of query are executed. Fix incorrect calculation of distance from a point to a horizontal line segment (Tom Lane) This bug affected several different geometric distance-measurement operators. Fix incorrect calculation of transaction status in ecpg (Itagaki Takahiro) Fix errors in psql's Unicode-escape support (Tom Lane) Speed up parallel pg_restore when the archive contains many large objects (blobs) (Tom Lane) Fix PL/pgSQL's handling of simple expressions to not fail in recursion or error-recovery cases (Tom Lane) Fix PL/pgSQL's error reporting for no-such-column cases (Tom Lane) As of 9.0, it would sometimes report missing FROM-clause entry for table foo when record foo has no field bar would be more appropriate. Fix PL/Python to honor typmod (i.e., length or precision restrictions) when assigning to tuple fields (Tom Lane) This fixes a regression from 8.4. Fix PL/Python's handling of set-returning functions (Jan Urbanski) Attempts to call SPI functions within the iterator generating a set result would fail. Fix bug in contrib/cube's GiST picksplit algorithm (Alexander Korotkov) This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a cube column. If you have such an index, consider REINDEXing it after installing this update. Don't emit identifier will be truncated notices in contrib/dblink except when creating new connections (Itagaki Takahiro) Fix potential coredump on missing public key in contrib/pgcrypto (Marti Raudsepp) Fix buffer overrun in contrib/pg_upgrade (Hernan Gonzalez) Fix memory leak in contrib/xml2's XPath query functions (Tom Lane) Update time zone data files to tzdata release 2010o for DST law changes in Fiji and Samoa; also historical corrections for Hong Kong. 2010-10-04 This release contains a variety of fixes from 9.0.0. For information about new features in the 9.0 major release, see . A dump/restore is not required for those running 9.0.X. Use a separate interpreter for each calling SQL userid in PL/Perl and PL/Tcl (Tom Lane) This change prevents security problems that can be caused by subverting Perl or Tcl code that will be executed later in the same session under another SQL user identity (for example, within a SECURITY DEFINER function). Most scripting languages offer numerous ways that that might be done, such as redefining standard functions or operators called by the target function. Without this change, any SQL user with Perl or Tcl language usage rights can do essentially anything with the SQL privileges of the target function's owner. The cost of this change is that intentional communication among Perl and Tcl functions becomes more difficult. To provide an escape hatch, PL/PerlU and PL/TclU functions continue to use only one interpreter per session. This is not considered a security issue since all such functions execute at the trust level of a database superuser already. It is likely that third-party procedural languages that claim to offer trusted execution have similar security issues. We advise contacting the authors of any PL you are depending on for security-critical purposes. Our thanks to Tim Bunce for pointing out this issue (CVE-2010-3433). Improve pg_get_expr() security fix so that the function can still be used on the output of a sub-select (Tom Lane) Fix incorrect placement of placeholder evaluation (Tom Lane) This bug could result in query outputs being non-null when they should be null, in cases where the inner side of an outer join is a sub-select with non-strict expressions in its output list. Fix join removal's handling of placeholder expressions (Tom Lane) Fix possible duplicate scans of UNION ALL member relations (Tom Lane) Prevent infinite loop in ProcessIncomingNotify() after unlistening (Jeff Davis) Prevent show_session_authorization() from crashing within autovacuum processes (Tom Lane) Re-allow input of Julian dates prior to 0001-01-01 AD (Tom Lane) Input such as 'J100000'::date worked before 8.4, but was unintentionally broken by added error-checking. Make psql recognize DISCARD ALL as a command that should not be encased in a transaction block in autocommit-off mode (Itagaki Takahiro) Update build infrastructure and documentation to reflect the source code repository's move from CVS to Git (Magnus Hagander and others) 2010-09-20 This release of PostgreSQL adds features that have been requested for years, such as easy-to-use replication, a mass permission-changing facility, and anonymous code blocks. While past major releases have been conservative in their scope, this release shows a bold new desire to provide facilities that new and existing users of PostgreSQL will embrace. This has all been done with few incompatibilities. Major enhancements include: Built-in replication based on log shipping. This advance consists of two features: Streaming Replication, allowing continuous archive (WAL) files to be streamed over a network connection to a standby server, and Hot Standby, allowing continuous archive standby servers to execute read-only queries. The net effect is to support a single master with multiple read-only slave servers. Easier database object permissions management. GRANT/REVOKE IN SCHEMA supports mass permissions changes on existing objects, while ALTER DEFAULT PRIVILEGES allows control of privileges for objects created in the future. Large objects (BLOBs) now support permissions management as well. Broadly enhanced stored procedure support. The DO statement supports ad-hoc or anonymous code blocks. Functions can now be called using named parameters. PL/pgSQL is now installed by default, and PL/Perl and PL/Python have been enhanced in several ways, including support for Python3. Full support for 64-bit Windows. More advanced reporting queries, including additional windowing options (PRECEDING and FOLLOWING) and the ability to control the order in which values are fed to aggregate functions. New trigger features, including SQL-standard-compliant per-column triggers and conditional trigger execution. Deferrable unique constraints. Mass updates to unique keys are now possible without trickery. Exclusion constraints. These provide a generalized version of unique constraints, allowing enforcement of complex conditions. New and enhanced security features, including RADIUS authentication, LDAP authentication improvements, and a new contrib module passwordcheck for testing password strength. New high-performance implementation of the LISTEN/NOTIFY feature. Pending events are now stored in a memory-based queue rather than a table. Also, a payload string can be sent with each event, rather than transmitting just an event name as before. New implementation of VACUUM FULL. This command now rewrites the entire table and indexes, rather than moving individual rows to compact space. It is substantially faster in most cases, and no longer results in index bloat. New contrib module pg_upgrade to support in-place upgrades from 8.3 or 8.4 to 9.0. Multiple performance enhancements for specific types of queries, including elimination of unnecessary joins. This helps optimize some automatically-generated queries, such as those produced by object-relational mappers (ORMs). EXPLAIN enhancements. The output is now available in JSON, XML, or YAML format, and includes buffer utilization and other data not previously available. hstore improvements, including new functions and greater data capacity. The above items are explained in more detail in the sections below. A dump/restore using pg_dump, or use of pg_upgrade, is required for those wishing to migrate data from any previous release. Version 9.0 contains a number of changes that selectively break backwards compatibility in order to support new features and code quality improvements. In particular, users who make extensive use of PL/pgSQL, Point-In-Time Recovery (PITR), or Warm Standby should test their applications because of slight user-visible changes in those areas. Observe the following incompatibilities: Remove server parameter add_missing_from, which was defaulted to off for many years (Tom Lane) Remove server parameter regex_flavor, which was defaulted to advanced for many years (Tom Lane) archive_mode now only affects archive_command; a new setting, wal_level, affects the contents of the write-ahead log (Heikki Linnakangas) log_temp_files now uses default file size units of kilobytes (Robert Haas) When querying a parent table, do not do any separate permission checks on child tables scanned as part of the query (Peter Eisentraut) The SQL standard specifies this behavior, and it is also much more convenient in practice than the former behavior of checking permissions on each child as well as the parent. bytea output now appears in hex format by default (Peter Eisentraut) The server parameter bytea_output can be used to select the traditional output format if needed for compatibility. Array input now considers only plain ASCII whitespace characters to be potentially ignorable; it will never ignore non-ASCII characters, even if they are whitespace according to some locales (Tom Lane) This avoids some corner cases where array values could be interpreted differently depending on the server's locale settings. Improve standards compliance of SIMILAR TO patterns and SQL-style substring() patterns (Tom Lane) This includes treating ? and {...} as pattern metacharacters, while they were simple literal characters before; that corresponds to new features added in SQL:2008. Also, ^ and $ are now treated as simple literal characters; formerly they were treated as metacharacters, as if the pattern were following POSIX rather than SQL rules. Also, in SQL-standard substring(), use of parentheses for nesting no longer interferes with capturing of a substring. Also, processing of bracket expressions (character classes) is now more standards-compliant. Reject negative length values in 3-parameter substring() for bit strings, per the SQL standard (Tom Lane) Make date_trunc truncate rather than round when reducing precision of fractional seconds (Tom Lane) The code always acted this way for integer-based dates/times. Now float-based dates/times behave similarly. Tighten enforcement of column name consistency during RENAME when a child table inherits the same column from multiple unrelated parents (KaiGai Kohei) No longer automatically rename indexes and index columns when the underlying table columns are renamed (Tom Lane) Administrators can still rename such indexes and columns manually. This change will require an update of the JDBC driver, and possibly other drivers, so that unique indexes are correctly recognized after a rename. CREATE OR REPLACE FUNCTION can no longer change the declared names of function parameters (Pavel Stehule) In order to avoid creating ambiguity in named-parameter calls, it is no longer allowed to change the aliases for input parameters in the declaration of an existing function (although names can still be assigned to previously unnamed parameters). You now have to DROP and recreate the function to do that. PL/pgSQL now throws an error if a variable name conflicts with a column name used in a query (Tom Lane) The former behavior was to bind ambiguous names to PL/pgSQL variables in preference to query columns, which often resulted in surprising misbehavior. Throwing an error allows easy detection of ambiguous situations. Although it's recommended that functions encountering this type of error be modified to remove the conflict, the old behavior can be restored if necessary via the configuration parameter plpgsql.variable_conflict, or via the per-function option #variable_conflict. PL/pgSQL no longer allows variable names that match certain SQL reserved words (Tom Lane) This is a consequence of aligning the PL/pgSQL parser to match the core SQL parser more closely. If necessary, variable names can be double-quoted to avoid this restriction. PL/pgSQL now requires columns of composite results to match the expected type modifier as well as base type (Pavel Stehule, Tom Lane) For example, if a column of the result type is declared as NUMERIC(30,2), it is no longer acceptable to return a NUMERIC of some other precision in that column. Previous versions neglected to check the type modifier and would thus allow result rows that didn't actually conform to the declared restrictions. PL/pgSQL now treats selection into composite fields more consistently (Tom Lane) Formerly, a statement like SELECT ... INTO rec.fld FROM ... was treated as a scalar assignment even if the record field fld was of composite type. Now it is treated as a record assignment, the same as when the INTO target is a regular variable of composite type. So the values to be assigned to the field's subfields should be written as separate columns of the SELECT list, not as a ROW(...) construct as in previous versions. If you need to do this in a way that will work in both 9.0 and previous releases, you can write something like rec.fld := ROW(...) FROM .... Remove PL/pgSQL's RENAME declaration (Tom Lane) Instead of RENAME, use ALIAS, which can now create an alias for any variable, not only dollar sign parameter names (such as $1) as before. Deprecate use of => as an operator name (Robert Haas) Future versions of PostgreSQL will probably reject this operator name entirely, in order to support the SQL-standard notation for named function parameters. For the moment, it is still allowed, but a warning is emitted when such an operator is defined. Remove support for platforms that don't have a working 64-bit integer data type (Tom Lane) It is believed all still-supported platforms have working 64-bit integer data types. Version 9.0 has an unprecedented number of new major features, and over 200 enhancements, improvements, new commands, new functions, and other changes. PostgreSQL's existing standby-server capability has been expanded both to support read-only queries on standby servers and to greatly reduce the lag between master and standby servers. For many users, this will be a useful and low-administration form of replication, either for high availability or for horizontal scalability. Allow a standby server to accept read-only queries (Simon Riggs, Heikki Linnakangas) This feature is called Hot Standby. There are new postgresql.conf and recovery.conf settings to control this feature, as well as extensive documentation. Allow write-ahead log (WAL) data to be streamed to a standby server (Fujii Masao, Heikki Linnakangas) This feature is called Streaming Replication. Previously WAL data could be sent to standby servers only in units of entire WAL files (normally 16 megabytes each). Streaming Replication eliminates this inefficiency and allows updates on the master to be propagated to standby servers with very little delay. There are new postgresql.conf and recovery.conf settings to control this feature, as well as extensive documentation. Add pg_last_xlog_receive_location() and pg_last_xlog_replay_location(), which can be used to monitor standby server WAL activity (Simon Riggs, Fujii Masao, Heikki Linnakangas) Allow per-tablespace values to be set for sequential and random page cost estimates (seq_page_cost/random_page_cost) via ALTER TABLESPACE ... SET/RESET (Robert Haas) Improve performance and reliability of EvalPlanQual rechecks in join queries (Tom Lane) UPDATE, DELETE, and SELECT FOR UPDATE/SHARE queries that involve joins will now behave much better when encountering freshly-updated rows. Improve performance of TRUNCATE when the table was created or truncated earlier in the same transaction (Tom Lane) Improve performance of finding inheritance child tables (Tom Lane) Remove unnecessary outer joins (Robert Haas) Outer joins where the inner side is unique and not referenced above the join are unnecessary and are therefore now removed. This will accelerate many automatically generated queries, such as those created by object-relational mappers (ORMs). Allow IS NOT NULL restrictions to use indexes (Tom Lane) This is particularly useful for finding MAX()/MIN() values in indexes that contain many null values. Improve the optimizer's choices about when to use materialize nodes, and when to use sorting versus hashing for DISTINCT (Tom Lane) Improve the optimizer's equivalence detection for expressions involving boolean <> operators (Tom Lane) Use the same random seed every time GEQO plans a query (Andres Freund) While the Genetic Query Optimizer (GEQO) still selects random plans, it now always selects the same random plans for identical queries, thus giving more consistent performance. You can modify geqo_seed to experiment with alternative plans. Improve GEQO plan selection (Tom Lane) This avoids the rare error failed to make a valid plan, and should also improve planning speed. Improve ANALYZE to support inheritance-tree statistics (Tom Lane) This is particularly useful for partitioned tables. However, autovacuum does not yet automatically re-analyze parent tables when child tables change. Improve autovacuum's detection of when re-analyze is necessary (Tom Lane) Improve optimizer's estimation for greater/less-than comparisons (Tom Lane) When looking up statistics for greater/less-than comparisons, if the comparison value is in the first or last histogram bucket, use an index (if available) to fetch the current actual column minimum or maximum. This greatly improves the accuracy of estimates for comparison values near the ends of the data range, particularly if the range is constantly changing due to addition of new data. Allow setting of number-of-distinct-values statistics using ALTER TABLE (Robert Haas) This allows users to override the estimated number or percentage of distinct values for a column. This statistic is normally computed by ANALYZE, but the estimate can be poor, especially on tables with very large numbers of rows. Add support for RADIUS (Remote Authentication Dial In User Service) authentication (Magnus Hagander) Allow LDAP (Lightweight Directory Access Protocol) authentication to operate in search/bind mode (Robert Fleming, Magnus Hagander) This allows the user to be looked up first, then the system uses the DN (Distinguished Name) returned for that user. Add samehost and samenet designations to pg_hba.conf (Stef Walter) These match the server's IP address and subnet address respectively. Pass trusted SSL root certificate names to the client so the client can return an appropriate client certificate (Craig Ringer) Add the ability for clients to set an application name, which is displayed in pg_stat_activity (Dave Page) This allows administrators to characterize database traffic and troubleshoot problems by source application. Add a SQLSTATE option (%e) to log_line_prefix (Guillaume Smet) This allows users to compile statistics on errors and messages by error code number. Write to the Windows event log in UTF16 encoding (Itagaki Takahiro) Now there is true multilingual support for PostgreSQL log messages on Windows. Add pg_stat_reset_shared('bgwriter') to reset the cluster-wide shared statistics for the background writer (Greg Smith) Add pg_stat_reset_single_table_counters() and pg_stat_reset_single_function_counters() to allow resetting the statistics counters for individual tables and functions (Magnus Hagander) Allow setting of configuration parameters based on database/role combinations (Alvaro Herrera) Previously only per-database and per-role settings were possible, not combinations. All role and database settings are now stored in the new pg_db_role_setting system catalog. A new psql command \drds shows these settings. The legacy system views pg_roles, pg_shadow, and pg_user do not show combination settings, and therefore no longer completely represent the configuration for a user or database. Add server parameter bonjour, which controls whether a Bonjour-enabled server advertises itself via Bonjour (Tom Lane) The default is off, meaning it does not advertise. This allows packagers to distribute Bonjour-enabled builds without worrying that individual users might not want the feature. Add server parameter enable_material, which controls the use of materialize nodes in the optimizer (Robert Haas) The default is on. When off, the optimizer will not add materialize nodes purely for performance reasons, though they will still be used when necessary for correctness. Change server parameter log_temp_files to use default file size units of kilobytes (Robert Haas) Previously this setting was interpreted in bytes if no units were specified. Log changes of parameter values when postgresql.conf is reloaded (Peter Eisentraut) This lets administrators and security staff audit changes of database settings, and is also very convenient for checking the effects of postgresql.conf edits. Properly enforce superuser permissions for custom server parameters (Tom Lane) Non-superusers can no longer issue ALTER ROLE/DATABASE SET for parameters that are not currently known to the server. This allows the server to correctly check that superuser-only parameters are only set by superusers. Previously, the SET would be allowed and then ignored at session start, making superuser-only custom parameters much less useful than they should be. Perform SELECT FOR UPDATE/SHARE processing after applying LIMIT, so the number of rows returned is always predictable (Tom Lane) Previously, changes made by concurrent transactions could cause a SELECT FOR UPDATE to unexpectedly return fewer rows than specified by its LIMIT. FOR UPDATE in combination with ORDER BY can still produce surprising results, but that can be corrected by placing FOR UPDATE in a subquery. Allow mixing of traditional and SQL-standard LIMIT/OFFSET syntax (Tom Lane) Extend the supported frame options in window functions (Hitoshi Harada) Frames can now start with CURRENT ROW, and the ROWS n PRECEDING/FOLLOWING options are now supported. Make SELECT INTO and CREATE TABLE AS return row counts to the client in their command tags (Boszormenyi Zoltan) This can save an entire round-trip to the client, allowing result counts and pagination to be calculated without an additional COUNT query. Support Unicode surrogate pairs (dual 16-bit representation) in U& strings and identifiers (Peter Eisentraut) Support Unicode escapes in E'...' strings (Marko Kreen) Speed up CREATE DATABASE by deferring flushes to disk (Andres Freund, Greg Stark) Allow comments on columns of tables, views, and composite types only, not other relation types such as indexes and TOAST tables (Tom Lane) Allow the creation of enumerated types containing no values (Bruce Momjian) Let values of columns having storage type MAIN remain on the main heap page unless the row cannot fit on a page (Kevin Grittner) Previously MAIN values were forced out to TOAST tables until the row size was less than one-quarter of the page size. Implement IF EXISTS for ALTER TABLE DROP COLUMN and ALTER TABLE DROP CONSTRAINT (Andres Freund) Allow ALTER TABLE commands that rewrite tables to skip WAL logging (Itagaki Takahiro) Such operations either produce a new copy of the table or are rolled back, so WAL archiving can be skipped, unless running in continuous archiving mode. This reduces I/O overhead and improves performance. Fix failure of ALTER TABLE table ADD COLUMN col serial when done by non-owner of table (Tom Lane) Add support for copying COMMENTS and STORAGE settings in CREATE TABLE ... LIKE commands (Itagaki Takahiro) Add a shortcut for copying all properties in CREATE TABLE ... LIKE commands (Itagaki Takahiro) Add the SQL-standard CREATE TABLE ... OF type command (Peter Eisentraut) This allows creation of a table that matches an existing composite type. Additional constraints and defaults can be specified in the command. Add deferrable unique constraints (Dean Rasheed) This allows mass updates, such as UPDATE tab SET col = col + 1, to work reliably on columns that have unique indexes or are marked as primary keys. If the constraint is specified as DEFERRABLE it will be checked at the end of the statement, rather than after each row is updated. The constraint check can also be deferred until the end of the current transaction, allowing such updates to be spread over multiple SQL commands. Add exclusion constraints (Jeff Davis) Exclusion constraints generalize uniqueness constraints by allowing arbitrary comparison operators, not just equality. They are created with the CREATE TABLE CONSTRAINT ... EXCLUDE clause. The most common use of exclusion constraints is to specify that column entries must not overlap, rather than simply not be equal. This is useful for time periods and other ranges, as well as arrays. This feature enhances checking of data integrity for many calendaring, time-management, and scientific applications. Improve uniqueness-constraint violation error messages to report the values causing the failure (Itagaki Takahiro) For example, a uniqueness constraint violation might now report Key (x)=(2) already exists. Add the ability to make mass permission changes across a whole schema using the new GRANT/REVOKE IN SCHEMA clause (Petr Jelinek) This simplifies management of object permissions and makes it easier to utilize database roles for application data security. Add ALTER DEFAULT PRIVILEGES command to control privileges of objects created later (Petr Jelinek) This greatly simplifies the assignment of object privileges in a complex database application. Default privileges can be set for tables, views, sequences, and functions. Defaults may be assigned on a per-schema basis, or database-wide. Add the ability to control large object (BLOB) permissions with GRANT/REVOKE (KaiGai Kohei) Formerly, any database user could read or modify any large object. Read and write permissions can now be granted and revoked per large object, and the ownership of large objects is tracked. Make LISTEN/NOTIFY store pending events in a memory queue, rather than in a system table (Joachim Wieland) This substantially improves performance, while retaining the existing features of transactional support and guaranteed delivery. Allow NOTIFY to pass an optional payload string to listeners (Joachim Wieland) This greatly improves the usefulness of LISTEN/NOTIFY as a general-purpose event queue system. Allow CLUSTER on all per-database system catalogs (Tom Lane) Shared catalogs still cannot be clustered. Accept COPY ... CSV FORCE QUOTE * (Itagaki Takahiro) Now * can be used as shorthand for all columns in the FORCE QUOTE clause. Add new COPY syntax that allows options to be specified inside parentheses (Robert Haas, Emmanuel Cecchet) This allows greater flexibility for future COPY options. The old syntax is still supported, but only for pre-existing options. Allow EXPLAIN to output in XML, JSON, or YAML format (Robert Haas, Greg Sabino Mullane) The new output formats are easily machine-readable, supporting the development of new tools for analysis of EXPLAIN output. Add new BUFFERS option to report query buffer usage during EXPLAIN ANALYZE (Itagaki Takahiro) This allows better query profiling for individual queries. Buffer usage is no longer reported in the output for log_statement_stats and related settings. Add hash usage information to EXPLAIN output (Robert Haas) Add new EXPLAIN syntax that allows options to be specified inside parentheses (Robert Haas) This allows greater flexibility for future EXPLAIN options. The old syntax is still supported, but only for pre-existing options. Change VACUUM FULL to rewrite the entire table and rebuild its indexes, rather than moving individual rows around to compact space (Itagaki Takahiro, Tom Lane) The previous method was usually slower and caused index bloat. Note that the new method will use more disk space transiently during VACUUM FULL; potentially as much as twice the space normally occupied by the table and its indexes. Add new VACUUM syntax that allows options to be specified inside parentheses (Itagaki Takahiro) This allows greater flexibility for future VACUUM options. The old syntax is still supported, but only for pre-existing options. Allow an index to be named automatically by omitting the index name in CREATE INDEX (Tom Lane) By default, multicolumn indexes are now named after all their columns; and index expression columns are now named based on their expressions (Tom Lane) Reindexing shared system catalogs is now fully transactional and crash-safe (Tom Lane) Formerly, reindexing a shared index was only allowed in standalone mode, and a crash during the operation could leave the index in worse condition than it was before. Add point_ops operator class for GiST (Teodor Sigaev) This feature permits GiST indexing of point columns. The index can be used for several types of queries such as point <@ polygon (point is in polygon). This should make many PostGIS queries faster. Use red-black binary trees for GIN index creation (Teodor Sigaev) Red-black trees are self-balancing. This avoids slowdowns in cases where the input is in nonrandom order. Allow bytea values to be written in hex notation (Peter Eisentraut) The server parameter bytea_output controls whether hex or traditional format is used for bytea output. Libpq's PQescapeByteaConn() function automatically uses the hex format when connected to PostgreSQL 9.0 or newer servers. However, pre-9.0 libpq versions will not correctly process hex format from newer servers. The new hex format will be directly compatible with more applications that use binary data, allowing them to store and retrieve it without extra conversion. It is also significantly faster to read and write than the traditional format. Allow server parameter extra_float_digits to be increased to 3 (Tom Lane) The previous maximum extra_float_digits setting was 2. There are cases where 3 digits are needed to dump and restore float4 values exactly. pg_dump will now use the setting of 3 when dumping from a server that allows it. Tighten input checking for int2vector values (Caleb Welton) Add prefix support in synonym dictionaries (Teodor Sigaev) Add filtering dictionaries (Teodor Sigaev) Filtering dictionaries allow tokens to be modified then passed to subsequent dictionaries. Allow underscores in email-address tokens (Teodor Sigaev) Use more standards-compliant rules for parsing URL tokens (Tom Lane) Allow function calls to supply parameter names and match them to named parameters in the function definition (Pavel Stehule) For example, if a function is defined to take parameters a and b, it can be called with func(a := 7, b := 12) or func(b := 12, a := 7). Support locale-specific regular expression processing with UTF-8 server encoding (Tom Lane) Locale-specific regular expression functionality includes case-insensitive matching and locale-specific character classes. Previously, these features worked correctly for non-ASCII characters only if the database used a single-byte server encoding (such as LATIN1). They will still misbehave in multi-byte encodings other than UTF-8. Add support for scientific notation in to_char() (EEEE specification) (Pavel Stehule, Brendan Jurd) Make to_char() honor FM (fill mode) in Y, YY, and YYY specifications (Bruce Momjian, Tom Lane) It was already honored by YYYY. Fix to_char() to output localized numeric and monetary strings in the correct encoding on Windows (Hiroshi Inoue, Itagaki Takahiro, Bruce Momjian) Correct calculations of overlaps and contains operations for polygons (Teodor Sigaev) The polygon && (overlaps) operator formerly just checked to see if the two polygons' bounding boxes overlapped. It now does a more correct check. The polygon @> and <@ (contains/contained by) operators formerly checked to see if one polygon's vertexes were all contained in the other; this can wrongly report true for some non-convex polygons. Now they check that all line segments of one polygon are contained in the other. Allow aggregate functions to use ORDER BY (Andrew Gierth) For example, this is now supported: array_agg(a ORDER BY b). This is useful with aggregates for which the order of input values is significant, and eliminates the need to use a nonstandard subquery to determine the ordering. Multi-argument aggregate functions can now use DISTINCT (Andrew Gierth) Add the string_agg() aggregate function to combine values into a single string (Pavel Stehule) Aggregate functions that are called with DISTINCT are now passed NULL values if the aggregate transition function is not marked as STRICT (Andrew Gierth) For example, agg(DISTINCT x) might pass a NULL x value to agg(). This is more consistent with the behavior in non-DISTINCT cases. Add get_bit() and set_bit() functions for bit strings, mirroring those for bytea (Leonardo F) Implement OVERLAY() (replace) for bit strings and bytea (Leonardo F) Add pg_table_size() and pg_indexes_size() to provide a more user-friendly interface to the pg_relation_size() function (Bernd Helmle) Add has_sequence_privilege() for sequence permission checking (Abhijit Menon-Sen) Update the information_schema views to conform to SQL:2008 (Peter Eisentraut) Make the information_schema views correctly display maximum octet lengths for char and varchar columns (Peter Eisentraut) Speed up information_schema privilege views (Joachim Wieland) Support execution of anonymous code blocks using the DO statement (Petr Jelinek, Joshua Tolley, Hannu Valtonen) This allows execution of server-side code without the need to create and delete a temporary function definition. Code can be executed in any language for which the user has permissions to define a function. Implement SQL-standard-compliant per-column triggers (Itagaki Takahiro) Such triggers are fired only when the specified column(s) are affected by the query, e.g. appear in an UPDATE's SET list. Add the WHEN clause to CREATE TRIGGER to allow control over whether a trigger is fired (Itagaki Takahiro) While the same type of check can always be performed inside the trigger, doing it in an external WHEN clause can have performance benefits. Add the OR REPLACE clause to CREATE LANGUAGE (Tom Lane) This is helpful to optionally install a language if it does not already exist, and is particularly helpful now that PL/pgSQL is installed by default. Install PL/pgSQL by default (Bruce Momjian) The language can still be removed from a particular database if the administrator has security or performance concerns about making it available. Improve handling of cases where PL/pgSQL variable names conflict with identifiers used in queries within a function (Tom Lane) The default behavior is now to throw an error when there is a conflict, so as to avoid surprising behaviors. This can be modified, via the configuration parameter plpgsql.variable_conflict or the per-function option #variable_conflict, to allow either the variable or the query-supplied column to be used. In any case PL/pgSQL will no longer attempt to substitute variables in places where they would not be syntactically valid. Make PL/pgSQL use the main lexer, rather than its own version (Tom Lane) This ensures accurate tracking of the main system's behavior for details such as string escaping. Some user-visible details, such as the set of keywords considered reserved in PL/pgSQL, have changed in consequence. Avoid throwing an unnecessary error for an invalid record reference (Tom Lane) An error is now thrown only if the reference is actually fetched, rather than whenever the enclosing expression is reached. For example, many people have tried to do this in triggers: if TG_OP = 'INSERT' and NEW.col1 = ... then This will now actually work as expected. Improve PL/pgSQL's ability to handle row types with dropped columns (Pavel Stehule) Allow input parameters to be assigned values within PL/pgSQL functions (Steve Prentice) Formerly, input parameters were treated as being declared CONST, so the function's code could not change their values. This restriction has been removed to simplify porting of functions from other DBMSes that do not impose the equivalent restriction. An input parameter now acts like a local variable initialized to the passed-in value. Improve error location reporting in PL/pgSQL (Tom Lane) Add count and ALL options to MOVE FORWARD/BACKWARD in PL/pgSQL (Pavel Stehule) Allow PL/pgSQL's WHERE CURRENT OF to use a cursor variable (Tom Lane) Allow PL/pgSQL's OPEN cursor FOR EXECUTE to use parameters (Pavel Stehule, Itagaki Takahiro) This is accomplished with a new USING clause. Add new PL/Perl functions: quote_literal(), quote_nullable(), quote_ident(), encode_bytea(), decode_bytea(), looks_like_number(), encode_array_literal(), encode_array_constructor() (Tim Bunce) Add server parameter plperl.on_init to specify a PL/Perl initialization function (Tim Bunce) plperl.on_plperl_init and plperl.on_plperlu_init are also available for initialization that is specific to the trusted or untrusted language respectively. Support END blocks in PL/Perl (Tim Bunce) END blocks do not currently allow database access. Allow use strict in PL/Perl (Tim Bunce) Perl strict checks can also be globally enabled with the new server parameter plperl.use_strict. Allow require in PL/Perl (Tim Bunce) This basically tests to see if the module is loaded, and if not, generates an error. It will not allow loading of modules that the administrator has not preloaded via the initialization parameters. Allow use feature in PL/Perl if Perl version 5.10 or later is used (Tim Bunce) Verify that PL/Perl return values are valid in the server encoding (Andrew Dunstan) Add Unicode support in PL/Python (Peter Eisentraut) Strings are automatically converted from/to the server encoding as necessary. Improve bytea support in PL/Python (Caleb Welton) Bytea values passed into PL/Python are now represented as binary, rather than the PostgreSQL bytea text format. Bytea values containing null bytes are now also output properly from PL/Python. Passing of boolean, integer, and float values was also improved. Support arrays as parameters and return values in PL/Python (Peter Eisentraut) Improve mapping of SQL domains to Python types (Peter Eisentraut) Add Python 3 support to PL/Python (Peter Eisentraut) The new server-side language is called plpython3u. This cannot be used in the same session with the Python 2 server-side language. Improve error location and exception reporting in PL/Python (Peter Eisentraut) Add an --analyze-only option to vacuumdb, to analyze without vacuuming (Bruce Momjian) Add support for quoting/escaping the values of psql variables as SQL strings or identifiers (Pavel Stehule, Robert Haas) For example, :'var' will produce the value of var quoted and properly escaped as a literal string, while :"var" will produce its value quoted and escaped as an identifier. Ignore a leading UTF-8-encoded Unicode byte-order marker in script files read by psql (Itagaki Takahiro) This is enabled when the client encoding is UTF-8. It improves compatibility with certain editors, mostly on Windows, that insist on inserting such markers. Fix psql --file - to properly honor --single-transaction (Bruce Momjian) Avoid overwriting of psql's command-line history when two psql sessions are run concurrently (Tom Lane) Improve psql's tab completion support (Itagaki Takahiro) Show \timing output when it is enabled, regardless of quiet mode (Peter Eisentraut) Improve display of wrapped columns in psql (Roger Leigh) This behavior is now the default. The previous formatting is available by using \pset linestyle old-ascii. Allow psql to use fancy Unicode line-drawing characters via \pset linestyle unicode (Roger Leigh) Make \d show child tables that inherit from the specified parent (Damien Clochard) \d shows only the number of child tables, while \d+ shows the names of all child tables. Show definitions of index columns in \d index_name (Khee Chin) The definition is useful for expression indexes. Show a view's defining query only in \d+, not in \d (Peter Eisentraut) Always including the query was deemed overly verbose. Make pg_dump/pg_restore --clean also remove large objects (Itagaki Takahiro) Fix pg_dump to properly dump large objects when standard_conforming_strings is enabled (Tom Lane) The previous coding could fail when dumping to an archive file and then generating script output from pg_restore. pg_restore now emits large-object data in hex format when generating script output (Tom Lane) This could cause compatibility problems if the script is then loaded into a pre-9.0 server. To work around that, restore directly to the server, instead. Allow pg_dump to dump comments attached to columns of composite types (Taro Minowa (Higepon)) Make pg_dump --verbose output the pg_dump and server versions in text output mode (Jim Cox, Tom Lane) These were already provided in custom output mode. pg_restore now complains if any command-line arguments remain after the switches and optional file name (Tom Lane) Previously, it silently ignored any such arguments. Allow pg_ctl to be used safely to start the postmaster during a system reboot (Tom Lane) Previously, pg_ctl's parent process could have been mistakenly identified as a running postmaster based on a stale postmaster lock file, resulting in a transient failure to start the database. Give pg_ctl the ability to initialize the database (by invoking initdb) (Zdenek Kotala) Add new libpq functions PQconnectdbParams() and PQconnectStartParams() (Guillaume Lelarge) These functions are similar to PQconnectdb() and PQconnectStart() except that they accept a null-terminated array of connection options, rather than requiring all options to be provided in a single string. Add libpq functions PQescapeLiteral() and PQescapeIdentifier() (Robert Haas) These functions return appropriately quoted and escaped SQL string literals and identifiers. The caller is not required to pre-allocate the string result, as is required by PQescapeStringConn(). Add support for a per-user service file (.pg_service.conf), which is checked before the site-wide service file (Peter Eisentraut) Properly report an error if the specified libpq service cannot be found (Peter Eisentraut) Add TCP keepalive settings in libpq (Tollef Fog Heen, Fujii Masao, Robert Haas) Keepalive settings were already supported on the server end of TCP connections. Avoid extra system calls to block and unblock SIGPIPE in libpq, on platforms that offer alternative methods (Jeremy Kerr) When a .pgpass-supplied password fails, mention where the password came from in the error message (Bruce Momjian) Load all SSL certificates given in the client certificate file (Tom Lane) This improves support for indirectly-signed SSL certificates. Add SQLDA (SQL Descriptor Area) support to ecpg (Boszormenyi Zoltan) Add the DESCRIBE [ OUTPUT ] statement to ecpg (Boszormenyi Zoltan) Add an ECPGtransactionStatus function to return the current transaction status (Bernd Helmle) Add the string data type in ecpg Informix-compatibility mode (Boszormenyi Zoltan) Allow ecpg to use new and old variable names without restriction (Michael Meskes) Allow ecpg to use variable names in free() (Michael Meskes) Make ecpg_dynamic_type() return zero for non-SQL3 data types (Michael Meskes) Previously it returned the negative of the data type OID. This could be confused with valid type OIDs, however. Support long long types on platforms that already have 64-bit long (Michael Meskes) Add out-of-scope cursor support in ecpg's native mode (Boszormenyi Zoltan) This allows DECLARE to use variables that are not in scope when OPEN is called. This facility already existed in ecpg's Informix-compatibility mode. Allow dynamic cursor names in ecpg (Boszormenyi Zoltan) Allow ecpg to use noise words FROM and IN in FETCH and MOVE (Boszormenyi Zoltan) Enable client thread safety by default (Bruce Momjian) The thread-safety option can be disabled with configure --disable-thread-safety. Add support for controlling the Linux out-of-memory killer (Alex Hunsaker, Tom Lane) Now that /proc/self/oom_adj allows disabling of the Linux out-of-memory (OOM) killer, it's recommendable to disable OOM kills for the postmaster. It may then be desirable to re-enable OOM kills for the postmaster's child processes. The new compile-time option LINUX_OOM_ADJ allows the killer to be reactivated for child processes. New Makefile targets world, install-world, and installcheck-world (Andrew Dunstan) These are similar to the existing all, install, and installcheck targets, but they also build the HTML documentation, build and test contrib, and test server-side languages and ecpg. Add data and documentation installation location control to PGXS Makefiles (Mark Cave-Ayland) Add Makefile rules to build the PostgreSQL documentation as a single HTML file or as a single plain-text file (Peter Eisentraut, Bruce Momjian) Support compiling on 64-bit Windows and running in 64-bit mode (Tsutomu Yamada, Magnus Hagander) This allows for large shared memory sizes on Windows. Support server builds using Visual Studio 2008 (Magnus Hagander) Distribute prebuilt documentation in a subdirectory tree, rather than as tar archive files inside the distribution tarball (Peter Eisentraut) For example, the prebuilt HTML documentation is now in doc/src/sgml/html/; the manual pages are packaged similarly. Make the server's lexer reentrant (Tom Lane) This was needed for use of the lexer by PL/pgSQL. Improve speed of memory allocation (Tom Lane, Greg Stark) User-defined constraint triggers now have entries in pg_constraint as well as pg_trigger (Tom Lane) Because of this change, pg_constraint.pgconstrname is now redundant and has been removed. Add system catalog columns pg_constraint.conindid and pg_trigger.tgconstrindid to better document the use of indexes for constraint enforcement (Tom Lane) Allow multiple conditions to be communicated to backends using a single operating system signal (Fujii Masao) This allows new features to be added without a platform-specific constraint on the number of signal conditions. Improve source code test coverage, including contrib, PL/Python, and PL/Perl (Peter Eisentraut, Andrew Dunstan) Remove the use of flat files for system table bootstrapping (Tom Lane, Alvaro Herrera) This improves performance when using many roles or databases, and eliminates some possible failure conditions. Automatically generate the initial contents of pg_attribute for bootstrapped catalogs (John Naylor) This greatly simplifies changes to these catalogs. Split the processing of INSERT/UPDATE/DELETE operations out of execMain.c (Marko Tiikkaja) Updates are now executed in a separate ModifyTable node. This change is necessary infrastructure for future improvements. Simplify translation of psql's SQL help text (Peter Eisentraut) Reduce the lengths of some file names so that all file paths in the distribution tarball are less than 100 characters (Tom Lane) Some decompression programs have problems with longer file paths. Add a new ERRCODE_INVALID_PASSWORD SQLSTATE error code (Bruce Momjian) With authors' permissions, remove the few remaining personal source code copyright notices (Bruce Momjian) The personal copyright notices were insignificant but the community occasionally had to answer questions about them. Add new documentation section about running PostgreSQL in non-durable mode to improve performance (Bruce Momjian) Restructure the HTML documentation Makefile rules to make their dependency checks work correctly, avoiding unnecessary rebuilds (Peter Eisentraut) Use DocBook XSL stylesheets for man page building, rather than Docbook2X (Peter Eisentraut) This changes the set of tools needed to build the man pages. Improve PL/Perl code structure (Tim Bunce) Improve error context reports in PL/Perl (Alexey Klyukin) Note that these requirements do not apply when building from a distribution tarball, since tarballs include the files that these programs are used to build. Require Autoconf 2.63 to build configure (Peter Eisentraut) Require Flex 2.5.31 or later to build from a CVS checkout (Tom Lane) Require Perl version 5.8 or later to build from a CVS checkout (John Naylor, Andrew Dunstan) Use a more modern API for Bonjour (Tom Lane) Bonjour support now requires macOS 10.3 or later. The older API has been deprecated by Apple. Add spinlock support for the SuperH architecture (Nobuhiro Iwamatsu) Allow non-GCC compilers to use inline functions if they support them (Kurt Harriman) Remove support for platforms that don't have a working 64-bit integer data type (Tom Lane) Restructure use of LDFLAGS to be more consistent across platforms (Tom Lane) LDFLAGS is now used for linking both executables and shared libraries, and we add on LDFLAGS_EX when linking executables, or LDFLAGS_SL when linking shared libraries. Make backend header files safe to include in C++ (Kurt Harriman, Peter Eisentraut) These changes remove keyword conflicts that previously made C++ usage difficult in backend code. However, there are still other complexities when using C++ for backend functions. extern "C" { } is still necessary in appropriate places, and memory management and error handling are still problematic. Add AggCheckCallContext() for use in detecting if a C function is being called as an aggregate (Hitoshi Harada) Change calling convention for SearchSysCache() and related functions to avoid hard-wiring the maximum number of cache keys (Robert Haas) Existing calls will still work for the moment, but can be expected to break in 9.1 or later if not converted to the new style. Require calls of fastgetattr() and heap_getattr() backend macros to provide a non-NULL fourth argument (Robert Haas) Custom typanalyze functions should no longer rely on VacAttrStats.attr to determine the type of data they will be passed (Tom Lane) This was changed to allow collection of statistics on index columns for which the storage type is different from the underlying column data type. There are new fields that tell the actual datatype being analyzed. Add parser hooks for processing ColumnRef and ParamRef nodes (Tom Lane) Add a ProcessUtility hook so loadable modules can control utility commands (Itagaki Takahiro) Add contrib/pg_upgrade to support in-place upgrades (Bruce Momjian) This avoids the requirement of dumping/reloading the database when upgrading to a new major release of PostgreSQL, thus reducing downtime by orders of magnitude. It supports upgrades to 9.0 from PostgreSQL 8.3 and 8.4. Add support for preserving relation relfilenode values during binary upgrades (Bruce Momjian) Add support for preserving pg_type and pg_enum OIDs during binary upgrades (Bruce Momjian) Move data files within tablespaces into PostgreSQL-version-specific subdirectories (Bruce Momjian) This simplifies binary upgrades. Add multithreading option (-j) to contrib/pgbench (Itagaki Takahiro) This allows multiple CPUs to be used by pgbench, reducing the risk of pgbench itself becoming the test bottleneck. Add \shell and \setshell meta commands to contrib/pgbench (Michael Paquier) New features for contrib/dict_xsyn (Sergey Karpov) The new options are matchorig, matchsynonyms, and keepsynonyms. Add full text dictionary contrib/unaccent (Teodor Sigaev) This filtering dictionary removes accents from letters, which makes full-text searches over multiple languages much easier. Add dblink_get_notify() to contrib/dblink (Marcus Kempe) This allows asynchronous notifications in dblink. Improve contrib/dblink's handling of dropped columns (Tom Lane) This affects dblink_build_sql_insert() and related functions. These functions now number columns according to logical not physical column numbers. Greatly increase contrib/hstore's data length limit, and add B-tree and hash support so GROUP BY and DISTINCT operations are possible on hstore columns (Andrew Gierth) New functions and operators were also added. These improvements make hstore a full-function key-value store embedded in PostgreSQL. Add contrib/passwordcheck to support site-specific password strength policies (Laurenz Albe) The source code of this module should be modified to implement site-specific password policies. Add contrib/pg_archivecleanup tool (Simon Riggs) This is designed to be used in the archive_cleanup_command server parameter, to remove no-longer-needed archive files. Add query text to contrib/auto_explain output (Andrew Dunstan) Add buffer access counters to contrib/pg_stat_statements (Itagaki Takahiro) Update contrib/start-scripts/linux to use /proc/self/oom_adj to disable the Linux out-of-memory (OOM) killer (Alex Hunsaker, Tom Lane)