Release 9.0.23Release Date2015-10-08
This release contains a variety of fixes from 9.0.22.
For information about new features in the 9.0 major release, see
.
This is expected to be the last PostgreSQL> release
in the 9.0.X series. Users are encouraged to update to a newer
release branch soon.
Migration to Version 9.0.23
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.18,
see .
Changes
Fix contrib/pgcrypto> to detect and report
too-short crypt()> salts (Josh Kupershmidt)
Certain invalid salt arguments crashed the server or disclosed a few
bytes of server memory. We have not ruled out the viability of
attacks that arrange for presence of confidential information in the
disclosed bytes, but they seem unlikely. (CVE-2015-5288)
Fix subtransaction cleanup after a portal (cursor) belonging to an
outer subtransaction fails (Tom Lane, Michael Paquier)
A function executed in an outer-subtransaction cursor could cause an
assertion failure or crash by referencing a relation created within an
inner subtransaction.
Fix insertion of relations into the relation cache init file>
(Tom Lane)
An oversight in a patch in the most recent minor releases
caused pg_trigger_tgrelid_tgname_index> to be omitted
from the init file. Subsequent sessions detected this, then deemed the
init file to be broken and silently ignored it, resulting in a
significant degradation in session startup time. In addition to fixing
the bug, install some guards so that any similar future mistake will be
more obvious.
Avoid O(N^2) behavior when inserting many tuples into a SPI query
result (Neil Conway)
Improve LISTEN> startup time when there are many unread
notifications (Matt Newell)
Disable SSL renegotiation by default (Michael Paquier, Andres Freund)
While use of SSL renegotiation is a good idea in theory, we have seen
too many bugs in practice, both in the underlying OpenSSL library and
in our usage of it. Renegotiation will be removed entirely in 9.5 and
later. In the older branches, just change the default value
of ssl_renegotiation_limit> to zero (disabled).
Lower the minimum values of the *_freeze_max_age> parameters
(Andres Freund)
This is mainly to make tests of related behavior less time-consuming,
but it may also be of value for installations with limited disk space.
Limit the maximum value of wal_buffers> to 2GB to avoid
server crashes (Josh Berkus)
Fix rare internal overflow in multiplication of numeric> values
(Dean Rasheed)
Guard against hard-to-reach stack overflows involving record types,
range types, json>, jsonb>, tsquery>,
ltxtquery> and query_int> (Noah Misch)
Fix handling of DOW> and DOY> in datetime input
(Greg Stark)
These tokens aren't meant to be used in datetime values, but previously
they resulted in opaque internal error messages rather
than invalid input syntax>.
Add more query-cancel checks to regular expression matching (Tom Lane)
Add recursion depth protections to regular expression, SIMILAR
TO>, and LIKE> matching (Tom Lane)
Suitable search patterns and a low stack depth limit could lead to
stack-overrun crashes.
Fix potential infinite loop in regular expression execution (Tom Lane)
A search pattern that can apparently match a zero-length string, but
actually doesn't match because of a back reference, could lead to an
infinite loop.
Fix low-memory failures in regular expression compilation
(Andreas Seltenreich)
Fix low-probability memory leak during regular expression execution
(Tom Lane)
Fix rare low-memory failure in lock cleanup during transaction abort
(Tom Lane)
Fix unexpected out-of-memory situation during sort> errors
when using tuplestores with small work_mem> settings (Tom
Lane)
Fix very-low-probability stack overrun in qsort> (Tom Lane)
Fix invalid memory alloc request size> failure in hash joins
with large work_mem> settings (Tomas Vondra, Tom Lane)
Fix assorted planner bugs (Tom Lane)
These mistakes could lead to incorrect query plans that would give wrong
answers, or to assertion failures in assert-enabled builds, or to odd
planner errors such as could not devise a query plan for the
given query>, could not find pathkey item to
sort>, plan should not reference subplan's variable>,
or failed to assign all NestLoopParams to plan nodes>.
Thanks are due to Andreas Seltenreich and Piotr Stefaniak for fuzz
testing that exposed these problems.
Use fuzzy path cost tiebreaking rule in all supported branches (Tom Lane)
This change is meant to avoid platform-specific behavior when
alternative plan choices have effectively-identical estimated costs.
During postmaster shutdown, ensure that per-socket lock files are
removed and listen sockets are closed before we remove
the postmaster.pid> file (Tom Lane)
This avoids race-condition failures if an external script attempts to
start a new postmaster as soon as pg_ctl stop> returns.
Fix postmaster's handling of a startup-process crash during crash
recovery (Tom Lane)
If, during a crash recovery cycle, the startup process crashes without
having restored database consistency, we'd try to launch a new startup
process, which typically would just crash again, leading to an infinite
loop.
Do not print a WARNING> when an autovacuum worker is already
gone when we attempt to signal it, and reduce log verbosity for such
signals (Tom Lane)
Prevent autovacuum launcher from sleeping unduly long if the server
clock is moved backwards a large amount (Álvaro Herrera)
Ensure that cleanup of a GIN index's pending-insertions list is
interruptable by cancel requests (Jeff Janes)
Allow all-zeroes pages in GIN indexes to be reused (Heikki Linnakangas)
Such a page might be left behind after a crash.
Fix off-by-one error that led to otherwise-harmless warnings
about apparent wraparound> in subtrans/multixact truncation
(Thomas Munro)
Fix misreporting of CONTINUE> and MOVE> statement
types in PL/pgSQL>'s error context messages
(Pavel Stehule, Tom Lane)
Fix some places in PL/Tcl> that neglected to check for
failure of malloc()> calls (Michael Paquier, Álvaro
Herrera)
Improve libpq>'s handling of out-of-memory conditions
(Michael Paquier, Heikki Linnakangas)
Fix memory leaks and missing out-of-memory checks
in ecpg> (Michael Paquier)
Fix psql>'s code for locale-aware formatting of numeric
output (Tom Lane)
The formatting code invoked by \pset numericlocale on>
did the wrong thing for some uncommon cases such as numbers with an
exponent but no decimal point. It could also mangle already-localized
output from the money> data type.
Prevent crash in psql>'s \c> command when
there is no current connection (Noah Misch)
Ensure that temporary files created during a pg_dump>
run with tar>-format output are not world-readable (Michael
Paquier)
Fix pg_dump> and pg_upgrade> to support
cases where the postgres> or template1> database
is in a non-default tablespace (Marti Raudsepp, Bruce Momjian)
Fix pg_dump> to handle object privileges sanely when
dumping from a server too old to have a particular privilege type
(Tom Lane)
When dumping functions or procedural languages from pre-7.3
servers, pg_dump> would
produce GRANT>/REVOKE> commands that revoked the
owner's grantable privileges and instead granted all privileges
to PUBLIC>. Since the privileges involved are
just USAGE> and EXECUTE>, this isn't a security
problem, but it's certainly a surprising representation of the older
systems' behavior. Fix it to leave the default privilege state alone
in these cases.
Fix pg_dump> to dump shell types (Tom Lane)
Shell types (that is, not-yet-fully-defined types) aren't useful for
much, but nonetheless pg_dump> should dump them.
Fix spinlock assembly code for PPC hardware to be compatible
with AIX>'s native assembler (Tom Lane)
Building with gcc> didn't work if gcc>
had been configured to use the native assembler, which is becoming more
common.
On AIX>, test the -qlonglong> compiler option
rather than just assuming it's safe to use (Noah Misch)
On AIX>, use -Wl,-brtllib> link option to allow
symbols to be resolved at runtime (Noah Misch)
Perl relies on this ability in 5.8.0 and later.
Avoid use of inline functions when compiling with
32-bit xlc>, due to compiler bugs (Noah Misch)
Use librt> for sched_yield()> when necessary,
which it is on some Solaris versions (Oskari Saarenmaa)
Fix Windows install.bat> script to handle target directory
names that contain spaces (Heikki Linnakangas)
Make the numeric form of the PostgreSQL> version number
(e.g., 90405>) readily available to extension Makefiles,
as a variable named VERSION_NUM> (Michael Paquier)
Update time zone data files to tzdata> release 2015g for
DST law changes in Cayman Islands, Fiji, Moldova, Morocco, Norfolk
Island, North Korea, Turkey, and Uruguay. There is a new zone name
America/Fort_Nelson> for the Canadian Northern Rockies.
Release 9.0.22Release Date2015-06-12
This release contains a small number of fixes from 9.0.21.
For information about new features in the 9.0 major release, see
.
The PostgreSQL> community will stop releasing updates
for the 9.0.X release series in September 2015.
Users are encouraged to update to a newer release branch soon.
Migration to Version 9.0.22
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.18,
see .
Changes
Fix rare failure to invalidate relation cache init file (Tom Lane)
With just the wrong timing of concurrent activity, a VACUUM
FULL> on a system catalog might fail to update the init file>
that's used to avoid cache-loading work for new sessions. This would
result in later sessions being unable to access that catalog at all.
This is a very ancient bug, but it's so hard to trigger that no
reproducible case had been seen until recently.
Avoid deadlock between incoming sessions and CREATE/DROP
DATABASE> (Tom Lane)
A new session starting in a database that is the target of
a DROP DATABASE> command, or is the template for
a CREATE DATABASE> command, could cause the command to wait
for five seconds and then fail, even if the new session would have
exited before that.
Release 9.0.21Release Date2015-06-04
This release contains a small number of fixes from 9.0.20.
For information about new features in the 9.0 major release, see
.
The PostgreSQL> community will stop releasing updates
for the 9.0.X release series in September 2015.
Users are encouraged to update to a newer release branch soon.
Migration to Version 9.0.21
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.18,
see .
Changes
Avoid failures while fsync>'ing data directory during
crash restart (Abhijit Menon-Sen, Tom Lane)
In the previous minor releases we added a patch to fsync>
everything in the data directory after a crash. Unfortunately its
response to any error condition was to fail, thereby preventing the
server from starting up, even when the problem was quite harmless.
An example is that an unwritable file in the data directory would
prevent restart on some platforms; but it is common to make SSL
certificate files unwritable by the server. Revise this behavior so
that permissions failures are ignored altogether, and other types of
failures are logged but do not prevent continuing.
Remove configure>'s check prohibiting linking to a
threaded libpython>
on OpenBSD> (Tom Lane)
The failure this restriction was meant to prevent seems to not be a
problem anymore on current OpenBSD>
versions.
Allow libpq> to use TLS protocol versions beyond v1
(Noah Misch)
For a long time, libpq> was coded so that the only SSL
protocol it would allow was TLS v1. Now that newer TLS versions are
becoming popular, allow it to negotiate the highest commonly-supported
TLS version with the server. (PostgreSQL> servers were
already capable of such negotiation, so no change is needed on the
server side.) This is a back-patch of a change already released in
9.4.0.
Release 9.0.20Release Date2015-05-22
This release contains a variety of fixes from 9.0.19.
For information about new features in the 9.0 major release, see
.
The PostgreSQL> community will stop releasing updates
for the 9.0.X release series in September 2015.
Users are encouraged to update to a newer release branch soon.
Migration to Version 9.0.20
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.18,
see .
Changes
Avoid possible crash when client disconnects just before the
authentication timeout expires (Benkocs Norbert Attila)
If the timeout interrupt fired partway through the session shutdown
sequence, SSL-related state would be freed twice, typically causing a
crash and hence denial of service to other sessions. Experimentation
shows that an unauthenticated remote attacker could trigger the bug
somewhat consistently, hence treat as security issue.
(CVE-2015-3165)
Improve detection of system-call failures (Noah Misch)
Our replacement implementation of snprintf()> failed to
check for errors reported by the underlying system library calls;
the main case that might be missed is out-of-memory situations.
In the worst case this might lead to information exposure, due to our
code assuming that a buffer had been overwritten when it hadn't been.
Also, there were a few places in which security-relevant calls of other
system library functions did not check for failure.
It remains possible that some calls of the *printf()>
family of functions are vulnerable to information disclosure if an
out-of-memory error occurs at just the wrong time. We judge the risk
to not be large, but will continue analysis in this area.
(CVE-2015-3166)
In contrib/pgcrypto>, uniformly report decryption failures
as Wrong key or corrupt data> (Noah Misch)
Previously, some cases of decryption with an incorrect key could report
other error message texts. It has been shown that such variance in
error reports can aid attackers in recovering keys from other systems.
While it's unknown whether pgcrypto>'s specific behaviors
are likewise exploitable, it seems better to avoid the risk by using a
one-size-fits-all message.
(CVE-2015-3167)
Fix incorrect checking of deferred exclusion constraints after a HOT
update (Tom Lane)
If a new row that potentially violates a deferred exclusion constraint
is HOT-updated (that is, no indexed columns change and the row can be
stored back onto the same table page) later in the same transaction,
the exclusion constraint would be reported as violated when the check
finally occurred, even if the row(s) the new row originally conflicted
with had been deleted.
Prevent improper reordering of antijoins (NOT EXISTS joins) versus
other outer joins (Tom Lane)
This oversight in the planner has been observed to cause could
not find RelOptInfo for given relids> errors, but it seems possible
that sometimes an incorrect query plan might get past that consistency
check and result in silently-wrong query output.
Fix incorrect matching of subexpressions in outer-join plan nodes
(Tom Lane)
Previously, if textually identical non-strict subexpressions were used
both above and below an outer join, the planner might try to re-use
the value computed below the join, which would be incorrect because the
executor would force the value to NULL in case of an unmatched outer row.
Fix GEQO planner to cope with failure of its join order heuristic
(Tom Lane)
This oversight has been seen to lead to failed to join all
relations together> errors in queries involving LATERAL>,
and that might happen in other cases as well.
Fix possible deadlock at startup
when max_prepared_transactions> is too small
(Heikki Linnakangas)
Don't archive useless preallocated WAL files after a timeline switch
(Heikki Linnakangas)
Avoid cannot GetMultiXactIdMembers() during recovery> error
(Álvaro Herrera)
Recursively fsync()> the data directory after a crash
(Abhijit Menon-Sen, Robert Haas)
This ensures consistency if another crash occurs shortly later. (The
second crash would have to be a system-level crash, not just a database
crash, for there to be a problem.)
Fix autovacuum launcher's possible failure to shut down, if an error
occurs after it receives SIGTERM (Álvaro Herrera)
Cope with unexpected signals in LockBufferForCleanup()>
(Andres Freund)
This oversight could result in spurious errors about multiple
backends attempting to wait for pincount 1>.
Avoid waiting for WAL flush or synchronous replication during commit of
a transaction that was read-only so far as the user is concerned
(Andres Freund)
Previously, a delay could occur at commit in transactions that had
written WAL due to HOT page pruning, leading to undesirable effects
such as sessions getting stuck at startup if all synchronous replicas
are down. Sessions have also been observed to get stuck in catchup
interrupt processing when using synchronous replication; this will fix
that problem as well.
Fix crash when manipulating hash indexes on temporary tables
(Heikki Linnakangas)
Fix possible failure during hash index bucket split, if other processes
are modifying the index concurrently (Tom Lane)
Check for interrupts while analyzing index expressions (Jeff Janes)
ANALYZE> executes index expressions many times; if there are
slow functions in such an expression, it's desirable to be able to
cancel the ANALYZE> before that loop finishes.
Add the name of the target server to object description strings for
foreign-server user mappings (Álvaro Herrera)
Recommend setting include_realm> to 1 when using
Kerberos/GSSAPI/SSPI authentication (Stephen Frost)
Without this, identically-named users from different realms cannot be
distinguished. For the moment this is only a documentation change, but
it will become the default setting in PostgreSQL> 9.5.
Remove code for matching IPv4 pg_hba.conf> entries to
IPv4-in-IPv6 addresses (Tom Lane)
This hack was added in 2003 in response to a report that some Linux
kernels of the time would report IPv4 connections as having
IPv4-in-IPv6 addresses. However, the logic was accidentally broken in
9.0. The lack of any field complaints since then shows that it's not
needed anymore. Now we have reports that the broken code causes
crashes on some systems, so let's just remove it rather than fix it.
(Had we chosen to fix it, that would make for a subtle and potentially
security-sensitive change in the effective meaning of
IPv4 pg_hba.conf> entries, which does not seem like a good
thing to do in minor releases.)
While shutting down service on Windows, periodically send status
updates to the Service Control Manager to prevent it from killing the
service too soon; and ensure that pg_ctl> will wait for
shutdown (Krystian Bigaj)
Reduce risk of network deadlock when using libpq>'s
non-blocking mode (Heikki Linnakangas)
When sending large volumes of data, it's important to drain the input
buffer every so often, in case the server has sent enough response data
to cause it to block on output. (A typical scenario is that the server
is sending a stream of NOTICE messages during COPY FROM
STDIN>.) This worked properly in the normal blocking mode, but not
so much in non-blocking mode. We've modified libpq>
to opportunistically drain input when it can, but a full defense
against this problem requires application cooperation: the application
should watch for socket read-ready as well as write-ready conditions,
and be sure to call PQconsumeInput()> upon read-ready.
Fix array handling in ecpg> (Michael Meskes)
Fix psql> to sanely handle URIs and conninfo strings as
the first parameter to \connect>
(David Fetter, Andrew Dunstan, Álvaro Herrera)
This syntax has been accepted (but undocumented) for a long time, but
previously some parameters might be taken from the old connection
instead of the given string, which was agreed to be undesirable.
Suppress incorrect complaints from psql> on some
platforms that it failed to write ~/.psql_history> at exit
(Tom Lane)
This misbehavior was caused by a workaround for a bug in very old
(pre-2006) versions of libedit>. We fixed it by
removing the workaround, which will cause a similar failure to appear
for anyone still using such versions of libedit>.
Recommendation: upgrade that library, or use libreadline>.
Fix pg_dump>'s rule for deciding which casts are
system-provided casts that should not be dumped (Tom Lane)
Fix dumping of views that are just VALUES(...)> but have
column aliases (Tom Lane)
In pg_upgrade>, force timeline 1 in the new cluster
(Bruce Momjian)
This change prevents upgrade failures caused by bogus complaints about
missing WAL history files.
In pg_upgrade>, check for improperly non-connectable
databases before proceeding
(Bruce Momjian)
In pg_upgrade>, quote directory paths
properly in the generated delete_old_cluster> script
(Bruce Momjian)
In pg_upgrade>, preserve database-level freezing info
properly
(Bruce Momjian)
This oversight could cause missing-clog-file errors for tables within
the postgres> and template1> databases.
Run pg_upgrade> and pg_resetxlog> with
restricted privileges on Windows, so that they don't fail when run by
an administrator (Muhammad Asif Naeem)
Fix slow sorting algorithm in contrib/intarray> (Tom Lane)
Fix compile failure on Sparc V8 machines (Rob Rowan)
Update time zone data files to tzdata> release 2015d
for DST law changes in Egypt, Mongolia, and Palestine, plus historical
changes in Canada and Chile. Also adopt revised zone abbreviations for
the America/Adak zone (HST/HDT not HAST/HADT).
Release 9.0.19Release Date2015-02-05
This release contains a variety of fixes from 9.0.18.
For information about new features in the 9.0 major release, see
.
Migration to Version 9.0.19
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.18,
see .
Changes
Fix buffer overruns in to_char()>
(Bruce Momjian)
When to_char()> processes a numeric formatting template
calling for a large number of digits, PostgreSQL>
would read past the end of a buffer. When processing a crafted
timestamp formatting template, PostgreSQL> would write
past the end of a buffer. Either case could crash the server.
We have not ruled out the possibility of attacks that lead to
privilege escalation, though they seem unlikely.
(CVE-2015-0241)
Fix buffer overrun in replacement *printf()> functions
(Tom Lane)
PostgreSQL> includes a replacement implementation
of printf> and related functions. This code will overrun
a stack buffer when formatting a floating point number (conversion
specifiers e>, E>, f>, F>,
g> or G>) with requested precision greater than
about 500. This will crash the server, and we have not ruled out the
possibility of attacks that lead to privilege escalation.
A database user can trigger such a buffer overrun through
the to_char()> SQL function. While that is the only
affected core PostgreSQL> functionality, extension
modules that use printf-family functions may be at risk as well.
This issue primarily affects PostgreSQL> on Windows.
PostgreSQL> uses the system implementation of these
functions where adequate, which it is on other modern platforms.
(CVE-2015-0242)
Fix buffer overruns in contrib/pgcrypto>
(Marko Tiikkaja, Noah Misch)
Errors in memory size tracking within the pgcrypto>
module permitted stack buffer overruns and improper dependence on the
contents of uninitialized memory. The buffer overrun cases can
crash the server, and we have not ruled out the possibility of
attacks that lead to privilege escalation.
(CVE-2015-0243)
Fix possible loss of frontend/backend protocol synchronization after
an error
(Heikki Linnakangas)
If any error occurred while the server was in the middle of reading a
protocol message from the client, it could lose synchronization and
incorrectly try to interpret part of the message's data as a new
protocol message. An attacker able to submit crafted binary data
within a command parameter might succeed in injecting his own SQL
commands this way. Statement timeout and query cancellation are the
most likely sources of errors triggering this scenario. Particularly
vulnerable are applications that use a timeout and also submit
arbitrary user-crafted data as binary query parameters. Disabling
statement timeout will reduce, but not eliminate, the risk of
exploit. Our thanks to Emil Lenngren for reporting this issue.
(CVE-2015-0244)
Fix information leak via constraint-violation error messages
(Stephen Frost)
Some server error messages show the values of columns that violate
a constraint, such as a unique constraint. If the user does not have
SELECT> privilege on all columns of the table, this could
mean exposing values that the user should not be able to see. Adjust
the code so that values are displayed only when they came from the SQL
command or could be selected by the user.
(CVE-2014-8161)
Lock down regression testing's temporary installations on Windows
(Noah Misch)
Use SSPI authentication to allow connections only from the OS user
who launched the test suite. This closes on Windows the same
vulnerability previously closed on other platforms, namely that other
users might be able to connect to the test postmaster.
(CVE-2014-0067)
Avoid possible data corruption if ALTER DATABASE SET
TABLESPACE> is used to move a database to a new tablespace and then
shortly later move it back to its original tablespace (Tom Lane)
Avoid corrupting tables when ANALYZE> inside a transaction
is rolled back (Andres Freund, Tom Lane, Michael Paquier)
If the failing transaction had earlier removed the last index, rule, or
trigger from the table, the table would be left in a corrupted state
with the relevant pg_class> flags not set though they
should be.
Fix use-of-already-freed-memory problem in EvalPlanQual processing
(Tom Lane)
In READ COMMITTED> mode, queries that lock or update
recently-updated rows could crash as a result of this bug.
Fix planning of SELECT FOR UPDATE> when using a partial
index on a child table (Kyotaro Horiguchi)
In READ COMMITTED> mode, SELECT FOR UPDATE> must
also recheck the partial index's WHERE> condition when
rechecking a recently-updated row to see if it still satisfies the
query's WHERE> condition. This requirement was missed if the
index belonged to an inheritance child table, so that it was possible
to incorrectly return rows that no longer satisfy the query condition.
Fix corner case wherein SELECT FOR UPDATE> could return a row
twice, and possibly miss returning other rows (Tom Lane)
In READ COMMITTED> mode, a SELECT FOR UPDATE>
that is scanning an inheritance tree could incorrectly return a row
from a prior child table instead of the one it should return from a
later child table.
Reject duplicate column names in the referenced-columns list of
a FOREIGN KEY> declaration (David Rowley)
This restriction is per SQL standard. Previously we did not reject
the case explicitly, but later on the code would fail with
bizarre-looking errors.
Fix bugs in raising a numeric> value to a large integral power
(Tom Lane)
The previous code could get a wrong answer, or consume excessive
amounts of time and memory before realizing that the answer must
overflow.
In numeric_recv()>, truncate away any fractional digits
that would be hidden according to the value's dscale> field
(Tom Lane)
A numeric> value's display scale (dscale>) should
never be less than the number of nonzero fractional digits; but
apparently there's at least one broken client application that
transmits binary numeric> values in which that's true.
This leads to strange behavior since the extra digits are taken into
account by arithmetic operations even though they aren't printed.
The least risky fix seems to be to truncate away such hidden>
digits on receipt, so that the value is indeed what it prints as.
Reject out-of-range numeric timezone specifications (Tom Lane)
Simple numeric timezone specifications exceeding +/- 168 hours (one
week) would be accepted, but could then cause null-pointer dereference
crashes in certain operations. There's no use-case for such large UTC
offsets, so reject them.
Fix bugs in tsquery> @>> tsquery>
operator (Heikki Linnakangas)
Two different terms would be considered to match if they had the same
CRC. Also, if the second operand had more terms than the first, it
would be assumed not to be contained in the first; which is wrong
since it might contain duplicate terms.
Improve ispell dictionary's defenses against bad affix files (Tom Lane)
Allow more than 64K phrases in a thesaurus dictionary (David Boutin)
The previous coding could crash on an oversize dictionary, so this was
deemed a back-patchable bug fix rather than a feature addition.
Fix namespace handling in xpath()> (Ali Akbar)
Previously, the xml> value resulting from
an xpath()> call would not have namespace declarations if
the namespace declarations were attached to an ancestor element in the
input xml> value, rather than to the specific element being
returned. Propagate the ancestral declaration so that the result is
correct when considered in isolation.
Fix planner problems with nested append relations, such as inherited
tables within UNION ALL> subqueries (Tom Lane)
Fail cleanly when a GiST index tuple doesn't fit on a page, rather
than going into infinite recursion (Andrew Gierth)
Exempt tables that have per-table cost_limit>
and/or cost_delay> settings from autovacuum's global cost
balancing rules (Álvaro Herrera)
The previous behavior resulted in basically ignoring these per-table
settings, which was unintended. Now, a table having such settings
will be vacuumed using those settings, independently of what is going
on in other autovacuum workers. This may result in heavier total I/O
load than before, so such settings should be re-examined for sanity.
Avoid wholesale autovacuuming when autovacuum is nominally off
(Tom Lane)
Even when autovacuum is nominally off, we will still launch autovacuum
worker processes to vacuum tables that are at risk of XID wraparound.
However, such a worker process then proceeded to vacuum all tables in
the target database, if they met the usual thresholds for
autovacuuming. This is at best pretty unexpected; at worst it delays
response to the wraparound threat. Fix it so that if autovacuum is
turned off, workers only> do anti-wraparound vacuums and
not any other work.
Fix race condition between hot standby queries and replaying a
full-page image (Heikki Linnakangas)
This mistake could result in transient errors in queries being
executed in hot standby.
Fix several cases where recovery logic improperly ignored WAL records
for COMMIT/ABORT PREPARED> (Heikki Linnakangas)
The most notable oversight was
that recovery_target_xid> could not be used to stop at
a two-phase commit.
Avoid creating unnecessary .ready> marker files for
timeline history files (Fujii Masao)
Fix possible null pointer dereference when an empty prepared statement
is used and the log_statement> setting is mod>
or ddl> (Fujii Masao)
Change pgstat wait timeout> warning message to be LOG level,
and rephrase it to be more understandable (Tom Lane)
This message was originally thought to be essentially a can't-happen
case, but it occurs often enough on our slower buildfarm members to be
a nuisance. Reduce it to LOG level, and expend a bit more effort on
the wording: it now reads using stale statistics instead of
current ones because stats collector is not responding>.
Fix SPARC spinlock implementation to ensure correctness if the CPU is
being run in a non-TSO coherency mode, as some non-Solaris kernels do
(Andres Freund)
Warn if macOS's setlocale()> starts an unwanted extra
thread inside the postmaster (Noah Misch)
Fix processing of repeated dbname> parameters
in PQconnectdbParams()> (Alex Shulgin)
Unexpected behavior ensued if the first occurrence
of dbname> contained a connection string or URI to be
expanded.
Ensure that libpq> reports a suitable error message on
unexpected socket EOF (Marko Tiikkaja, Tom Lane)
Depending on kernel behavior, libpq> might return an
empty error string rather than something useful when the server
unexpectedly closed the socket.
Clear any old error message during PQreset()>
(Heikki Linnakangas)
If PQreset()> is called repeatedly, and the connection
cannot be re-established, error messages from the failed connection
attempts kept accumulating in the PGconn>'s error
string.
Properly handle out-of-memory conditions while parsing connection
options in libpq> (Alex Shulgin, Heikki Linnakangas)
Fix array overrun in ecpg>'s version
of ParseDateTime()> (Michael Paquier)
In initdb>, give a clearer error message if a password
file is specified but is empty (Mats Erik Andersson)
Fix psql>'s \s> command to work nicely with
libedit, and add pager support (Stepan Rutz, Tom Lane)
When using libedit rather than readline, \s> printed the
command history in a fairly unreadable encoded format, and on recent
libedit versions might fail altogether. Fix that by printing the
history ourselves rather than having the library do it. A pleasant
side-effect is that the pager is used if appropriate.
This patch also fixes a bug that caused newline encoding to be applied
inconsistently when saving the command history with libedit.
Multiline history entries written by older psql>
versions will be read cleanly with this patch, but perhaps not
vice versa, depending on the exact libedit versions involved.
Improve consistency of parsing of psql>'s special
variables (Tom Lane)
Allow variant spellings of on> and off> (such
as 1>/0>) for ECHO_HIDDEN>
and ON_ERROR_ROLLBACK>. Report a warning for unrecognized
values for COMP_KEYWORD_CASE>, ECHO>,
ECHO_HIDDEN>, HISTCONTROL>,
ON_ERROR_ROLLBACK>, and VERBOSITY>. Recognize
all values for all these variables case-insensitively; previously
there was a mishmash of case-sensitive and case-insensitive behaviors.
Fix psql>'s expanded-mode display to work
consistently when using border> = 3
and linestyle> = ascii> or unicode>
(Stephen Frost)
Fix possible deadlock during parallel restore of a schema-only dump
(Robert Haas, Tom Lane)
Fix core dump in pg_dump --binary-upgrade> on zero-column
composite type (Rushabh Lathia)
Fix block number checking
in contrib/pageinspect>'s get_raw_page()>
(Tom Lane)
The incorrect checking logic could prevent access to some pages in
non-main relation forks.
Fix contrib/pgcrypto>'s pgp_sym_decrypt()>
to not fail on messages whose length is 6 less than a power of 2
(Marko Tiikkaja)
Handle unexpected query results, especially NULLs, safely in
contrib/tablefunc>'s connectby()>
(Michael Paquier)
connectby()> previously crashed if it encountered a NULL
key value. It now prints that row but doesn't recurse further.
Avoid a possible crash in contrib/xml2>'s
xslt_process()> (Mark Simonetti)
libxslt> seems to have an undocumented dependency on
the order in which resources are freed; reorder our calls to avoid a
crash.
Numerous cleanups of warnings from Coverity static code analyzer
(Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier)
These changes are mostly cosmetic but in some cases fix corner-case
bugs, for example a crash rather than a proper error report after an
out-of-memory failure. None are believed to represent security
issues.
Detect incompatible OpenLDAP versions during build (Noah Misch)
With OpenLDAP versions 2.4.24 through 2.4.31,
inclusive, PostgreSQL> backends can crash at exit.
Raise a warning during configure> based on the
compile-time OpenLDAP version number, and test the crashing scenario
in the contrib/dblink> regression test.
In non-MSVC Windows builds, ensure libpq.dll> is installed
with execute permissions (Noah Misch)
Make pg_regress> remove any temporary installation it
created upon successful exit (Tom Lane)
This results in a very substantial reduction in disk space usage
during make check-world>, since that sequence involves
creation of numerous temporary installations.
Support time zone abbreviations that change UTC offset from time to
time (Tom Lane)
Previously, PostgreSQL> assumed that the UTC offset
associated with a time zone abbreviation (such as EST>)
never changes in the usage of any particular locale. However this
assumption fails in the real world, so introduce the ability for a
zone abbreviation to represent a UTC offset that sometimes changes.
Update the zone abbreviation definition files to make use of this
feature in timezone locales that have changed the UTC offset of their
abbreviations since 1970 (according to the IANA timezone database).
In such timezones, PostgreSQL> will now associate the
correct UTC offset with the abbreviation depending on the given date.
Update time zone abbreviations lists (Tom Lane)
Add CST (China Standard Time) to our lists.
Remove references to ADT as Arabia Daylight Time>, an
abbreviation that's been out of use since 2007; therefore, claiming
there is a conflict with Atlantic Daylight Time> doesn't seem
especially helpful.
Fix entirely incorrect GMT offsets for CKT (Cook Islands), FJT, and FJST
(Fiji); we didn't even have them on the proper side of the date line.
Update time zone data files to tzdata> release 2015a.
The IANA timezone database has adopted abbreviations of the form
Ax>ST/Ax>DT
for all Australian time zones, reflecting what they believe to be
current majority practice Down Under. These names do not conflict
with usage elsewhere (other than ACST for Acre Summer Time, which has
been in disuse since 1994). Accordingly, adopt these names into
our Default> timezone abbreviation set.
The Australia> abbreviation set now contains only CST, EAST,
EST, SAST, SAT, and WST, all of which are thought to be mostly
historical usage. Note that SAST has also been changed to be South
Africa Standard Time in the Default> abbreviation set.
Also, add zone abbreviations SRET (Asia/Srednekolymsk) and XJT
(Asia/Urumqi), and use WSST/WSDT for western Samoa. Also, there were
DST law changes in Chile, Mexico, the Turks & Caicos Islands
(America/Grand_Turk), and Fiji. There is a new zone
Pacific/Bougainville for portions of Papua New Guinea. Also, numerous
corrections for historical (pre-1970) time zone data.
Release 9.0.18Release Date2014-07-24
This release contains a variety of fixes from 9.0.17.
For information about new features in the 9.0 major release, see
.
Migration to Version 9.0.18
A dump/restore is not required for those running 9.0.X.
However, this release corrects an index corruption problem in some GiST
indexes. See the first changelog entry below to find out whether your
installation has been affected and what steps you should take if so.
Also, if you are upgrading from a version earlier than 9.0.15,
see .
Changes
Correctly initialize padding bytes in contrib/btree_gist>
indexes on bit> columns (Heikki Linnakangas)
This error could result in incorrect query results due to values that
should compare equal not being seen as equal.
Users with GiST indexes on bit> or bit varying>
columns should REINDEX> those indexes after installing this
update.
Protect against torn pages when deleting GIN list pages (Heikki
Linnakangas)
This fix prevents possible index corruption if a system crash occurs
while the page update is being written to disk.
Don't clear the right-link of a GiST index page while replaying
updates from WAL (Heikki Linnakangas)
This error could lead to transiently wrong answers from GiST index
scans performed in Hot Standby.
Fix possibly-incorrect cache invalidation during nested calls
to ReceiveSharedInvalidMessages> (Andres Freund)
Don't assume a subquery's output is unique if there's a set-returning
function in its targetlist (David Rowley)
This oversight could lead to misoptimization of constructs
like WHERE x IN (SELECT y, generate_series(1,10) FROM t GROUP
BY y).
Fix failure to detoast fields in composite elements of structured
types (Tom Lane)
This corrects cases where TOAST pointers could be copied into other
tables without being dereferenced. If the original data is later
deleted, it would lead to errors like missing chunk number 0
for toast value ...> when the now-dangling pointer is used.
Fix record type has not been registered> failures with
whole-row references to the output of Append plan nodes (Tom Lane)
Fix possible crash when invoking a user-defined function while
rewinding a cursor (Tom Lane)
Fix query-lifespan memory leak while evaluating the arguments for a
function in FROM> (Tom Lane)
Fix session-lifespan memory leaks in regular-expression processing
(Tom Lane, Arthur O'Dwyer, Greg Stark)
Fix data encoding error in hungarian.stop> (Tom Lane)
Fix liveness checks for rows that were inserted in the current
transaction and then deleted by a now-rolled-back subtransaction
(Andres Freund)
This could cause problems (at least spurious warnings, and at worst an
infinite loop) if CREATE INDEX> or CLUSTER> were
done later in the same transaction.
Clear pg_stat_activity>.xact_start>
during PREPARE TRANSACTION> (Andres Freund)
After the PREPARE>, the originating session is no longer in
a transaction, so it should not continue to display a transaction
start time.
Fix REASSIGN OWNED> to not fail for text search objects
(Álvaro Herrera)
Block signals during postmaster startup (Tom Lane)
This ensures that the postmaster will properly clean up after itself
if, for example, it receives SIGINT> while still
starting up.
Secure Unix-domain sockets of temporary postmasters started during
make check> (Noah Misch)
Any local user able to access the socket file could connect as the
server's bootstrap superuser, then proceed to execute arbitrary code as
the operating-system user running the test, as we previously noted in
CVE-2014-0067. This change defends against that risk by placing the
server's socket in a temporary, mode 0700 subdirectory
of /tmp>. The hazard remains however on platforms where
Unix sockets are not supported, notably Windows, because then the
temporary postmaster must accept local TCP connections.
A useful side effect of this change is to simplify
make check> testing in builds that
override DEFAULT_PGSOCKET_DIR>. Popular non-default values
like /var/run/postgresql> are often not writable by the
build user, requiring workarounds that will no longer be necessary.
Fix tablespace creation WAL replay to work on Windows (MauMau)
Fix detection of socket creation failures on Windows (Bruce Momjian)
On Windows, allow new sessions to absorb values of PGC_BACKEND
parameters (such as ) from the
configuration file (Amit Kapila)
Previously, if such a parameter were changed in the file post-startup,
the change would have no effect.
Properly quote executable path names on Windows (Nikhil Deshpande)
This oversight could cause initdb>
and pg_upgrade> to fail on Windows, if the installation
path contained both spaces and @> signs.
Fix linking of libpython> on macOS (Tom Lane)
The method we previously used can fail with the Python library
supplied by Xcode 5.0 and later.
Avoid buffer bloat in libpq> when the server
consistently sends data faster than the client can absorb it
(Shin-ichi Morita, Tom Lane)
libpq> could be coerced into enlarging its input buffer
until it runs out of memory (which would be reported misleadingly
as lost synchronization with server>). Under ordinary
circumstances it's quite far-fetched that data could be continuously
transmitted more quickly than the recv()> loop can
absorb it, but this has been observed when the client is artificially
slowed by scheduler constraints.
Ensure that LDAP lookup attempts in libpq> time out as
intended (Laurenz Albe)
Fix ecpg> to do the right thing when an array
of char *> is the target for a FETCH statement returning more
than one row, as well as some other array-handling fixes
(Ashutosh Bapat)
Fix pg_restore>'s processing of old-style large object
comments (Tom Lane)
A direct-to-database restore from an archive file generated by a
pre-9.0 version of pg_dump> would usually fail if the
archive contained more than a few comments for large objects.
In contrib/pgcrypto> functions, ensure sensitive
information is cleared from stack variables before returning
(Marko Kreen)
In contrib/uuid-ossp>, cache the state of the OSSP UUID
library across calls (Tom Lane)
This improves the efficiency of UUID generation and reduces the amount
of entropy drawn from /dev/urandom>, on platforms that
have that.
Update time zone data files to tzdata> release 2014e
for DST law changes in Crimea, Egypt, and Morocco.
Release 9.0.17Release Date2014-03-20
This release contains a variety of fixes from 9.0.16.
For information about new features in the 9.0 major release, see
.
Migration to Version 9.0.17
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.15,
see .
Changes
Restore GIN metapages unconditionally to avoid torn-page risk
(Heikki Linnakangas)
Although this oversight could theoretically result in a corrupted
index, it is unlikely to have caused any problems in practice, since
the active part of a GIN metapage is smaller than a standard 512-byte
disk sector.
Avoid race condition in checking transaction commit status during
receipt of a NOTIFY> message (Marko Tiikkaja)
This prevents a scenario wherein a sufficiently fast client might
respond to a notification before database updates made by the
notifier have become visible to the recipient.
Allow regular-expression operators to be terminated early by query
cancel requests (Tom Lane)
This prevents scenarios wherein a pathological regular expression
could lock up a server process uninterruptably for a long time.
Remove incorrect code that tried to allow OVERLAPS> with
single-element row arguments (Joshua Yanovski)
This code never worked correctly, and since the case is neither
specified by the SQL standard nor documented, it seemed better to
remove it than fix it.
Avoid getting more than AccessShareLock> when de-parsing a
rule or view (Dean Rasheed)
This oversight resulted in pg_dump> unexpectedly
acquiring RowExclusiveLock> locks on tables mentioned as
the targets of INSERT>/UPDATE>/DELETE>
commands in rules. While usually harmless, that could interfere with
concurrent transactions that tried to acquire, for example,
ShareLock> on those tables.
Improve performance of index endpoint probes during planning (Tom Lane)
This change fixes a significant performance problem that occurred
when there were many not-yet-committed rows at the end of the index,
which is a common situation for indexes on sequentially-assigned
values such as timestamps or sequence-generated identifiers.
Fix test to see if hot standby connections can be allowed immediately
after a crash (Heikki Linnakangas)
Prevent interrupts while reporting non-ERROR> messages
(Tom Lane)
This guards against rare server-process freezeups due to recursive
entry to syslog()>, and perhaps other related problems.
Prevent intermittent could not reserve shared memory region>
failures on recent Windows versions (MauMau)
Update time zone data files to tzdata> release 2014a
for DST law changes in Fiji and Turkey, plus historical changes in
Israel and Ukraine.
Release 9.0.16Release Date2014-02-20
This release contains a variety of fixes from 9.0.15.
For information about new features in the 9.0 major release, see
.
Migration to Version 9.0.16
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.15,
see .
Changes
Shore up GRANT ... WITH ADMIN OPTION> restrictions
(Noah Misch)
Granting a role without ADMIN OPTION> is supposed to
prevent the grantee from adding or removing members from the granted
role, but this restriction was easily bypassed by doing SET
ROLE> first. The security impact is mostly that a role member can
revoke the access of others, contrary to the wishes of his grantor.
Unapproved role member additions are a lesser concern, since an
uncooperative role member could provide most of his rights to others
anyway by creating views or SECURITY DEFINER> functions.
(CVE-2014-0060)
Prevent privilege escalation via manual calls to PL validator
functions (Andres Freund)
The primary role of PL validator functions is to be called implicitly
during CREATE FUNCTION>, but they are also normal SQL
functions that a user can call explicitly. Calling a validator on
a function actually written in some other language was not checked
for and could be exploited for privilege-escalation purposes.
The fix involves adding a call to a privilege-checking function in
each validator function. Non-core procedural languages will also
need to make this change to their own validator functions, if any.
(CVE-2014-0061)
Avoid multiple name lookups during table and index DDL
(Robert Haas, Andres Freund)
If the name lookups come to different conclusions due to concurrent
activity, we might perform some parts of the DDL on a different table
than other parts. At least in the case of CREATE INDEX>,
this can be used to cause the permissions checks to be performed
against a different table than the index creation, allowing for a
privilege escalation attack.
(CVE-2014-0062)
Prevent buffer overrun with long datetime strings (Noah Misch)
The MAXDATELEN> constant was too small for the longest
possible value of type interval>, allowing a buffer overrun
in interval_out()>. Although the datetime input
functions were more careful about avoiding buffer overrun, the limit
was short enough to cause them to reject some valid inputs, such as
input containing a very long timezone name. The ecpg>
library contained these vulnerabilities along with some of its own.
(CVE-2014-0063)
Prevent buffer overrun due to integer overflow in size calculations
(Noah Misch, Heikki Linnakangas)
Several functions, mostly type input functions, calculated an
allocation size without checking for overflow. If overflow did
occur, a too-small buffer would be allocated and then written past.
(CVE-2014-0064)
Prevent overruns of fixed-size buffers
(Peter Eisentraut, Jozef Mlich)
Use strlcpy()> and related functions to provide a clear
guarantee that fixed-size buffers are not overrun. Unlike the
preceding items, it is unclear whether these cases really represent
live issues, since in most cases there appear to be previous
constraints on the size of the input string. Nonetheless it seems
prudent to silence all Coverity warnings of this type.
(CVE-2014-0065)
Avoid crashing if crypt()> returns NULL (Honza Horak,
Bruce Momjian)
There are relatively few scenarios in which crypt()>
could return NULL, but contrib/chkpass> would crash
if it did. One practical case in which this could be an issue is
if libc> is configured to refuse to execute unapproved
hashing algorithms (e.g., FIPS mode>).
(CVE-2014-0066)
Document risks of make check> in the regression testing
instructions (Noah Misch, Tom Lane)
Since the temporary server started by make check>
uses trust> authentication, another user on the same machine
could connect to it as database superuser, and then potentially
exploit the privileges of the operating-system user who started the
tests. A future release will probably incorporate changes in the
testing procedure to prevent this risk, but some public discussion is
needed first. So for the moment, just warn people against using
make check> when there are untrusted users on the
same machine.
(CVE-2014-0067)
Fix possible mis-replay of WAL records when some segments of a
relation aren't full size (Greg Stark, Tom Lane)
The WAL update could be applied to the wrong page, potentially many
pages past where it should have been. Aside from corrupting data,
this error has been observed to result in significant bloat>
of standby servers compared to their masters, due to updates being
applied far beyond where the end-of-file should have been. This
failure mode does not appear to be a significant risk during crash
recovery, only when initially synchronizing a standby created from a
base backup taken from a quickly-changing master.
Fix bug in determining when recovery has reached consistency
(Tomonari Katsumata, Heikki Linnakangas)
In some cases WAL replay would mistakenly conclude that the database
was already consistent at the start of replay, thus possibly allowing
hot-standby queries before the database was really consistent. Other
symptoms such as PANIC: WAL contains references to invalid
pages> were also possible.
Fix improper locking of btree index pages while replaying
a VACUUM> operation in hot-standby mode (Andres Freund,
Heikki Linnakangas, Tom Lane)
This error could result in PANIC: WAL contains references to
invalid pages> failures.
Ensure that insertions into non-leaf GIN index pages write a full-page
WAL record when appropriate (Heikki Linnakangas)
The previous coding risked index corruption in the event of a
partial-page write during a system crash.
Fix race conditions during server process exit (Robert Haas)
Ensure that signal handlers don't attempt to use the
process's MyProc> pointer after it's no longer valid.
Fix unsafe references to errno> within error reporting
logic (Christian Kruse)
This would typically lead to odd behaviors such as missing or
inappropriate HINT> fields.
Fix possible crashes from using ereport()> too early
during server startup (Tom Lane)
The principal case we've seen in the field is a crash if the server
is started in a directory it doesn't have permission to read.
Clear retry flags properly in OpenSSL socket write
function (Alexander Kukushkin)
This omission could result in a server lockup after unexpected loss
of an SSL-encrypted connection.
Fix length checking for Unicode identifiers (U&"...">
syntax) containing escapes (Tom Lane)
A spurious truncation warning would be printed for such identifiers
if the escaped form of the identifier was too long, but the
identifier actually didn't need truncation after de-escaping.
Allow keywords that are type names to be used in lists of roles
(Stephen Frost)
A previous patch allowed such keywords to be used without quoting
in places such as role identifiers; but it missed cases where a
list of role identifiers was permitted, such as DROP ROLE>.
Fix possible crash due to invalid plan for nested sub-selects, such
as WHERE (... x IN (SELECT ...) ...) IN (SELECT ...)>
(Tom Lane)
Ensure that ANALYZE> creates statistics for a table column
even when all the values in it are too wide> (Tom Lane)
ANALYZE> intentionally omits very wide values from its
histogram and most-common-values calculations, but it neglected to do
something sane in the case that all the sampled entries are too wide.
In ALTER TABLE ... SET TABLESPACE>, allow the database's
default tablespace to be used without a permissions check
(Stephen Frost)
CREATE TABLE> has always allowed such usage,
but ALTER TABLE> didn't get the memo.
Fix cannot accept a set> error when some arms of
a CASE> return a set and others don't (Tom Lane)
Fix checks for all-zero client addresses in pgstat functions (Kevin
Grittner)
Fix possible misclassification of multibyte characters by the text
search parser (Tom Lane)
Non-ASCII characters could be misclassified when using C locale with
a multibyte encoding. On Cygwin, non-C locales could fail as well.
Fix possible misbehavior in plainto_tsquery()>
(Heikki Linnakangas)
Use memmove()> not memcpy()> for copying
overlapping memory regions. There have been no field reports of
this actually causing trouble, but it's certainly risky.
Accept SHIFT_JIS> as an encoding name for locale checking
purposes (Tatsuo Ishii)
Fix misbehavior of PQhost()> on Windows (Fujii Masao)
It should return localhost> if no host has been specified.
Improve error handling in libpq> and psql>
for failures during COPY TO STDOUT/FROM STDIN> (Tom Lane)
In particular this fixes an infinite loop that could occur in 9.2 and
up if the server connection was lost during COPY FROM
STDIN>. Variants of that scenario might be possible in older
versions, or with other client applications.
Fix misaligned descriptors in ecpg> (MauMau)
In ecpg>, handle lack of a hostname in the connection
parameters properly (Michael Meskes)
Fix performance regression in contrib/dblink> connection
startup (Joe Conway)
Avoid an unnecessary round trip when client and server encodings match.
In contrib/isn>, fix incorrect calculation of the check
digit for ISMN values (Fabien Coelho)
Ensure client-code-only installation procedure works as documented
(Peter Eisentraut)
In Mingw and Cygwin builds, install the libpq> DLL
in the bin> directory (Andrew Dunstan)
This duplicates what the MSVC build has long done. It should fix
problems with programs like psql> failing to start
because they can't find the DLL.
Avoid using the deprecated dllwrap> tool in Cygwin builds
(Marco Atzeri)
Don't generate plain-text HISTORY>
and src/test/regress/README> files anymore (Tom Lane)
These text files duplicated the main HTML and PDF documentation
formats. The trouble involved in maintaining them greatly outweighs
the likely audience for plain-text format. Distribution tarballs
will still contain files by these names, but they'll just be stubs
directing the reader to consult the main documentation.
The plain-text INSTALL> file will still be maintained, as
there is arguably a use-case for that.
Update time zone data files to tzdata> release 2013i
for DST law changes in Jordan and historical changes in Cuba.
In addition, the zones Asia/Riyadh87>,
Asia/Riyadh88>, and Asia/Riyadh89> have been
removed, as they are no longer maintained by IANA, and never
represented actual civil timekeeping practice.
Release 9.0.15Release Date2013-12-05
This release contains a variety of fixes from 9.0.14.
For information about new features in the 9.0 major release, see
.
Migration to Version 9.0.15
A dump/restore is not required for those running 9.0.X.
However, this release corrects a number of potential data corruption
issues. See the first two changelog entries below to find out whether
your installation has been affected and what steps you can take if so.
Also, if you are upgrading from a version earlier than 9.0.13,
see .
Changes
Fix VACUUM>'s tests to see whether it can
update relfrozenxid> (Andres Freund)
In some cases VACUUM> (either manual or autovacuum) could
incorrectly advance a table's relfrozenxid> value,
allowing tuples to escape freezing, causing those rows to become
invisible once 2^31 transactions have elapsed. The probability of
data loss is fairly low since multiple incorrect advancements would
need to happen before actual loss occurs, but it's not zero. Users
upgrading from releases 9.0.4 or 8.4.8 or earlier are not affected, but
all later versions contain the bug.
The issue can be ameliorated by, after upgrading, vacuuming all tables
in all databases while having vacuum_freeze_table_age>
set to zero. This will fix any latent corruption but will not be able
to fix all pre-existing data errors. However, an installation can be
presumed safe after performing this vacuuming if it has executed fewer
than 2^31 update transactions in its lifetime (check this with
SELECT txid_current() < 2^31>).
Fix initialization of pg_clog> and pg_subtrans>
during hot standby startup (Andres Freund, Heikki Linnakangas)
This bug can cause data loss on standby servers at the moment they
start to accept hot-standby queries, by marking committed transactions
as uncommitted. The likelihood of such corruption is small unless, at
the time of standby startup, the primary server has executed many
updating transactions since its last checkpoint. Symptoms include
missing rows, rows that should have been deleted being still visible,
and obsolete versions of updated rows being still visible alongside
their newer versions.
This bug was introduced in versions 9.3.0, 9.2.5, 9.1.10, and 9.0.14.
Standby servers that have only been running earlier releases are not
at risk. It's recommended that standby servers that have ever run any
of the buggy releases be re-cloned from the primary (e.g., with a new
base backup) after upgrading.
Truncate pg_multixact> contents during WAL replay
(Andres Freund)
This avoids ever-increasing disk space consumption in standby servers.
Fix race condition in GIN index posting tree page deletion (Heikki
Linnakangas)
This could lead to transient wrong answers or query failures.
Avoid flattening a subquery whose SELECT> list contains a
volatile function wrapped inside a sub-SELECT> (Tom Lane)
This avoids unexpected results due to extra evaluations of the
volatile function.
Fix planner's processing of non-simple-variable subquery outputs
nested within outer joins (Tom Lane)
This error could lead to incorrect plans for queries involving
multiple levels of subqueries within JOIN> syntax.
Fix premature deletion of temporary files (Andres Freund)
Fix possible read past end of memory in rule printing (Peter Eisentraut)
Fix array slicing of int2vector> and oidvector> values
(Tom Lane)
Expressions of this kind are now implicitly promoted to
regular int2> or oid> arrays.
Fix incorrect behaviors when using a SQL-standard, simple GMT offset
timezone (Tom Lane)
In some cases, the system would use the simple GMT offset value when
it should have used the regular timezone setting that had prevailed
before the simple offset was selected. This change also causes
the timeofday> function to honor the simple GMT offset
zone.
Prevent possible misbehavior when logging translations of Windows
error codes (Tom Lane)
Properly quote generated command lines in pg_ctl>
(Naoya Anzai and Tom Lane)
This fix applies only to Windows.
Fix pg_dumpall> to work when a source database
sets default_transaction_read_only>
via ALTER DATABASE SET> (Kevin Grittner)
Previously, the generated script would fail during restore.
Fix ecpg>'s processing of lists of variables
declared varchar> (Zoltán Böszörményi)
Make contrib/lo> defend against incorrect trigger definitions
(Marc Cousin)
Update time zone data files to tzdata> release 2013h
for DST law changes in Argentina, Brazil, Jordan, Libya,
Liechtenstein, Morocco, and Palestine. Also, new timezone
abbreviations WIB, WIT, WITA for Indonesia.
Release 9.0.14Release Date2013-10-10
This release contains a variety of fixes from 9.0.13.
For information about new features in the 9.0 major release, see
.
Migration to Version 9.0.14
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.13,
see .
Changes
Prevent corruption of multi-byte characters when attempting to
case-fold identifiers (Andrew Dunstan)
PostgreSQL> case-folds non-ASCII characters only
when using a single-byte server encoding.
Fix checkpoint memory leak in background writer when wal_level =
hot_standby> (Naoya Anzai)
Fix memory leak caused by lo_open() failure
(Heikki Linnakangas)
Fix memory overcommit bug when work_mem> is using more
than 24GB of memory (Stephen Frost)
Fix deadlock bug in libpq when using SSL (Stephen Frost)
Fix possible SSL state corruption in threaded libpq applications
(Nick Phillips, Stephen Frost)
Properly compute row estimates for boolean columns containing many NULL
values (Andrew Gierth)
Previously tests like col IS NOT TRUE> and col IS
NOT FALSE> did not properly factor in NULL values when estimating
plan costs.
Prevent pushing down WHERE> clauses into unsafe
UNION/INTERSECT> subqueries (Tom Lane)
Subqueries of a UNION> or INTERSECT> that
contain set-returning functions or volatile functions in their
SELECT> lists could be improperly optimized, leading to
run-time errors or incorrect query results.
Fix rare case of failed to locate grouping columns>
planner failure (Tom Lane)
Improve view dumping code's handling of dropped columns in referenced
tables (Tom Lane)
Properly record index comments created using UNIQUE>
and PRIMARY KEY> syntax (Andres Freund)
This fixes a parallel pg_restore> failure.
Fix REINDEX TABLE> and REINDEX DATABASE>
to properly revalidate constraints and mark invalidated indexes as
valid (Noah Misch)
REINDEX INDEX> has always worked properly.
Fix possible deadlock during concurrent CREATE INDEX
CONCURRENTLY> operations (Tom Lane)
Fix regexp_matches()> handling of zero-length matches
(Jeevan Chalke)
Previously, zero-length matches like '^' could return too many matches.
Fix crash for overly-complex regular expressions (Heikki Linnakangas)
Fix regular expression match failures for back references combined with
non-greedy quantifiers (Jeevan Chalke)
Prevent CREATE FUNCTION> from checking SET>
variables unless function body checking is enabled (Tom Lane)
Allow ALTER DEFAULT PRIVILEGES> to operate on schemas
without requiring CREATE permission (Tom Lane)
Loosen restriction on keywords used in queries (Tom Lane)
Specifically, lessen keyword restrictions for role names, language
names, EXPLAIN> and COPY> options, and
SET> values. This allows COPY ... (FORMAT
BINARY)> to work as expected; previously BINARY> needed
to be quoted.
Fix pgp_pub_decrypt()> so it works for secret keys with
passwords (Marko Kreen)
Remove rare inaccurate warning during vacuum of index-less tables
(Heikki Linnakangas)
Ensure that VACUUM ANALYZE> still runs the ANALYZE phase
if its attempt to truncate the file is cancelled due to lock conflicts
(Kevin Grittner)
Avoid possible failure when performing transaction control commands (e.g
ROLLBACK) in prepared queries (Tom Lane)
Ensure that floating-point data input accepts standard spellings
of infinity> on all platforms (Tom Lane)
The C99 standard says that allowable spellings are inf>,
+inf>, -inf>, infinity>,
+infinity>, and -infinity>. Make sure we
recognize these even if the platform's strtod> function
doesn't.
Expand ability to compare rows to records and arrays (Rafal Rzepecki,
Tom Lane)
Update time zone data files to tzdata> release 2013d
for DST law changes in Israel, Morocco, Palestine, and Paraguay.
Also, historical zone data corrections for Macquarie Island.
Release 9.0.13Release Date2013-04-04
This release contains a variety of fixes from 9.0.12.
For information about new features in the 9.0 major release, see
.
Migration to Version 9.0.13
A dump/restore is not required for those running 9.0.X.
However, this release corrects several errors in management of GiST
indexes. After installing this update, it is advisable to
REINDEX> any GiST indexes that meet one or more of the
conditions described below.
Also, if you are upgrading from a version earlier than 9.0.6,
see .
Changes
Fix insecure parsing of server command-line switches (Mitsumasa
Kondo, Kyotaro Horiguchi)
A connection request containing a database name that begins with
-> could be crafted to damage or destroy
files within the server's data directory, even if the request is
eventually rejected. (CVE-2013-1899)
Reset OpenSSL randomness state in each postmaster child process
(Marko Kreen)
This avoids a scenario wherein random numbers generated by
contrib/pgcrypto> functions might be relatively easy for
another database user to guess. The risk is only significant when
the postmaster is configured with ssl> = on>
but most connections don't use SSL encryption. (CVE-2013-1900)
Fix GiST indexes to not use fuzzy> geometric comparisons when
it's not appropriate to do so (Alexander Korotkov)
The core geometric types perform comparisons using fuzzy>
equality, but gist_box_same> must do exact comparisons,
else GiST indexes using it might become inconsistent. After installing
this update, users should REINDEX> any GiST indexes on
box>, polygon>, circle>, or point>
columns, since all of these use gist_box_same>.
Fix erroneous range-union and penalty logic in GiST indexes that use
contrib/btree_gist> for variable-width data types, that is
text>, bytea>, bit>, and numeric>
columns (Tom Lane)
These errors could result in inconsistent indexes in which some keys
that are present would not be found by searches, and also in useless
index bloat. Users are advised to REINDEX> such indexes
after installing this update.
Fix bugs in GiST page splitting code for multi-column indexes
(Tom Lane)
These errors could result in inconsistent indexes in which some keys
that are present would not be found by searches, and also in indexes
that are unnecessarily inefficient to search. Users are advised to
REINDEX> multi-column GiST indexes after installing this
update.
Fix gist_point_consistent>
to handle fuzziness consistently (Alexander Korotkov)
Index scans on GiST indexes on point> columns would sometimes
yield results different from a sequential scan, because
gist_point_consistent> disagreed with the underlying
operator code about whether to do comparisons exactly or fuzzily.
Fix buffer leak in WAL replay (Heikki Linnakangas)
This bug could result in incorrect local pin count> errors
during replay, making recovery impossible.
Fix race condition in DELETE RETURNING> (Tom Lane)
Under the right circumstances, DELETE RETURNING> could
attempt to fetch data from a shared buffer that the current process
no longer has any pin on. If some other process changed the buffer
meanwhile, this would lead to garbage RETURNING> output, or
even a crash.
Fix infinite-loop risk in regular expression compilation (Tom Lane,
Don Porter)
Fix potential null-pointer dereference in regular expression compilation
(Tom Lane)
Fix to_char()> to use ASCII-only case-folding rules where
appropriate (Tom Lane)
This fixes misbehavior of some template patterns that should be
locale-independent, but mishandled I> and
i> in Turkish locales.
Fix unwanted rejection of timestamp 1999-12-31 24:00:00>
(Tom Lane)
Fix logic error when a single transaction does UNLISTEN>
then LISTEN> (Tom Lane)
The session wound up not listening for notify events at all, though it
surely should listen in this case.
Remove useless picksplit doesn't support secondary split> log
messages (Josh Hansen, Tom Lane)
This message seems to have been added in expectation of code that was
never written, and probably never will be, since GiST's default
handling of secondary splits is actually pretty good. So stop nagging
end users about it.
Fix possible failure to send a session's last few transaction
commit/abort counts to the statistics collector (Tom Lane)
Eliminate memory leaks in PL/Perl's spi_prepare()> function
(Alex Hunsaker, Tom Lane)
Fix pg_dumpall> to handle database names containing
=> correctly (Heikki Linnakangas)
Avoid crash in pg_dump> when an incorrect connection
string is given (Heikki Linnakangas)
Ignore invalid indexes in pg_dump> and
pg_upgrade> (Michael Paquier, Bruce Momjian)
Dumping invalid indexes can cause problems at restore time, for example
if the reason the index creation failed was because it tried to enforce
a uniqueness condition not satisfied by the table's data. Also, if the
index creation is in fact still in progress, it seems reasonable to
consider it to be an uncommitted DDL change, which
pg_dump> wouldn't be expected to dump anyway.
pg_upgrade> now also skips invalid indexes rather than
failing.
Fix contrib/pg_trgm>'s similarity()> function
to return zero for trigram-less strings (Tom Lane)
Previously it returned NaN> due to internal division by zero.
Update time zone data files to tzdata> release 2013b
for DST law changes in Chile, Haiti, Morocco, Paraguay, and some
Russian areas. Also, historical zone data corrections for numerous
places.
Also, update the time zone abbreviation files for recent changes in
Russia and elsewhere: CHOT>, GET>,
IRKT>, KGT>, KRAT>, MAGT>,
MAWT>, MSK>, NOVT>, OMST>,
TKT>, VLAT>, WST>, YAKT>,
YEKT> now follow their current meanings, and
VOLT> (Europe/Volgograd) and MIST>
(Antarctica/Macquarie) are added to the default abbreviations list.
Release 9.0.12Release Date2013-02-07
This release contains a variety of fixes from 9.0.11.
For information about new features in the 9.0 major release, see
.
Migration to Version 9.0.12
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.6,
see .
Changes
Prevent execution of enum_recv> from SQL (Tom Lane)
The function was misdeclared, allowing a simple SQL command to crash the
server. In principle an attacker might be able to use it to examine the
contents of server memory. Our thanks to Sumit Soni (via Secunia SVCRP)
for reporting this issue. (CVE-2013-0255)
Fix multiple problems in detection of when a consistent database
state has been reached during WAL replay (Fujii Masao, Heikki
Linnakangas, Simon Riggs, Andres Freund)
Update minimum recovery point when truncating a relation file (Heikki
Linnakangas)
Once data has been discarded, it's no longer safe to stop recovery at
an earlier point in the timeline.
Fix missing cancellations in hot standby mode (Noah Misch, Simon Riggs)
The need to cancel conflicting hot-standby queries would sometimes be
missed, allowing those queries to see inconsistent data.
Fix SQL grammar to allow subscripting or field selection from a
sub-SELECT result (Tom Lane)
Fix performance problems with autovacuum truncation in busy workloads
(Jan Wieck)
Truncation of empty pages at the end of a table requires exclusive
lock, but autovacuum was coded to fail (and release the table lock)
when there are conflicting lock requests. Under load, it is easily
possible that truncation would never occur, resulting in table bloat.
Fix by performing a partial truncation, releasing the lock, then
attempting to re-acquire the lock and continue. This fix also greatly
reduces the average time before autovacuum releases the lock after a
conflicting request arrives.
Protect against race conditions when scanning
pg_tablespace> (Stephen Frost, Tom Lane)
CREATE DATABASE> and DROP DATABASE> could
misbehave if there were concurrent updates of
pg_tablespace> entries.
Prevent DROP OWNED> from trying to drop whole databases or
tablespaces (Álvaro Herrera)
For safety, ownership of these objects must be reassigned, not dropped.
Fix error in vacuum_freeze_table_age>
implementation (Andres Freund)
In installations that have existed for more than vacuum_freeze_min_age>
transactions, this mistake prevented autovacuum from using partial-table
scans, so that a full-table scan would always happen instead.
Prevent misbehavior when a RowExpr> or XmlExpr>
is parse-analyzed twice (Andres Freund, Tom Lane)
This mistake could be user-visible in contexts such as
CREATE TABLE LIKE INCLUDING INDEXES>.
Improve defenses against integer overflow in hashtable sizing
calculations (Jeff Davis)
Reject out-of-range dates in to_date()> (Hitoshi Harada)
Ensure that non-ASCII prompt strings are translated to the correct
code page on Windows (Alexander Law, Noah Misch)
This bug affected psql> and some other client programs.
Fix possible crash in psql>'s \?> command
when not connected to a database (Meng Qingzhong)
Fix pg_upgrade> to deal with invalid indexes safely
(Bruce Momjian)
Fix one-byte buffer overrun in libpq>'s
PQprintTuples> (Xi Wang)
This ancient function is not used anywhere by
PostgreSQL> itself, but it might still be used by some
client code.
Make ecpglib> use translated messages properly
(Chen Huajun)
Properly install ecpg_compat> and
pgtypes> libraries on MSVC (Jiang Guiqing)
Include our version of isinf()> in
libecpg> if it's not provided by the system
(Jiang Guiqing)
Rearrange configure's tests for supplied functions so it is not
fooled by bogus exports from libedit/libreadline (Christoph Berg)
Ensure Windows build number increases over time (Magnus Hagander)
Make pgxs> build executables with the right
.exe> suffix when cross-compiling for Windows
(Zoltan Boszormenyi)
Add new timezone abbreviation FET> (Tom Lane)
This is now used in some eastern-European time zones.
Release 9.0.11Release Date2012-12-06
This release contains a variety of fixes from 9.0.10.
For information about new features in the 9.0 major release, see
.
Migration to Version 9.0.11
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.6,
see .
Changes
Fix multiple bugs associated with CREATE INDEX
CONCURRENTLY> (Andres Freund, Tom Lane)
Fix CREATE INDEX CONCURRENTLY> to use
in-place updates when changing the state of an index's
pg_index> row. This prevents race conditions that could
cause concurrent sessions to miss updating the target index, thus
resulting in corrupt concurrently-created indexes.
Also, fix various other operations to ensure that they ignore
invalid indexes resulting from a failed CREATE INDEX
CONCURRENTLY> command. The most important of these is
VACUUM>, because an auto-vacuum could easily be launched
on the table before corrective action can be taken to fix or remove
the invalid index.
Fix buffer locking during WAL replay (Tom Lane)
The WAL replay code was insufficiently careful about locking buffers
when replaying WAL records that affect more than one page. This could
result in hot standby queries transiently seeing inconsistent states,
resulting in wrong answers or unexpected failures.
Fix an error in WAL generation logic for GIN indexes (Tom Lane)
This could result in index corruption, if a torn-page failure occurred.
Properly remove startup process's virtual XID lock when promoting a
hot standby server to normal running (Simon Riggs)
This oversight could prevent subsequent execution of certain
operations such as CREATE INDEX CONCURRENTLY>.
Avoid bogus out-of-sequence timeline ID> errors in standby
mode (Heikki Linnakangas)
Prevent the postmaster from launching new child processes after it's
received a shutdown signal (Tom Lane)
This mistake could result in shutdown taking longer than it should, or
even never completing at all without additional user action.
Avoid corruption of internal hash tables when out of memory
(Hitoshi Harada)
Fix planning of non-strict equivalence clauses above outer joins
(Tom Lane)
The planner could derive incorrect constraints from a clause equating
a non-strict construct to something else, for example
WHERE COALESCE(foo, 0) = 0>
when foo> is coming from the nullable side of an outer join.
Improve planner's ability to prove exclusion constraints from
equivalence classes (Tom Lane)
Fix partial-row matching in hashed subplans to handle cross-type cases
correctly (Tom Lane)
This affects multicolumn NOT IN> subplans, such as
WHERE (a, b) NOT IN (SELECT x, y FROM ...)>
when for instance b> and y> are int4>
and int8> respectively. This mistake led to wrong answers
or crashes depending on the specific datatypes involved.
Acquire buffer lock when re-fetching the old tuple for an
AFTER ROW UPDATE/DELETE> trigger (Andres Freund)
In very unusual circumstances, this oversight could result in passing
incorrect data to the precheck logic for a foreign-key enforcement
trigger. That could result in a crash, or in an incorrect decision
about whether to fire the trigger.
Fix ALTER COLUMN TYPE> to handle inherited check
constraints properly (Pavan Deolasee)
This worked correctly in pre-8.4 releases, and now works correctly
in 8.4 and later.
Fix REASSIGN OWNED> to handle grants on tablespaces
(Álvaro Herrera)
Ignore incorrect pg_attribute> entries for system
columns for views (Tom Lane)
Views do not have any system columns. However, we forgot to
remove such entries when converting a table to a view. That's fixed
properly for 9.3 and later, but in previous branches we need to defend
against existing mis-converted views.
Fix rule printing to dump INSERT INTO table>
DEFAULT VALUES correctly (Tom Lane)
Guard against stack overflow when there are too many
UNION>/INTERSECT>/EXCEPT> clauses
in a query (Tom Lane)
Prevent platform-dependent failures when dividing the minimum possible
integer value by -1 (Xi Wang, Tom Lane)
Fix possible access past end of string in date parsing
(Hitoshi Harada)
Fix failure to advance XID epoch if XID wraparound happens during a
checkpoint and wal_level> is hot_standby>
(Tom Lane, Andres Freund)
While this mistake had no particular impact on
PostgreSQL itself, it was bad for
applications that rely on txid_current()> and related
functions: the TXID value would appear to go backwards.
Produce an understandable error message if the length of the path name
for a Unix-domain socket exceeds the platform-specific limit
(Tom Lane, Andrew Dunstan)
Formerly, this would result in something quite unhelpful, such as
Non-recoverable failure in name resolution>.
Fix memory leaks when sending composite column values to the client
(Tom Lane)
Make pg_ctl> more robust about reading the
postmaster.pid> file (Heikki Linnakangas)
Fix race conditions and possible file descriptor leakage.
Fix possible crash in psql> if incorrectly-encoded data
is presented and the client_encoding> setting is a
client-only encoding, such as SJIS (Jiang Guiqing)
Fix bugs in the restore.sql> script emitted by
pg_dump> in tar> output format (Tom Lane)
The script would fail outright on tables whose names include
upper-case characters. Also, make the script capable of restoring
data in
Fix pg_restore> to accept POSIX-conformant
tar> files (Brian Weaver, Tom Lane)
The original coding of pg_dump>'s tar>
output mode produced files that are not fully conformant with the
POSIX standard. This has been corrected for version 9.3. This
patch updates previous branches so that they will accept both the
incorrect and the corrected formats, in hopes of avoiding
compatibility problems when 9.3 comes out.
Fix pg_resetxlog> to locate postmaster.pid>
correctly when given a relative path to the data directory (Tom Lane)
This mistake could lead to pg_resetxlog> not noticing
that there is an active postmaster using the data directory.
Fix libpq>'s lo_import()> and
lo_export()> functions to report file I/O errors properly
(Tom Lane)
Fix ecpg>'s processing of nested structure pointer
variables (Muhammad Usama)
Fix ecpg>'s ecpg_get_data> function to
handle arrays properly (Michael Meskes)
Make contrib/pageinspect>'s btree page inspection
functions take buffer locks while examining pages (Tom Lane)
Fix pgxs> support for building loadable modules on AIX
(Tom Lane)
Building modules outside the original source tree didn't work on AIX.
Update time zone data files to tzdata> release 2012j
for DST law changes in Cuba, Israel, Jordan, Libya, Palestine, Western
Samoa, and portions of Brazil.
Release 9.0.10Release Date2012-09-24
This release contains a variety of fixes from 9.0.9.
For information about new features in the 9.0 major release, see
.
Migration to Version 9.0.10
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.6,
see .
Changes
Fix planner's assignment of executor parameters, and fix executor's
rescan logic for CTE plan nodes (Tom Lane)
These errors could result in wrong answers from queries that scan the
same WITH> subquery multiple times.
Improve page-splitting decisions in GiST indexes (Alexander Korotkov,
Robert Haas, Tom Lane)
Multi-column GiST indexes might suffer unexpected bloat due to this
error.
Fix cascading privilege revoke to stop if privileges are still held
(Tom Lane)
If we revoke a grant option from some role X>, but
X> still holds that option via a grant from someone
else, we should not recursively revoke the corresponding privilege
from role(s) Y> that X> had granted it
to.
Improve error messages for Hot Standby misconfiguration errors
(Gurjeet Singh)
Fix handling of SIGFPE> when PL/Perl is in use (Andres Freund)
Perl resets the process's SIGFPE> handler to
SIG_IGN>, which could result in crashes later on. Restore
the normal Postgres signal handler after initializing PL/Perl.
Prevent PL/Perl from crashing if a recursive PL/Perl function is
redefined while being executed (Tom Lane)
Work around possible misoptimization in PL/Perl (Tom Lane)
Some Linux distributions contain an incorrect version of
pthread.h> that results in incorrect compiled code in
PL/Perl, leading to crashes if a PL/Perl function calls another one
that throws an error.
Fix pg_upgrade>'s handling of line endings on Windows
(Andrew Dunstan)
Previously, pg_upgrade> might add or remove carriage
returns in places such as function bodies.
On Windows, make pg_upgrade> use backslash path
separators in the scripts it emits (Andrew Dunstan)
Update time zone data files to tzdata> release 2012f
for DST law changes in Fiji
Release 9.0.9Release Date2012-08-17
This release contains a variety of fixes from 9.0.8.
For information about new features in the 9.0 major release, see
.
Migration to Version 9.0.9
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.6,
see .
Changes
Prevent access to external files/URLs via XML entity references
(Noah Misch, Tom Lane)
xml_parse()> would attempt to fetch external files or
URLs as needed to resolve DTD and entity references in an XML value,
thus allowing unprivileged database users to attempt to fetch data
with the privileges of the database server. While the external data
wouldn't get returned directly to the user, portions of it could be
exposed in error messages if the data didn't parse as valid XML; and
in any case the mere ability to check existence of a file might be
useful to an attacker. (CVE-2012-3489)
Prevent access to external files/URLs via contrib/xml2>'s
xslt_process()> (Peter Eisentraut)
libxslt> offers the ability to read and write both
files and URLs through stylesheet commands, thus allowing
unprivileged database users to both read and write data with the
privileges of the database server. Disable that through proper use
of libxslt>'s security options. (CVE-2012-3488)
Also, remove xslt_process()>'s ability to fetch documents
and stylesheets from external files/URLs. While this was a
documented feature>, it was long regarded as a bad idea.
The fix for CVE-2012-3489 broke that capability, and rather than
expend effort on trying to fix it, we're just going to summarily
remove it.
Prevent too-early recycling of btree index pages (Noah Misch)
When we allowed read-only transactions to skip assigning XIDs, we
introduced the possibility that a deleted btree page could be
recycled while a read-only transaction was still in flight to it.
This would result in incorrect index search results. The probability
of such an error occurring in the field seems very low because of the
timing requirements, but nonetheless it should be fixed.
Fix crash-safety bug with newly-created-or-reset sequences (Tom Lane)
If ALTER SEQUENCE> was executed on a freshly created or
reset sequence, and then precisely one nextval()> call
was made on it, and then the server crashed, WAL replay would restore
the sequence to a state in which it appeared that no
nextval()> had been done, thus allowing the first
sequence value to be returned again by the next
nextval()> call. In particular this could manifest for
serial> columns, since creation of a serial column's sequence
includes an ALTER SEQUENCE OWNED BY> step.
Fix txid_current()> to report the correct epoch when not
in hot standby (Heikki Linnakangas)
This fixes a regression introduced in the previous minor release.
Fix bug in startup of Hot Standby when a master transaction has many
subtransactions (Andres Freund)
This mistake led to failures reported as out-of-order XID
insertion in KnownAssignedXids>.
Ensure the backup_label> file is fsync'd after
pg_start_backup()> (Dave Kerr)
Fix timeout handling in walsender processes (Tom Lane)
WAL sender background processes neglected to establish a
SIGALRM> handler, meaning they would wait forever in
some corner cases where a timeout ought to happen.
Back-patch 9.1 improvement to compress the fsync request queue
(Robert Haas)
This improves performance during checkpoints. The 9.1 change
has now seen enough field testing to seem safe to back-patch.
Fix LISTEN>/NOTIFY> to cope better with I/O
problems, such as out of disk space (Tom Lane)
After a write failure, all subsequent attempts to send more
NOTIFY> messages would fail with messages like
Could not read from file "pg_notify/nnnn>" at
offset nnnnn>: Success.
Only allow autovacuum to be auto-canceled by a directly blocked
process (Tom Lane)
The original coding could allow inconsistent behavior in some cases;
in particular, an autovacuum could get canceled after less than
deadlock_timeout> grace period.
Improve logging of autovacuum cancels (Robert Haas)
Fix log collector so that log_truncate_on_rotation> works
during the very first log rotation after server start (Tom Lane)
Fix WITH> attached to a nested set operation
(UNION>/INTERSECT>/EXCEPT>)
(Tom Lane)
Ensure that a whole-row reference to a subquery doesn't include any
extra GROUP BY> or ORDER BY> columns (Tom Lane)
Disallow copying whole-row references in CHECK>
constraints and index definitions during CREATE TABLE>
(Tom Lane)
This situation can arise in CREATE TABLE> with
LIKE> or INHERITS>. The copied whole-row
variable was incorrectly labeled with the row type of the original
table not the new one. Rejecting the case seems reasonable for
LIKE>, since the row types might well diverge later. For
INHERITS> we should ideally allow it, with an implicit
coercion to the parent table's row type; but that will require more
work than seems safe to back-patch.
Fix memory leak in ARRAY(SELECT ...)> subqueries (Heikki
Linnakangas, Tom Lane)
Fix extraction of common prefixes from regular expressions (Tom Lane)
The code could get confused by quantified parenthesized
subexpressions, such as ^(foo)?bar>. This would lead to
incorrect index optimization of searches for such patterns.
Fix bugs with parsing signed
hh>:>mm> and
hh>:>mm>:>ss>
fields in interval> constants (Amit Kapila, Tom Lane)
Use Postgres' encoding conversion functions, not Python's, when
converting a Python Unicode string to the server encoding in
PL/Python (Jan Urbanski)
This avoids some corner-case problems, notably that Python doesn't
support all the encodings Postgres does. A notable functional change
is that if the server encoding is SQL_ASCII, you will get the UTF-8
representation of the string; formerly, any non-ASCII characters in
the string would result in an error.
Fix mapping of PostgreSQL encodings to Python encodings in PL/Python
(Jan Urbanski)
Report errors properly in contrib/xml2>'s
xslt_process()> (Tom Lane)
Update time zone data files to tzdata> release 2012e
for DST law changes in Morocco and Tokelau
Release 9.0.8Release Date2012-06-04
This release contains a variety of fixes from 9.0.7.
For information about new features in the 9.0 major release, see
.
Migration to Version 9.0.8
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.6,
see .
Changes
Fix incorrect password transformation in
contrib/pgcrypto>'s DES crypt()> function
(Solar Designer)
If a password string contained the byte value 0x80>, the
remainder of the password was ignored, causing the password to be much
weaker than it appeared. With this fix, the rest of the string is
properly included in the DES hash. Any stored password values that are
affected by this bug will thus no longer match, so the stored values may
need to be updated. (CVE-2012-2143)
Ignore SECURITY DEFINER> and SET> attributes for
a procedural language's call handler (Tom Lane)
Applying such attributes to a call handler could crash the server.
(CVE-2012-2655)
Allow numeric timezone offsets in timestamp> input to be up to
16 hours away from UTC (Tom Lane)
Some historical time zones have offsets larger than 15 hours, the
previous limit. This could result in dumped data values being rejected
during reload.
Fix timestamp conversion to cope when the given time is exactly the
last DST transition time for the current timezone (Tom Lane)
This oversight has been there a long time, but was not noticed
previously because most DST-using zones are presumed to have an
indefinite sequence of future DST transitions.
Fix text> to name> and char> to name>
casts to perform string truncation correctly in multibyte encodings
(Karl Schnaitter)
Fix memory copying bug in to_tsquery()> (Heikki Linnakangas)
Ensure txid_current()> reports the correct epoch when
executed in hot standby (Simon Riggs)
Fix planner's handling of outer PlaceHolderVars within subqueries (Tom
Lane)
This bug concerns sub-SELECTs that reference variables coming from the
nullable side of an outer join of the surrounding query.
In 9.1, queries affected by this bug would fail with ERROR:
Upper-level PlaceHolderVar found where not expected>. But in 9.0 and
8.4, you'd silently get possibly-wrong answers, since the value
transmitted into the subquery wouldn't go to null when it should.
Fix slow session startup when pg_attribute> is very large
(Tom Lane)
If pg_attribute> exceeds one-fourth of
shared_buffers>, cache rebuilding code that is sometimes
needed during session start would trigger the synchronized-scan logic,
causing it to take many times longer than normal. The problem was
particularly acute if many new sessions were starting at once.
Ensure sequential scans check for query cancel reasonably often (Merlin
Moncure)
A scan encountering many consecutive pages that contain no live tuples
would not respond to interrupts meanwhile.
Ensure the Windows implementation of PGSemaphoreLock()>
clears ImmediateInterruptOK> before returning (Tom Lane)
This oversight meant that a query-cancel interrupt received later
in the same query could be accepted at an unsafe time, with
unpredictable but not good consequences.
Show whole-row variables safely when printing views or rules
(Abbas Butt, Tom Lane)
Corner cases involving ambiguous names (that is, the name could be
either a table or column name of the query) were printed in an
ambiguous way, risking that the view or rule would be interpreted
differently after dump and reload. Avoid the ambiguous case by
attaching a no-op cast.
Fix COPY FROM> to properly handle null marker strings that
correspond to invalid encoding (Tom Lane)
A null marker string such as E'\\0'> should work, and did
work in the past, but the case got broken in 8.4.
Ensure autovacuum worker processes perform stack depth checking
properly (Heikki Linnakangas)
Previously, infinite recursion in a function invoked by
auto-ANALYZE> could crash worker processes.
Fix logging collector to not lose log coherency under high load (Andrew
Dunstan)
The collector previously could fail to reassemble large messages if it
got too busy.
Fix logging collector to ensure it will restart file rotation
after receiving SIGHUP> (Tom Lane)
Fix WAL replay logic for GIN indexes to not fail if the index was
subsequently dropped (Tom Lane)
Fix memory leak in PL/pgSQL's RETURN NEXT> command (Joe
Conway)
Fix PL/pgSQL's GET DIAGNOSTICS> command when the target
is the function's first variable (Tom Lane)
Fix potential access off the end of memory in psql>'s
expanded display (\x>) mode (Peter Eisentraut)
Fix several performance problems in pg_dump> when
the database contains many objects (Jeff Janes, Tom Lane)
pg_dump> could get very slow if the database contained
many schemas, or if many objects are in dependency loops, or if there
are many owned sequences.
Fix pg_upgrade> for the case that a database stored in a
non-default tablespace contains a table in the cluster's default
tablespace (Bruce Momjian)
In ecpg>, fix rare memory leaks and possible overwrite
of one byte after the sqlca_t> structure (Peter Eisentraut)
Fix contrib/dblink>'s dblink_exec()> to not leak
temporary database connections upon error (Tom Lane)
Fix contrib/dblink> to report the correct connection name in
error messages (Kyotaro Horiguchi)
Fix contrib/vacuumlo> to use multiple transactions when
dropping many large objects (Tim Lewis, Robert Haas, Tom Lane)
This change avoids exceeding max_locks_per_transaction> when
many objects need to be dropped. The behavior can be adjusted with the
new -l> (limit) option.
Update time zone data files to tzdata> release 2012c
for DST law changes in Antarctica, Armenia, Chile, Cuba, Falkland
Islands, Gaza, Haiti, Hebron, Morocco, Syria, and Tokelau Islands;
also historical corrections for Canada.
Release 9.0.7Release Date2012-02-27
This release contains a variety of fixes from 9.0.6.
For information about new features in the 9.0 major release, see
.
Migration to Version 9.0.7
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.6,
see .
Changes
Require execute permission on the trigger function for
CREATE TRIGGER> (Robert Haas)
This missing check could allow another user to execute a trigger
function with forged input data, by installing it on a table he owns.
This is only of significance for trigger functions marked
SECURITY DEFINER>, since otherwise trigger functions run
as the table owner anyway. (CVE-2012-0866)
Remove arbitrary limitation on length of common name in SSL
certificates (Heikki Linnakangas)
Both libpq> and the server truncated the common name
extracted from an SSL certificate at 32 bytes. Normally this would
cause nothing worse than an unexpected verification failure, but there
are some rather-implausible scenarios in which it might allow one
certificate holder to impersonate another. The victim would have to
have a common name exactly 32 bytes long, and the attacker would have
to persuade a trusted CA to issue a certificate in which the common
name has that string as a prefix. Impersonating a server would also
require some additional exploit to redirect client connections.
(CVE-2012-0867)
Convert newlines to spaces in names written in pg_dump>
comments (Robert Haas)
pg_dump> was incautious about sanitizing object names
that are emitted within SQL comments in its output script. A name
containing a newline would at least render the script syntactically
incorrect. Maliciously crafted object names could present a SQL
injection risk when the script is reloaded. (CVE-2012-0868)
Fix btree index corruption from insertions concurrent with vacuuming
(Tom Lane)
An index page split caused by an insertion could sometimes cause a
concurrently-running VACUUM> to miss removing index entries
that it should remove. After the corresponding table rows are removed,
the dangling index entries would cause errors (such as could not
read block N in file ...>) or worse, silently wrong query results
after unrelated rows are re-inserted at the now-free table locations.
This bug has been present since release 8.2, but occurs so infrequently
that it was not diagnosed until now. If you have reason to suspect
that it has happened in your database, reindexing the affected index
will fix things.
Fix transient zeroing of shared buffers during WAL replay (Tom Lane)
The replay logic would sometimes zero and refill a shared buffer, so
that the contents were transiently invalid. In hot standby mode this
can result in a query that's executing in parallel seeing garbage data.
Various symptoms could result from that, but the most common one seems
to be invalid memory alloc request size>.
Fix postmaster to attempt restart after a hot-standby crash (Tom Lane)
A logic error caused the postmaster to terminate, rather than attempt
to restart the cluster, if any backend process crashed while operating
in hot standby mode.
Fix CLUSTER>/VACUUM FULL> handling of toast
values owned by recently-updated rows (Tom Lane)
This oversight could lead to duplicate key value violates unique
constraint> errors being reported against the toast table's index
during one of these commands.
Update per-column permissions, not only per-table permissions, when
changing table owner (Tom Lane)
Failure to do this meant that any previously granted column permissions
were still shown as having been granted by the old owner. This meant
that neither the new owner nor a superuser could revoke the
now-untraceable-to-table-owner permissions.
Support foreign data wrappers and foreign servers in
REASSIGN OWNED> (Alvaro Herrera)
This command failed with unexpected classid> errors if
it needed to change the ownership of any such objects.
Allow non-existent values for some settings in ALTER
USER/DATABASE SET> (Heikki Linnakangas)
Allow default_text_search_config>,
default_tablespace>, and temp_tablespaces> to be
set to names that are not known. This is because they might be known
in another database where the setting is intended to be used, or for the
tablespace cases because the tablespace might not be created yet. The
same issue was previously recognized for search_path>, and
these settings now act like that one.
Avoid crashing when we have problems deleting table files post-commit
(Tom Lane)
Dropping a table should lead to deleting the underlying disk files only
after the transaction commits. In event of failure then (for instance,
because of wrong file permissions) the code is supposed to just emit a
warning message and go on, since it's too late to abort the
transaction. This logic got broken as of release 8.4, causing such
situations to result in a PANIC and an unrestartable database.
Recover from errors occurring during WAL replay of DROP
TABLESPACE> (Tom Lane)
Replay will attempt to remove the tablespace's directories, but there
are various reasons why this might fail (for example, incorrect
ownership or permissions on those directories). Formerly the replay
code would panic, rendering the database unrestartable without manual
intervention. It seems better to log the problem and continue, since
the only consequence of failure to remove the directories is some
wasted disk space.
Fix race condition in logging AccessExclusiveLocks for hot standby
(Simon Riggs)
Sometimes a lock would be logged as being held by transaction
zero>. This is at least known to produce assertion failures on
slave servers, and might be the cause of more serious problems.
Track the OID counter correctly during WAL replay, even when it wraps
around (Tom Lane)
Previously the OID counter would remain stuck at a high value until the
system exited replay mode. The practical consequences of that are
usually nil, but there are scenarios wherein a standby server that's
been promoted to master might take a long time to advance the OID
counter to a reasonable value once values are needed.
Prevent emitting misleading consistent recovery state reached>
log message at the beginning of crash recovery (Heikki Linnakangas)
Fix initial value of
pg_stat_replication>.replay_location>
(Fujii Masao)
Previously, the value shown would be wrong until at least one WAL
record had been replayed.
Fix regular expression back-references with *> attached
(Tom Lane)
Rather than enforcing an exact string match, the code would effectively
accept any string that satisfies the pattern sub-expression referenced
by the back-reference symbol.
A similar problem still afflicts back-references that are embedded in a
larger quantified expression, rather than being the immediate subject
of the quantifier. This will be addressed in a future
PostgreSQL> release.
Fix recently-introduced memory leak in processing of
inet>/cidr> values (Heikki Linnakangas)
A patch in the December 2011 releases of PostgreSQL>
caused memory leakage in these operations, which could be significant
in scenarios such as building a btree index on such a column.
Fix dangling pointer after CREATE TABLE AS>/SELECT
INTO> in a SQL-language function (Tom Lane)
In most cases this only led to an assertion failure in assert-enabled
builds, but worse consequences seem possible.
Avoid double close of file handle in syslogger on Windows (MauMau)
Ordinarily this error was invisible, but it would cause an exception
when running on a debug version of Windows.
Fix I/O-conversion-related memory leaks in plpgsql
(Andres Freund, Jan Urbanski, Tom Lane)
Certain operations would leak memory until the end of the current
function.
Improve pg_dump>'s handling of inherited table columns
(Tom Lane)
pg_dump> mishandled situations where a child column has
a different default expression than its parent column. If the default
is textually identical to the parent's default, but not actually the
same (for instance, because of schema search path differences) it would
not be recognized as different, so that after dump and restore the
child would be allowed to inherit the parent's default. Child columns
that are NOT NULL> where their parent is not could also be
restored subtly incorrectly.
Fix pg_restore>'s direct-to-database mode for
INSERT-style table data (Tom Lane)
Direct-to-database restores from archive files made with
Allow pg_upgrade> to process tables containing
regclass> columns (Bruce Momjian)
Since pg_upgrade> now takes care to preserve
pg_class> OIDs, there was no longer any reason for this
restriction.
Make libpq> ignore ENOTDIR> errors
when looking for an SSL client certificate file
(Magnus Hagander)
This allows SSL connections to be established, though without a
certificate, even when the user's home directory is set to something
like /dev/null>.
Fix some more field alignment issues in ecpg>'s SQLDA area
(Zoltan Boszormenyi)
Allow AT> option in ecpg>
DEALLOCATE> statements (Michael Meskes)
The infrastructure to support this has been there for awhile, but
through an oversight there was still an error check rejecting the case.
Do not use the variable name when defining a varchar structure in ecpg
(Michael Meskes)
Fix contrib/auto_explain>'s JSON output mode to produce
valid JSON (Andrew Dunstan)
The output used brackets at the top level, when it should have used
braces.
Fix error in contrib/intarray>'s int[] &
int[]> operator (Guillaume Lelarge)
If the smallest integer the two input arrays have in common is 1,
and there are smaller values in either array, then 1 would be
incorrectly omitted from the result.
Fix error detection in contrib/pgcrypto>'s
encrypt_iv()> and decrypt_iv()>
(Marko Kreen)
These functions failed to report certain types of invalid-input errors,
and would instead return random garbage values for incorrect input.
Fix one-byte buffer overrun in contrib/test_parser>
(Paul Guyot)
The code would try to read one more byte than it should, which would
crash in corner cases.
Since contrib/test_parser> is only example code, this is
not a security issue in itself, but bad example code is still bad.
Use __sync_lock_test_and_set()> for spinlocks on ARM, if
available (Martin Pitt)
This function replaces our previous use of the SWPB>
instruction, which is deprecated and not available on ARMv6 and later.
Reports suggest that the old code doesn't fail in an obvious way on
recent ARM boards, but simply doesn't interlock concurrent accesses,
leading to bizarre failures in multiprocess operation.
Use
This prevents assorted scenarios wherein recent versions of gcc will
produce creative results.
Allow use of threaded Python on FreeBSD (Chris Rees)
Our configure script previously believed that this combination wouldn't
work; but FreeBSD fixed the problem, so remove that error check.
Release 9.0.6Release Date2011-12-05
This release contains a variety of fixes from 9.0.5.
For information about new features in the 9.0 major release, see
.
Migration to Version 9.0.6
A dump/restore is not required for those running 9.0.X.
However, a longstanding error was discovered in the definition of the
information_schema.referential_constraints> view. If you
rely on correct results from that view, you should replace its
definition as explained in the first changelog item below.
Also, if you are upgrading from a version earlier than 9.0.4,
see .
Changes
Fix bugs in information_schema.referential_constraints> view
(Tom Lane)
This view was being insufficiently careful about matching the
foreign-key constraint to the depended-on primary or unique key
constraint. That could result in failure to show a foreign key
constraint at all, or showing it multiple times, or claiming that it
depends on a different constraint than the one it really does.
Since the view definition is installed by initdb>,
merely upgrading will not fix the problem. If you need to fix this
in an existing installation, you can (as a superuser) drop the
information_schema> schema then re-create it by sourcing
SHAREDIR>/information_schema.sql.
(Run pg_config --sharedir> if you're uncertain where
SHAREDIR> is.) This must be repeated in each database
to be fixed.
Fix possible crash during UPDATE> or DELETE> that
joins to the output of a scalar-returning function (Tom Lane)
A crash could only occur if the target row had been concurrently
updated, so this problem surfaced only intermittently.
Fix incorrect replay of WAL records for GIN index updates
(Tom Lane)
This could result in transiently failing to find index entries after
a crash, or on a hot-standby server. The problem would be repaired
by the next VACUUM> of the index, however.
Fix TOAST-related data corruption during CREATE TABLE dest AS
SELECT * FROM src> or INSERT INTO dest SELECT * FROM src>
(Tom Lane)
If a table has been modified by ALTER TABLE ADD COLUMN>,
attempts to copy its data verbatim to another table could produce
corrupt results in certain corner cases.
The problem can only manifest in this precise form in 8.4 and later,
but we patched earlier versions as well in case there are other code
paths that could trigger the same bug.
Fix possible failures during hot standby startup (Simon Riggs)
Start hot standby faster when initial snapshot is incomplete
(Simon Riggs)
Fix race condition during toast table access from stale syscache entries
(Tom Lane)
The typical symptom was transient errors like missing chunk
number 0 for toast value NNNNN in pg_toast_2619>, where the cited
toast table would always belong to a system catalog.
Track dependencies of functions on items used in parameter default
expressions (Tom Lane)
Previously, a referenced object could be dropped without having dropped
or modified the function, leading to misbehavior when the function was
used. Note that merely installing this update will not fix the missing
dependency entries; to do that, you'd need to CREATE OR
REPLACE> each such function afterwards. If you have functions whose
defaults depend on non-built-in objects, doing so is recommended.
Allow inlining of set-returning SQL functions with multiple OUT
parameters (Tom Lane)
Don't trust deferred-unique indexes for join removal (Tom Lane and Marti
Raudsepp)
A deferred uniqueness constraint might not hold intra-transaction,
so assuming that it does could give incorrect query results.
Make DatumGetInetP()> unpack inet datums that have a 1-byte
header, and add a new macro, DatumGetInetPP()>, that does
not (Heikki Linnakangas)
This change affects no core code, but might prevent crashes in add-on
code that expects DatumGetInetP()> to produce an unpacked
datum as per usual convention.
Improve locale support in money> type's input and output
(Tom Lane)
Aside from not supporting all standard
lc_monetary>
formatting options, the input and output functions were inconsistent,
meaning there were locales in which dumped money> values could
not be re-read.
Don't let transform_null_equals>
affect CASE foo WHEN NULL ...> constructs
(Heikki Linnakangas)
transform_null_equals> is only supposed to affect
foo = NULL> expressions written directly by the user, not
equality checks generated internally by this form of CASE>.
Change foreign-key trigger creation order to better support
self-referential foreign keys (Tom Lane)
For a cascading foreign key that references its own table, a row update
will fire both the ON UPDATE> trigger and the
CHECK> trigger as one event. The ON UPDATE>
trigger must execute first, else the CHECK> will check a
non-final state of the row and possibly throw an inappropriate error.
However, the firing order of these triggers is determined by their
names, which generally sort in creation order since the triggers have
auto-generated names following the convention
RI_ConstraintTrigger_NNNN>. A proper fix would require
modifying that convention, which we will do in 9.2, but it seems risky
to change it in existing releases. So this patch just changes the
creation order of the triggers. Users encountering this type of error
should drop and re-create the foreign key constraint to get its
triggers into the right order.
Avoid floating-point underflow while tracking buffer allocation rate
(Greg Matthews)
While harmless in itself, on certain platforms this would result in
annoying kernel log messages.
Preserve configuration file name and line number values when starting
child processes under Windows (Tom Lane)
Formerly, these would not be displayed correctly in the
pg_settings> view.
Fix incorrect field alignment in ecpg>'s SQLDA area
(Zoltan Boszormenyi)
Preserve blank lines within commands in psql>'s command
history (Robert Haas)
The former behavior could cause problems if an empty line was removed
from within a string literal, for example.
Fix pg_dump> to dump user-defined casts between
auto-generated types, such as table rowtypes (Tom Lane)
Assorted fixes for pg_upgrade> (Bruce Momjian)
Handle exclusion constraints correctly, avoid failures on Windows,
don't complain about mismatched toast table names in 8.4 databases.
Use the preferred version of xsubpp> to build PL/Perl,
not necessarily the operating system's main copy
(David Wheeler and Alex Hunsaker)
Fix incorrect coding in contrib/dict_int> and
contrib/dict_xsyn> (Tom Lane)
Some functions incorrectly assumed that memory returned by
palloc()> is guaranteed zeroed.
Fix assorted errors in contrib/unaccent>'s configuration
file parsing (Tom Lane)
Honor query cancel interrupts promptly in pgstatindex()>
(Robert Haas)
Fix incorrect quoting of log file name in macOS start script
(Sidar Lopez)
Ensure VPATH builds properly install all server header files
(Peter Eisentraut)
Shorten file names reported in verbose error messages (Peter Eisentraut)
Regular builds have always reported just the name of the C file
containing the error message call, but VPATH builds formerly
reported an absolute path name.
Fix interpretation of Windows timezone names for Central America
(Tom Lane)
Map Central America Standard Time> to CST6>, not
CST6CDT>, because DST is generally not observed anywhere in
Central America.
Update time zone data files to tzdata> release 2011n
for DST law changes in Brazil, Cuba, Fiji, Palestine, Russia, and Samoa;
also historical corrections for Alaska and British East Africa.
Release 9.0.5Release Date2011-09-26
This release contains a variety of fixes from 9.0.4.
For information about new features in the 9.0 major release, see
.
Migration to Version 9.0.5
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.4,
see .
Changes
Fix catalog cache invalidation after a VACUUM FULL> or
CLUSTER> on a system catalog (Tom Lane)
In some cases the relocation of a system catalog row to another place
would not be recognized by concurrent server processes, allowing catalog
corruption to occur if they then tried to update that row. The
worst-case outcome could be as bad as complete loss of a table.
Fix incorrect order of operations during sinval reset processing,
and ensure that TOAST OIDs are preserved in system catalogs (Tom
Lane)
These mistakes could lead to transient failures after a VACUUM
FULL> or CLUSTER> on a system catalog.
Fix bugs in indexing of in-doubt HOT-updated tuples (Tom Lane)
These bugs could result in index corruption after reindexing a system
catalog. They are not believed to affect user indexes.
Fix multiple bugs in GiST index page split processing (Heikki
Linnakangas)
The probability of occurrence was low, but these could lead to index
corruption.
Fix possible buffer overrun in tsvector_concat()>
(Tom Lane)
The function could underestimate the amount of memory needed for its
result, leading to server crashes.
Fix crash in xml_recv> when processing a
standalone> parameter (Tom Lane)
Make pg_options_to_table> return NULL for an option with no
value (Tom Lane)
Previously such cases would result in a server crash.
Avoid possibly accessing off the end of memory in ANALYZE>
and in SJIS-2004 encoding conversion (Noah Misch)
This fixes some very-low-probability server crash scenarios.
Protect pg_stat_reset_shared()> against NULL input (Magnus
Hagander)
Fix possible failure when a recovery conflict deadlock is detected
within a sub-transaction (Tom Lane)
Avoid spurious conflicts while recycling btree index pages during hot
standby (Noah Misch, Simon Riggs)
Shut down WAL receiver if it's still running at end of recovery (Heikki
Linnakangas)
The postmaster formerly panicked in this situation, but it's actually a
legitimate case.
Fix race condition in relcache init file invalidation (Tom Lane)
There was a window wherein a new backend process could read a stale init
file but miss the inval messages that would tell it the data is stale.
The result would be bizarre failures in catalog accesses, typically
could not read block 0 in file ...> later during startup.
Fix memory leak at end of a GiST index scan (Tom Lane)
Commands that perform many separate GiST index scans, such as
verification of a new GiST-based exclusion constraint on a table
already containing many rows, could transiently require large amounts of
memory due to this leak.
Fix memory leak when encoding conversion has to be done on incoming
command strings and LISTEN> is active (Tom Lane)
Fix incorrect memory accounting (leading to possible memory bloat) in
tuplestores supporting holdable cursors and plpgsql's RETURN
NEXT> command (Tom Lane)
Fix trigger WHEN> conditions when both BEFORE> and
AFTER> triggers exist (Tom Lane)
Evaluation of WHEN> conditions for AFTER ROW
UPDATE> triggers could crash if there had been a BEFORE
ROW> trigger fired for the same update.
Fix performance problem when constructing a large, lossy bitmap
(Tom Lane)
Fix join selectivity estimation for unique columns (Tom Lane)
This fixes an erroneous planner heuristic that could lead to poor
estimates of the result size of a join.
Fix nested PlaceHolderVar expressions that appear only in sub-select
target lists (Tom Lane)
This mistake could result in outputs of an outer join incorrectly
appearing as NULL.
Allow the planner to assume that empty parent tables really are empty
(Tom Lane)
Normally an empty table is assumed to have a certain minimum size for
planning purposes; but this heuristic seems to do more harm than good
for the parent table of an inheritance hierarchy, which often is
permanently empty.
Allow nested EXISTS> queries to be optimized properly (Tom
Lane)
Fix array- and path-creating functions to ensure padding bytes are
zeroes (Tom Lane)
This avoids some situations where the planner will think that
semantically-equal constants are not equal, resulting in poor
optimization.
Fix EXPLAIN> to handle gating Result nodes within
inner-indexscan subplans (Tom Lane)
The usual symptom of this oversight was bogus varno> errors.
Fix btree preprocessing of indexedcol> IS
NULL> conditions (Dean Rasheed)
Such a condition is unsatisfiable if combined with any other type of
btree-indexable condition on the same index column. The case was
handled incorrectly in 9.0.0 and later, leading to query output where
there should be none.
Work around gcc 4.6.0 bug that breaks WAL replay (Tom Lane)
This could lead to loss of committed transactions after a server crash.
Fix dump bug for VALUES> in a view (Tom Lane)
Disallow SELECT FOR UPDATE/SHARE> on sequences (Tom Lane)
This operation doesn't work as expected and can lead to failures.
Fix VACUUM> so that it always updates
pg_class>.reltuples>/relpages> (Tom
Lane)
This fixes some scenarios where autovacuum could make increasingly poor
decisions about when to vacuum tables.
Defend against integer overflow when computing size of a hash table (Tom
Lane)
Fix cases where CLUSTER> might attempt to access
already-removed TOAST data (Tom Lane)
Fix premature timeout failures during initial authentication transaction
(Tom Lane)
Fix portability bugs in use of credentials control messages for
peer> authentication (Tom Lane)
Fix SSPI login when multiple roundtrips are required (Ahmed Shinwari,
Magnus Hagander)
The typical symptom of this problem was The function requested is
not supported> errors during SSPI login.
Fix failure when adding a new variable of a custom variable class to
postgresql.conf> (Tom Lane)
Throw an error if pg_hba.conf> contains hostssl>
but SSL is disabled (Tom Lane)
This was concluded to be more user-friendly than the previous behavior
of silently ignoring such lines.
Fix failure when DROP OWNED BY> attempts to remove default
privileges on sequences (Shigeru Hanada)
Fix typo in pg_srand48> seed initialization (Andres Freund)
This led to failure to use all bits of the provided seed. This function
is not used on most platforms (only those without srandom>),
and the potential security exposure from a less-random-than-expected
seed seems minimal in any case.
Avoid integer overflow when the sum of LIMIT> and
OFFSET> values exceeds 2^63 (Heikki Linnakangas)
Add overflow checks to int4> and int8> versions of
generate_series()> (Robert Haas)
Fix trailing-zero removal in to_char()> (Marti Raudsepp)
In a format with FM> and no digit positions
after the decimal point, zeroes to the left of the decimal point could
be removed incorrectly.
Fix pg_size_pretty()> to avoid overflow for inputs close to
2^63 (Tom Lane)
Weaken plpgsql's check for typmod matching in record values (Tom Lane)
An overly enthusiastic check could lead to discarding length modifiers
that should have been kept.
Correctly handle quotes in locale names during initdb>
(Heikki Linnakangas)
The case can arise with some Windows locales, such as People's
Republic of China>.
In pg_upgrade>, avoid dumping orphaned temporary tables
(Bruce Momjian)
This prevents situations wherein table OID assignments could get out of
sync between old and new installations.
Fix pg_upgrade> to preserve toast tables' relfrozenxids
during an upgrade from 8.3 (Bruce Momjian)
Failure to do this could lead to pg_clog> files being
removed too soon after the upgrade.
In pg_upgrade>, fix the -l> (log) option to
work on Windows (Bruce Momjian)
In pg_ctl>, support silent mode for service registrations
on Windows (MauMau)
Fix psql>'s counting of script file line numbers during
COPY> from a different file (Tom Lane)
Fix pg_restore>'s direct-to-database mode for
standard_conforming_strings> (Tom Lane)
pg_restore> could emit incorrect commands when restoring
directly to a database server from an archive file that had been made
with standard_conforming_strings> set to on>.
Be more user-friendly about unsupported cases for parallel
pg_restore> (Tom Lane)
This change ensures that such cases are detected and reported before
any restore actions have been taken.
Fix write-past-buffer-end and memory leak in libpq>'s
LDAP service lookup code (Albe Laurenz)
In libpq>, avoid failures when using nonblocking I/O
and an SSL connection (Martin Pihlak, Tom Lane)
Improve libpq's handling of failures during connection startup
(Tom Lane)
In particular, the response to a server report of fork()>
failure during SSL connection startup is now saner.
Improve libpq>'s error reporting for SSL failures (Tom
Lane)
Fix PQsetvalue()> to avoid possible crash when adding a new
tuple to a PGresult> originally obtained from a server
query (Andrew Chernow)
Make ecpglib> write double> values with 15 digits
precision (Akira Kurosawa)
In ecpglib>, be sure LC_NUMERIC> setting is
restored after an error (Michael Meskes)
Apply upstream fix for blowfish signed-character bug (CVE-2011-2483)
(Tom Lane)
contrib/pg_crypto>'s blowfish encryption code could give
wrong results on platforms where char is signed (which is most),
leading to encrypted passwords being weaker than they should be.
Fix memory leak in contrib/seg> (Heikki Linnakangas)
Fix pgstatindex()> to give consistent results for empty
indexes (Tom Lane)
Allow building with perl 5.14 (Alex Hunsaker)
Fix assorted issues with build and install file paths containing spaces
(Tom Lane)
Update time zone data files to tzdata> release 2011i
for DST law changes in Canada, Egypt, Russia, Samoa, and South Sudan.
Release 9.0.4Release Date2011-04-18
This release contains a variety of fixes from 9.0.3.
For information about new features in the 9.0 major release, see
.
Migration to Version 9.0.4
A dump/restore is not required for those running 9.0.X.
However, if your installation was upgraded from a previous major
release by running pg_upgrade>, you should take
action to prevent possible data loss due to a now-fixed bug in
pg_upgrade>. The recommended solution is to run
VACUUM FREEZE> on all TOAST tables.
More information is available at
http://wiki.postgresql.org/wiki/20110408pg_upgrade_fix.
Changes
Fix pg_upgrade>'s handling of TOAST tables
(Bruce Momjian)
The pg_class>.relfrozenxid> value for
TOAST tables was not correctly copied into the new installation
during pg_upgrade>. This could later result in
pg_clog> files being discarded while they were still
needed to validate tuples in the TOAST tables, leading to
could not access status of transaction> failures.
This error poses a significant risk of data loss for installations
that have been upgraded with pg_upgrade>. This patch
corrects the problem for future uses of pg_upgrade>,
but does not in itself cure the issue in installations that have been
processed with a buggy version of pg_upgrade>.
Suppress incorrect PD_ALL_VISIBLE flag was incorrectly set>
warning (Heikki Linnakangas)
VACUUM> would sometimes issue this warning in cases that
are actually valid.
Use better SQLSTATE error codes for hot standby conflict cases
(Tatsuo Ishii and Simon Riggs)
All retryable conflict errors now have an error code that indicates
that a retry is possible. Also, session closure due to the database
being dropped on the master is now reported as
ERRCODE_DATABASE_DROPPED>, rather than
ERRCODE_ADMIN_SHUTDOWN>, so that connection poolers can
handle the situation correctly.
Prevent intermittent hang in interactions of startup process with
bgwriter process (Simon Riggs)
This affected recovery in non-hot-standby cases.
Disallow including a composite type in itself (Tom Lane)
This prevents scenarios wherein the server could recurse infinitely
while processing the composite type. While there are some possible
uses for such a structure, they don't seem compelling enough to
justify the effort required to make sure it always works safely.
Avoid potential deadlock during catalog cache initialization
(Nikhil Sontakke)
In some cases the cache loading code would acquire share lock on a
system index before locking the index's catalog. This could deadlock
against processes trying to acquire exclusive locks in the other,
more standard order.
Fix dangling-pointer problem in BEFORE ROW UPDATE> trigger
handling when there was a concurrent update to the target tuple
(Tom Lane)
This bug has been observed to result in intermittent cannot
extract system attribute from virtual tuple> failures while trying to
do UPDATE RETURNING ctid>. There is a very small probability
of more serious errors, such as generating incorrect index entries for
the updated tuple.
Disallow DROP TABLE> when there are pending deferred trigger
events for the table (Tom Lane)
Formerly the DROP> would go through, leading to
could not open relation with OID nnn> errors when the
triggers were eventually fired.
Allow replication> as a user name in
pg_hba.conf> (Andrew Dunstan)
replication> is special in the database name column, but it
was mistakenly also treated as special in the user name column.
Prevent crash triggered by constant-false WHERE conditions during
GEQO optimization (Tom Lane)
Improve planner's handling of semi-join and anti-join cases
(Tom Lane)
Fix handling of SELECT FOR UPDATE> in a sub-SELECT
(Tom Lane)
This bug typically led to cannot extract system attribute from
virtual tuple> errors.
Fix selectivity estimation for text search to account for NULLs
(Jesper Krogh)
Fix get_actual_variable_range() to support hypothetical indexes
injected by an index adviser plugin (Gurjeet Singh)
Fix PL/Python memory leak involving array slices (Daniel Popowich)
Allow libpq>'s SSL initialization to succeed when
user's home directory is unavailable (Tom Lane)
If the SSL mode is such that a root certificate file is not required,
there is no need to fail. This change restores the behavior to what
it was in pre-9.0 releases.
Fix libpq> to return a useful error message for errors
detected in conninfo_array_parse> (Joseph Adams)
A typo caused the library to return NULL, rather than the
PGconn> structure containing the error message, to the
application.
Fix ecpg> preprocessor's handling of float constants
(Heikki Linnakangas)
Fix parallel pg_restore> to handle comments on
POST_DATA items correctly (Arnd Hannemann)
Fix pg_restore> to cope with long lines (over 1KB) in
TOC files (Tom Lane)
Put in more safeguards against crashing due to division-by-zero
with overly enthusiastic compiler optimization (Aurelien Jarno)
Support use of dlopen() in FreeBSD and OpenBSD on MIPS (Tom Lane)
There was a hard-wired assumption that this system function was not
available on MIPS hardware on these systems. Use a compile-time test
instead, since more recent versions have it.
Fix compilation failures on HP-UX (Heikki Linnakangas)
Avoid crash when trying to write to the Windows console very early
in process startup (Rushabh Lathia)
Support building with MinGW 64 bit compiler for Windows
(Andrew Dunstan)
Fix version-incompatibility problem with libintl> on
Windows (Hiroshi Inoue)
Fix usage of xcopy> in Windows build scripts to
work correctly under Windows 7 (Andrew Dunstan)
This affects the build scripts only, not installation or usage.
Fix path separator used by pg_regress> on Cygwin
(Andrew Dunstan)
Update time zone data files to tzdata> release 2011f
for DST law changes in Chile, Cuba, Falkland Islands, Morocco, Samoa,
and Turkey; also historical corrections for South Australia, Alaska,
and Hawaii.
Release 9.0.3Release Date2011-01-31
This release contains a variety of fixes from 9.0.2.
For information about new features in the 9.0 major release, see
.
Migration to Version 9.0.3
A dump/restore is not required for those running 9.0.X.
Changes
Before exiting walreceiver>, ensure all the received WAL
is fsync'd to disk (Heikki Linnakangas)
Otherwise the standby server could replay some un-synced WAL, conceivably
leading to data corruption if the system crashes just at that point.
Avoid excess fsync activity in walreceiver>
(Heikki Linnakangas)
Make ALTER TABLE> revalidate uniqueness and exclusion
constraints when needed (Noah Misch)
This was broken in 9.0 by a change that was intended to suppress
revalidation during VACUUM FULL> and CLUSTER>,
but unintentionally affected ALTER TABLE> as well.
Fix EvalPlanQual for UPDATE> of an inheritance tree in which
the tables are not all alike (Tom Lane)
Any variation in the table row types (including dropped columns present
in only some child tables) would confuse the EvalPlanQual code, leading
to misbehavior or even crashes. Since EvalPlanQual is only executed
during concurrent updates to the same row, the problem was only seen
intermittently.
Avoid failures when EXPLAIN> tries to display a simple-form
CASE> expression (Tom Lane)
If the CASE>'s test expression was a constant, the planner
could simplify the CASE> into a form that confused the
expression-display code, resulting in unexpected CASE WHEN
clause> errors.
Fix assignment to an array slice that is before the existing range
of subscripts (Tom Lane)
If there was a gap between the newly added subscripts and the first
pre-existing subscript, the code miscalculated how many entries needed
to be copied from the old array's null bitmap, potentially leading to
data corruption or crash.
Avoid unexpected conversion overflow in planner for very distant date
values (Tom Lane)
The date> type supports a wider range of dates than can be
represented by the timestamp> types, but the planner assumed it
could always convert a date to timestamp with impunity.
Fix PL/Python crash when an array contains null entries (Alex Hunsaker)
Remove ecpg>'s fixed length limit for constants defining
an array dimension (Michael Meskes)
Fix erroneous parsing of tsquery> values containing
... & !(subexpression) | ... (Tom Lane)
Queries containing this combination of operators were not executed
correctly. The same error existed in contrib/intarray>'s
query_int> type and contrib/ltree>'s
ltxtquery> type.
Fix buffer overrun in contrib/intarray>'s input function
for the query_int> type (Apple)
This bug is a security risk since the function's return address could
be overwritten. Thanks to Apple Inc's security team for reporting this
issue and supplying the fix. (CVE-2010-4015)
Fix bug in contrib/seg>'s GiST picksplit algorithm
(Alexander Korotkov)
This could result in considerable inefficiency, though not actually
incorrect answers, in a GiST index on a seg> column.
If you have such an index, consider REINDEX>ing it after
installing this update. (This is identical to the bug that was fixed in
contrib/cube> in the previous update.)
Release 9.0.2Release Date2010-12-16
This release contains a variety of fixes from 9.0.1.
For information about new features in the 9.0 major release, see
.
Migration to Version 9.0.2
A dump/restore is not required for those running 9.0.X.
Changes
Force the default
wal_sync_method>
to be fdatasync> on Linux (Tom Lane, Marti Raudsepp)
The default on Linux has actually been fdatasync> for many
years, but recent kernel changes caused PostgreSQL> to
choose open_datasync> instead. This choice did not result
in any performance improvement, and caused outright failures on
certain filesystems, notably ext4> with the
data=journal> mount option.
Fix too many KnownAssignedXids> error during Hot Standby
replay (Heikki Linnakangas)
Fix race condition in lock acquisition during Hot Standby (Simon Riggs)
Avoid unnecessary conflicts during Hot Standby (Simon Riggs)
This fixes some cases where replay was considered to conflict with
standby queries (causing delay of replay or possibly cancellation of
the queries), but there was no real conflict.
Fix assorted bugs in WAL replay logic for GIN indexes (Tom Lane)
This could result in bad buffer id: 0> failures or
corruption of index contents during replication.
Fix recovery from base backup when the starting checkpoint WAL record
is not in the same WAL segment as its redo point (Jeff Davis)
Fix corner-case bug when streaming replication is enabled immediately
after creating the master database cluster (Heikki Linnakangas)
Fix persistent slowdown of autovacuum workers when multiple workers
remain active for a long time (Tom Lane)
The effective vacuum_cost_limit> for an autovacuum worker
could drop to nearly zero if it processed enough tables, causing it
to run extremely slowly.
Fix long-term memory leak in autovacuum launcher (Alvaro Herrera)
Avoid failure when trying to report an impending transaction
wraparound condition from outside a transaction (Tom Lane)
This oversight prevented recovery after transaction wraparound got
too close, because database startup processing would fail.
Add support for detecting register-stack overrun on IA64>
(Tom Lane)
The IA64> architecture has two hardware stacks. Full
prevention of stack-overrun failures requires checking both.
Add a check for stack overflow in copyObject()> (Tom Lane)
Certain code paths could crash due to stack overflow given a
sufficiently complex query.
Fix detection of page splits in temporary GiST indexes (Heikki
Linnakangas)
It is possible to have a concurrent> page split in a
temporary index, if for example there is an open cursor scanning the
index when an insertion is done. GiST failed to detect this case and
hence could deliver wrong results when execution of the cursor
continued.
Fix error checking during early connection processing (Tom Lane)
The check for too many child processes was skipped in some cases,
possibly leading to postmaster crash when attempting to add the new
child process to fixed-size arrays.
Improve efficiency of window functions (Tom Lane)
Certain cases where a large number of tuples needed to be read in
advance, but work_mem> was large enough to allow them all
to be held in memory, were unexpectedly slow.
percent_rank()>, cume_dist()> and
ntile()> in particular were subject to this problem.
Avoid memory leakage while ANALYZE>'ing complex index
expressions (Tom Lane)
Ensure an index that uses a whole-row Var still depends on its table
(Tom Lane)
An index declared like create index i on t (foo(t.*))>
would not automatically get dropped when its table was dropped.
Add missing support in DROP OWNED BY> for removing foreign
data wrapper/server privileges belonging to a user (Heikki Linnakangas)
Do not inline> a SQL function with multiple OUT>
parameters (Tom Lane)
This avoids a possible crash due to loss of information about the
expected result rowtype.
Fix crash when inline-ing a set-returning function whose argument list
contains a reference to an inline-able user function (Tom Lane)
Behave correctly if ORDER BY>, LIMIT>,
FOR UPDATE>, or WITH> is attached to the
VALUES> part of INSERT ... VALUES> (Tom Lane)
Make the OFF> keyword unreserved (Heikki Linnakangas)
This prevents problems with using off> as a variable name in
PL/pgSQL>. That worked before 9.0, but was now broken
because PL/pgSQL> now treats all core reserved words
as reserved.
Fix constant-folding of COALESCE()> expressions (Tom Lane)
The planner would sometimes attempt to evaluate sub-expressions that
in fact could never be reached, possibly leading to unexpected errors.
Fix could not find pathkey item to sort> planner failure
with comparison of whole-row Vars (Tom Lane)
Fix postmaster crash when connection acceptance
(accept()> or one of the calls made immediately after it)
fails, and the postmaster was compiled with GSSAPI support (Alexander
Chernikov)
Retry after receiving an invalid response packet from a RADIUS
authentication server (Magnus Hagander)
This fixes a low-risk potential denial of service condition.
Fix missed unlink of temporary files when log_temp_files>
is active (Tom Lane)
If an error occurred while attempting to emit the log message, the
unlink was not done, resulting in accumulation of temp files.
Add print functionality for InhRelation> nodes (Tom Lane)
This avoids a failure when debug_print_parse> is enabled
and certain types of query are executed.
Fix incorrect calculation of distance from a point to a horizontal
line segment (Tom Lane)
This bug affected several different geometric distance-measurement
operators.
Fix incorrect calculation of transaction status in
ecpg> (Itagaki Takahiro)
Fix errors in psql>'s Unicode-escape support (Tom Lane)
Speed up parallel pg_restore> when the archive
contains many large objects (blobs) (Tom Lane)
Fix PL/pgSQL>'s handling of simple>
expressions to not fail in recursion or error-recovery cases (Tom Lane)
Fix PL/pgSQL>'s error reporting for no-such-column
cases (Tom Lane)
As of 9.0, it would sometimes report missing FROM-clause entry
for table foo> when record foo has no field bar> would be
more appropriate.
Fix PL/Python> to honor typmod (i.e., length or
precision restrictions) when assigning to tuple fields (Tom Lane)
This fixes a regression from 8.4.
Fix PL/Python>'s handling of set-returning functions
(Jan Urbanski)
Attempts to call SPI functions within the iterator generating a set
result would fail.
Fix bug in contrib/cube>'s GiST picksplit algorithm
(Alexander Korotkov)
This could result in considerable inefficiency, though not actually
incorrect answers, in a GiST index on a cube> column.
If you have such an index, consider REINDEX>ing it after
installing this update.
Don't emit identifier will be truncated> notices in
contrib/dblink> except when creating new connections
(Itagaki Takahiro)
Fix potential coredump on missing public key in
contrib/pgcrypto> (Marti Raudsepp)
Fix buffer overrun in contrib/pg_upgrade> (Hernan Gonzalez)
Fix memory leak in contrib/xml2>'s XPath query functions
(Tom Lane)
Update time zone data files to tzdata> release 2010o
for DST law changes in Fiji and Samoa;
also historical corrections for Hong Kong.
Release 9.0.1Release Date2010-10-04
This release contains a variety of fixes from 9.0.0.
For information about new features in the 9.0 major release, see
.
Migration to Version 9.0.1
A dump/restore is not required for those running 9.0.X.
Changes
Use a separate interpreter for each calling SQL userid in PL/Perl and
PL/Tcl (Tom Lane)
This change prevents security problems that can be caused by subverting
Perl or Tcl code that will be executed later in the same session under
another SQL user identity (for example, within a SECURITY
DEFINER> function). Most scripting languages offer numerous ways that
that might be done, such as redefining standard functions or operators
called by the target function. Without this change, any SQL user with
Perl or Tcl language usage rights can do essentially anything with the
SQL privileges of the target function's owner.
The cost of this change is that intentional communication among Perl
and Tcl functions becomes more difficult. To provide an escape hatch,
PL/PerlU and PL/TclU functions continue to use only one interpreter
per session. This is not considered a security issue since all such
functions execute at the trust level of a database superuser already.
It is likely that third-party procedural languages that claim to offer
trusted execution have similar security issues. We advise contacting
the authors of any PL you are depending on for security-critical
purposes.
Our thanks to Tim Bunce for pointing out this issue (CVE-2010-3433).
Improve pg_get_expr()> security fix so that the function
can still be used on the output of a sub-select (Tom Lane)
Fix incorrect placement of placeholder evaluation (Tom Lane)
This bug could result in query outputs being non-null when they
should be null, in cases where the inner side of an outer join
is a sub-select with non-strict expressions in its output list.
Fix join removal's handling of placeholder expressions (Tom Lane)
Fix possible duplicate scans of UNION ALL> member relations
(Tom Lane)
Prevent infinite loop in ProcessIncomingNotify() after unlistening
(Jeff Davis)
Prevent show_session_authorization() from crashing within autovacuum
processes (Tom Lane)
Re-allow input of Julian dates prior to 0001-01-01 AD (Tom Lane)
Input such as 'J100000'::date> worked before 8.4,
but was unintentionally broken by added error-checking.
Make psql recognize DISCARD ALL> as a command that should
not be encased in a transaction block in autocommit-off mode
(Itagaki Takahiro)
Update build infrastructure and documentation to reflect the source code
repository's move from CVS to Git (Magnus Hagander and others)
Release 9.0Release Date2010-09-20Overview
This release of
PostgreSQL> adds features that have been requested
for years, such as easy-to-use replication, a mass permission-changing
facility, and anonymous code blocks. While past major releases have
been conservative in their scope, this release shows a
bold new desire to provide facilities that new and existing
users of PostgreSQL> will embrace. This has all
been done with few incompatibilities. Major enhancements include:
Built-in replication based on log shipping. This advance consists of
two features: Streaming Replication, allowing continuous archive
(WAL>) files to be streamed over a network connection to a
standby server, and Hot Standby, allowing continuous archive standby
servers to execute read-only queries. The net effect is to support a
single master with multiple read-only slave servers.
Easier database object permissions management. GRANT>/REVOKE IN
SCHEMA> supports mass permissions changes on existing objects,
while ALTER DEFAULT
PRIVILEGES> allows control of privileges for objects created in
the future. Large objects (BLOBs) now support permissions management as
well.
Broadly enhanced stored procedure support.
The DO> statement supports
ad-hoc or anonymous> code blocks.
Functions can now be called using named parameters.
PL/pgSQL is now installed by default, and
PL/Perl and PL/Python have been enhanced in several ways,
including support for Python3.
Full support for 64-bit
Windows>.
More advanced reporting queries, including additional windowing options
(PRECEDING> and FOLLOWING>) and the ability to
control the order in which values are fed to aggregate functions.
New trigger features, including
SQL-standard-compliant per-column triggers and
conditional trigger execution.
Deferrable
unique constraints. Mass updates to unique keys are now possible
without trickery.
Exclusion constraints.
These provide a generalized version of unique constraints, allowing
enforcement of complex conditions.
New and enhanced security features, including RADIUS authentication,
LDAP authentication improvements, and a new contrib module
passwordcheck>
for testing password strength.
New high-performance implementation of the
LISTEN>/NOTIFY> feature.
Pending events are now stored in a memory-based queue rather than
a table. Also, a payload> string can be sent with each
event, rather than transmitting just an event name as before.
New implementation of
VACUUM FULL>.
This command now rewrites the entire table and indexes, rather than
moving individual rows to compact space. It is substantially faster
in most cases, and no longer results in index bloat.
New contrib module
pg_upgrade>
to support in-place upgrades from 8.3 or 8.4 to 9.0.
Multiple performance enhancements for specific types of queries,
including elimination of unnecessary joins. This helps optimize some
automatically-generated queries, such as those produced by
object-relational mappers (ORMs).
EXPLAIN> enhancements.
The output is now available in JSON, XML, or YAML format, and includes
buffer utilization and other data not previously available.
hstore> improvements,
including new functions and greater data capacity.
The above items are explained in more detail in the sections below.
Migration to Version 9.0
A dump/restore using pg_dump,
or use of pg_upgrade, is required
for those wishing to migrate data from any previous
release.
Version 9.0 contains a number of changes that selectively break backwards
compatibility in order to support new features and code quality
improvements. In particular, users who make extensive use of PL/pgSQL,
Point-In-Time Recovery (PITR), or Warm Standby should test their
applications because of slight user-visible changes in those areas.
Observe the following incompatibilities:
Server Settings
Remove server parameter add_missing_from>, which was
defaulted to off for many years (Tom Lane)
Remove server parameter regex_flavor>, which
was defaulted to advanced>
for many years (Tom Lane)
archive_mode>
now only affects archive_command>;
a new setting, wal_level>, affects
the contents of the write-ahead log (Heikki Linnakangas)
log_temp_files>
now uses default file size units of kilobytes (Robert Haas)
Queries
When querying a parent table,
do not do any separate permission checks on child tables
scanned as part of the query (Peter Eisentraut)
The SQL standard specifies this behavior, and it is also much more
convenient in practice than the former behavior of checking permissions
on each child as well as the parent.
Data Typesbytea> output now
appears in hex format by default (Peter Eisentraut)
The server parameter bytea_output> can be
used to select the traditional output format if needed for
compatibility.
Array input now considers only plain ASCII whitespace characters
to be potentially ignorable; it will never ignore non-ASCII characters,
even if they are whitespace according to some locales (Tom Lane)
This avoids some corner cases where array values could be interpreted
differently depending on the server's locale settings.
Improve standards compliance of SIMILAR TO>
patterns and SQL-style substring()> patterns (Tom Lane)
This includes treating ?> and {...}> as
pattern metacharacters, while they were simple literal characters
before; that corresponds to new features added in SQL:2008.
Also, ^> and $> are now treated as simple
literal characters; formerly they were treated as metacharacters,
as if the pattern were following POSIX rather than SQL rules.
Also, in SQL-standard substring()>, use of parentheses
for nesting no longer interferes with capturing of a substring.
Also, processing of bracket expressions (character classes) is
now more standards-compliant.
Reject negative length values in 3-parameter substring()>
for bit strings, per the SQL standard (Tom Lane)
Make date_trunc> truncate rather than round when reducing
precision of fractional seconds (Tom Lane)
The code always acted this way for integer-based dates/times.
Now float-based dates/times behave similarly.
Object Renaming
Tighten enforcement of column name consistency during RENAME>
when a child table inherits the same column from multiple unrelated
parents (KaiGai Kohei)
No longer automatically rename indexes and index columns when the
underlying table columns are renamed (Tom Lane)
Administrators can still rename such indexes and columns manually.
This change will require an update of the JDBC driver, and possibly other
drivers, so that unique indexes are correctly recognized after a rename.
CREATE OR REPLACE FUNCTION can no longer change
the declared names of function parameters (Pavel Stehule)
In order to avoid creating ambiguity in named-parameter calls, it is
no longer allowed to change the aliases for input parameters
in the declaration of an existing function (although names can still
be assigned to previously unnamed parameters). You now have to
DROP and recreate the function to do that.
PL/pgSQL
PL/pgSQL now throws an error if a variable name conflicts with a
column name used in a query (Tom Lane)
The former behavior was to bind ambiguous names to PL/pgSQL variables
in preference to query columns, which often resulted in surprising
misbehavior. Throwing an error allows easy detection of ambiguous
situations. Although it's recommended that functions encountering this
type of error be modified to remove the conflict, the old behavior can
be restored if necessary via the configuration parameter plpgsql.variable_conflict>,
or via the per-function option #variable_conflict>.
PL/pgSQL no longer allows variable names that match certain SQL
reserved words (Tom Lane)
This is a consequence of aligning the PL/pgSQL parser to match the
core SQL parser more closely. If necessary,
variable names can be double-quoted to avoid this restriction.
PL/pgSQL now requires columns of composite results to match the
expected type modifier as well as base type (Pavel Stehule, Tom Lane)
For example, if a column of the result type is declared as
NUMERIC(30,2)>, it is no longer acceptable to return a
NUMERIC> of some other precision in that column. Previous
versions neglected to check the type modifier and would thus allow
result rows that didn't actually conform to the declared restrictions.
PL/pgSQL now treats selection into composite fields more consistently
(Tom Lane)
Formerly, a statement like
SELECT ... INTO rec>.fld> FROM ...
was treated as a scalar assignment even if the record field
fld> was of composite type. Now it is treated as a
record assignment, the same as when the INTO> target is a
regular variable of composite type. So the values to be assigned to the
field's subfields should be written as separate columns of the
SELECT> list, not as a ROW(...)> construct as in
previous versions.
If you need to do this in a way that will work in both 9.0 and previous
releases, you can write something like
rec>.fld> := ROW(...) FROM ....
Remove PL/pgSQL's RENAME> declaration (Tom Lane)
Instead of RENAME>, use ALIAS>,
which can now create an alias for any variable, not only dollar sign
parameter names (such as $1>) as before.
Other Incompatibilities
Deprecate use of =>> as an operator name (Robert Haas)
Future versions of PostgreSQL> will probably reject
this operator name entirely, in order to support the SQL-standard
notation for named function parameters. For the moment, it is
still allowed, but a warning is emitted when such an operator is
defined.
Remove support for platforms that don't have a working 64-bit
integer data type (Tom Lane)
It is believed all still-supported platforms have working 64-bit
integer data types.
Changes
Version 9.0 has an unprecedented number of new major features,
and over 200 enhancements, improvements, new commands,
new functions, and other changes.
ServerContinuous Archiving and Streaming Replication
PostgreSQL's existing standby-server capability has been expanded both to
support read-only queries on standby servers and to greatly reduce
the lag between master and standby servers. For many users, this
will be a useful and low-administration form of replication, either
for high availability or for horizontal scalability.
Allow a standby server to accept read-only queries
(Simon Riggs, Heikki Linnakangas)
This feature is called Hot Standby. There are new
postgresql.conf> and recovery.conf>
settings to control this feature, as well as extensive
documentation.
Allow write-ahead log (WAL>) data to be streamed to a
standby server (Fujii Masao, Heikki Linnakangas)
This feature is called Streaming Replication.
Previously WAL> data could be sent to standby servers only
in units of entire WAL> files (normally 16 megabytes each).
Streaming Replication eliminates this inefficiency and allows updates
on the master to be propagated to standby servers with very little
delay. There are new postgresql.conf> and
recovery.conf> settings to control this feature, as well as
extensive documentation.
Add pg_last_xlog_receive_location()>
and pg_last_xlog_replay_location()>, which
can be used to monitor standby server WAL>
activity (Simon Riggs, Fujii Masao, Heikki Linnakangas)
Performance
Allow per-tablespace values to be set for sequential and random page
cost estimates (seq_page_cost>/random_page_cost>)
via ALTER TABLESPACE
... SET/RESET> (Robert Haas)
Improve performance and reliability of EvalPlanQual rechecks in join
queries (Tom Lane)
UPDATE>, DELETE>, and SELECT FOR
UPDATE/SHARE> queries that involve joins will now behave much better
when encountering freshly-updated rows.
Improve performance of TRUNCATE> when
the table was created or truncated earlier in the same transaction
(Tom Lane)
Improve performance of finding inheritance child tables (Tom Lane)
Optimizer
Remove unnecessary outer
joins (Robert Haas)
Outer joins where the inner side is unique and not referenced above
the join are unnecessary and are therefore now removed. This will
accelerate many automatically generated queries, such as those created
by object-relational mappers (ORMs).
Allow IS NOT NULL> restrictions to use indexes (Tom Lane)
This is particularly useful for finding
MAX()>/MIN()> values in indexes that
contain many null values.
Improve the optimizer's choices about when to use materialize nodes,
and when to use sorting versus hashing for DISTINCT>
(Tom Lane)
Improve the optimizer's equivalence detection for expressions involving
boolean> <>> operators (Tom Lane)
GEQO
Use the same random seed every time GEQO plans a query (Andres
Freund)
While the Genetic Query Optimizer (GEQO) still selects
random plans, it now always selects the same random plans for identical
queries, thus giving more consistent performance. You can modify geqo_seed> to experiment with
alternative plans.
Improve GEQO plan selection (Tom Lane)
This avoids the rare error failed to make a valid plan>,
and should also improve planning speed.
Optimizer Statistics
Improve ANALYZE>
to support inheritance-tree statistics (Tom Lane)
This is particularly useful for partitioned tables. However,
autovacuum does not yet automatically re-analyze parent tables
when child tables change.
Improve autovacuum's
detection of when re-analyze is necessary (Tom Lane)
Improve optimizer's estimation for greater/less-than comparisons
(Tom Lane)
When looking up statistics for greater/less-than comparisons,
if the comparison value is in the first or last histogram bucket,
use an index (if available) to fetch the current actual column
minimum or maximum. This greatly improves the accuracy of estimates
for comparison values near the ends of the data range, particularly
if the range is constantly changing due to addition of new data.
Allow setting of number-of-distinct-values statistics using ALTER TABLE>
(Robert Haas)
This allows users to override the estimated number or percentage of
distinct values for a column. This statistic is normally computed by
ANALYZE>, but the estimate can be poor, especially on tables
with very large numbers of rows.
Authentication
Add support for RADIUS> (Remote
Authentication Dial In User Service) authentication
(Magnus Hagander)
Allow LDAP>
(Lightweight Directory Access Protocol) authentication
to operate in search/bind> mode
(Robert Fleming, Magnus Hagander)
This allows the user to be looked up first, then the system uses
the DN> (Distinguished Name) returned for that user.
Add samehost>
and samenet> designations to
pg_hba.conf> (Stef Walter)
These match the server's IP> address and subnet address
respectively.
Pass trusted SSL root certificate names to the client so the client
can return an appropriate client certificate (Craig Ringer)
Monitoring
Add the ability for clients to set an application
name, which is displayed in
pg_stat_activity> (Dave Page)
This allows administrators to characterize database traffic
and troubleshoot problems by source application.
Add a SQLSTATE option (%e>) to log_line_prefix>
(Guillaume Smet)
This allows users to compile statistics on errors and messages
by error code number.
Write to the Windows event log in UTF16> encoding
(Itagaki Takahiro)
Now there is true multilingual support for PostgreSQL log messages
on Windows.
Statistics Counters
Add pg_stat_reset_shared('bgwriter')>
to reset the cluster-wide shared statistics for the
background writer (Greg Smith)
Add pg_stat_reset_single_table_counters()>
and pg_stat_reset_single_function_counters()>
to allow resetting the statistics counters for individual
tables and functions (Magnus Hagander)
Server Settings
Allow setting of configuration parameters based on database/role combinations
(Alvaro Herrera)
Previously only per-database and per-role settings were possible,
not combinations. All role and database settings are now stored
in the new pg_db_role_setting> system catalog. A new
psql> command \drds> shows these settings.
The legacy system views pg_roles>,
pg_shadow>, and pg_user>
do not show combination settings, and therefore no longer
completely represent the configuration for a user or database.
Add server parameter bonjour>, which
controls whether a Bonjour-enabled server advertises
itself via Bonjour> (Tom Lane)
The default is off, meaning it does not advertise. This allows
packagers to distribute Bonjour-enabled builds without worrying
that individual users might not want the feature.
Add server parameter enable_material>, which
controls the use of materialize nodes in the optimizer
(Robert Haas)
The default is on. When off, the optimizer will not add
materialize nodes purely for performance reasons, though they
will still be used when necessary for correctness.
Change server parameter log_temp_files> to
use default file size units of kilobytes (Robert Haas)
Previously this setting was interpreted in bytes if no units were
specified.
Log changes of parameter values when postgresql.conf> is
reloaded (Peter Eisentraut)
This lets administrators and security staff audit changes of database
settings, and is also very convenient for checking the effects of
postgresql.conf> edits.
Properly enforce superuser permissions for custom server parameters
(Tom Lane)
Non-superusers can no longer issue ALTER
ROLE>/DATABASE SET> for parameters that are not currently
known to the server. This allows the server to correctly check that
superuser-only parameters are only set by superusers. Previously,
the SET> would be allowed and then ignored at session start,
making superuser-only custom parameters much less useful than they
should be.
Queries
Perform SELECT
FOR UPDATE>/SHARE> processing after
applying LIMIT>, so the number of rows returned
is always predictable (Tom Lane)
Previously, changes made by concurrent transactions could cause a
SELECT FOR UPDATE> to unexpectedly return fewer rows than
specified by its LIMIT>. FOR UPDATE> in combination
with ORDER BY> can still produce surprising results, but that
can be corrected by placing FOR UPDATE> in a subquery.
Allow mixing of traditional and SQL-standard LIMIT>/OFFSET>
syntax (Tom Lane)
Extend the supported frame options in window functions (Hitoshi
Harada)
Frames can now start with CURRENT ROW>, and the ROWS
n> PRECEDING>/FOLLOWING> options are now
supported.
Make SELECT INTO> and CREATE TABLE AS> return
row counts to the client in their command tags
(Boszormenyi Zoltan)
This can save an entire round-trip to the client, allowing result counts
and pagination to be calculated without an additional
COUNT query.
Unicode Strings
Support Unicode surrogate pairs (dual 16-bit representation) in
U&>
strings and identifiers (Peter Eisentraut)
Support Unicode escapes in E'...'>
strings (Marko Kreen)
Object Manipulation
Speed up CREATE
DATABASE> by deferring flushes to disk (Andres
Freund, Greg Stark)
Allow comments on
columns of tables, views, and composite types only, not other
relation types such as indexes and TOAST> tables (Tom Lane)
Allow the creation of enumerated types containing
no values (Bruce Momjian)
Let values of columns having storage type MAIN> remain on
the main heap page unless the row cannot fit on a page (Kevin Grittner)
Previously MAIN> values were forced out to TOAST>
tables until the row size was less than one-quarter of the page size.
ALTER TABLE>
Implement IF EXISTS> for ALTER TABLE DROP COLUMN>
and ALTER TABLE DROP CONSTRAINT > (Andres Freund)
Allow ALTER TABLE> commands that rewrite tables to skip
WAL> logging (Itagaki Takahiro)
Such operations either produce a new copy of the table or are rolled
back, so WAL> archiving can be skipped, unless running in
continuous archiving mode. This reduces I/O overhead and improves
performance.
Fix failure of ALTER TABLE table> ADD COLUMN
col> serial when done by non-owner of table
(Tom Lane)
CREATE TABLE>
Add support for copying COMMENTS> and STORAGE>
settings in CREATE TABLE ... LIKE> commands
(Itagaki Takahiro)
Add a shortcut for copying all properties in CREATE
TABLE ... LIKE> commands (Itagaki Takahiro)
Add the SQL-standard
CREATE TABLE ... OF type> command
(Peter Eisentraut)
This allows creation of a table that matches an existing composite
type. Additional constraints and defaults can be specified in the
command.
Constraints
Add deferrable
unique constraints (Dean Rasheed)
This allows mass updates, such as
UPDATE tab SET col = col + 1>,
to work reliably
on columns that have unique indexes or are marked as primary keys.
If the constraint is specified as DEFERRABLE> it will be
checked at the end of the statement, rather than after each row is
updated. The constraint check can also be deferred until the end of the
current transaction, allowing such updates to be spread over multiple
SQL commands.
Add
exclusion constraints
(Jeff Davis)
Exclusion constraints generalize uniqueness constraints by allowing
arbitrary comparison operators, not just equality. They are created
with the CREATE
TABLE CONSTRAINT ... EXCLUDE> clause.
The most common use of exclusion constraints is to specify that column
entries must not overlap, rather than simply not be equal. This is
useful for time periods and other ranges, as well as arrays.
This feature enhances checking of data integrity for many
calendaring, time-management, and scientific applications.
Improve uniqueness-constraint violation error messages to
report the values causing the failure (Itagaki Takahiro)
For example, a uniqueness constraint violation might now report
Key (x)=(2) already exists>.
Object Permissions
Add the ability to make mass permission changes across a whole
schema using the new GRANT>/REVOKE
IN SCHEMA> clause (Petr Jelinek)
This simplifies management of object permissions
and makes it easier to utilize database roles for application
data security.
Add ALTER
DEFAULT PRIVILEGES> command to control privileges
of objects created later (Petr Jelinek)
This greatly simplifies the assignment of object privileges in a
complex database application. Default privileges can be set for
tables, views, sequences, and functions. Defaults may be assigned on a
per-schema basis, or database-wide.
Add the ability to control large object (BLOB) permissions with
GRANT>/REVOKE> (KaiGai Kohei)
Formerly, any database user could read or modify any large object.
Read and write permissions can now be granted and revoked per
large object, and the ownership of large objects is tracked.
Utility Operations
Make LISTEN>/NOTIFY> store pending events
in a memory queue, rather than in a system table (Joachim
Wieland)
This substantially improves performance, while retaining the existing
features of transactional support and guaranteed delivery.
Allow NOTIFY>
to pass an optional payload> string to listeners
(Joachim Wieland)
This greatly improves the usefulness of
LISTEN>/NOTIFY> as a
general-purpose event queue system.
Allow CLUSTER>
on all per-database system catalogs (Tom Lane)
Shared catalogs still cannot be clustered.
COPY>
Accept COPY ... CSV FORCE QUOTE *>
(Itagaki Takahiro)
Now *> can be used as shorthand for all columns>
in the FORCE QUOTE> clause.
Add new COPY> syntax that allows options to be
specified inside parentheses (Robert Haas, Emmanuel Cecchet)
This allows greater flexibility for future COPY> options.
The old syntax is still supported, but only for pre-existing options.
EXPLAIN>
Allow EXPLAIN> to output in XML>,
JSON>, or YAML> format (Robert Haas, Greg
Sabino Mullane)
The new output formats are easily machine-readable, supporting the
development of new tools for analysis of EXPLAIN> output.
Add new BUFFERS> option to report query
buffer usage during EXPLAIN ANALYZE> (Itagaki Takahiro)
This allows better query profiling for individual queries.
Buffer usage is no longer reported in the output for log_statement_stats
and related settings.
Add hash usage information to EXPLAIN> output (Robert
Haas)
Add new EXPLAIN> syntax that allows options to be
specified inside parentheses (Robert Haas)
This allows greater flexibility for future EXPLAIN> options.
The old syntax is still supported, but only for pre-existing options.
VACUUM>
Change VACUUM FULL> to rewrite the entire table and
rebuild its indexes, rather than moving individual rows around to
compact space (Itagaki Takahiro, Tom Lane)
The previous method was usually slower and caused index bloat.
Note that the new method will use more disk space transiently
during VACUUM FULL>; potentially as much as twice
the space normally occupied by the table and its indexes.
Add new VACUUM> syntax that allows options to be
specified inside parentheses (Itagaki Takahiro)
This allows greater flexibility for future VACUUM> options.
The old syntax is still supported, but only for pre-existing options.
Indexes
Allow an index to be named automatically by omitting the index name in
CREATE INDEX>
(Tom Lane)
By default, multicolumn indexes are now named after all their columns;
and index expression columns are now named based on their expressions
(Tom Lane)
Reindexing shared system catalogs is now fully transactional
and crash-safe (Tom Lane)
Formerly, reindexing a shared index was only allowed in standalone
mode, and a crash during the operation could leave the index in
worse condition than it was before.
Add point_ops> operator class for GiST>
(Teodor Sigaev)
This feature permits GiST> indexing of point>
columns. The index can be used for several types of queries
such as point> <@> polygon>
(point is in polygon). This should make many
PostGIS> queries faster.
Use red-black binary trees for GIN> index creation
(Teodor Sigaev)
Red-black trees are self-balancing. This avoids slowdowns in
cases where the input is in nonrandom order.
Data Types
Allow bytea> values
to be written in hex notation (Peter Eisentraut)
The server parameter bytea_output> controls
whether hex or traditional format is used for bytea>
output. Libpq's PQescapeByteaConn()> function automatically
uses the hex format when connected to PostgreSQL> 9.0
or newer servers. However, pre-9.0 libpq versions will not
correctly process hex format from newer servers.
The new hex format will be directly compatible with more applications
that use binary data, allowing them to store and retrieve it without
extra conversion. It is also significantly faster to read and write
than the traditional format.
Allow server parameter extra_float_digits
to be increased to 3> (Tom Lane)
The previous maximum extra_float_digits> setting was
2>. There are cases where 3 digits are needed to dump and
restore float4> values exactly. pg_dump> will
now use the setting of 3 when dumping from a server that allows it.
Tighten input checking for int2vector> values (Caleb
Welton)
Full Text Search
Add prefix support in synonym> dictionaries
(Teodor Sigaev)
Add filtering> dictionaries (Teodor Sigaev)
Filtering dictionaries allow tokens to be modified then passed to
subsequent dictionaries.
Allow underscores in email-address tokens (Teodor Sigaev)
Use more standards-compliant rules for parsing URL> tokens
(Tom Lane)
Functions
Allow function calls to supply parameter names and match them to named
parameters in the function definition (Pavel Stehule)
For example, if a function is defined to take parameters a>
and b>, it can be called with func(a := 7, b
:= 12)> or func(b := 12, a := 7)>.
Support locale-specific regular expression
processing with UTF-8> server encoding (Tom Lane)
Locale-specific regular expression functionality includes
case-insensitive matching and locale-specific character classes.
Previously, these features worked correctly for non-ASCII>
characters only if the database used a single-byte server encoding (such
as LATIN1). They will still misbehave in multi-byte encodings other
than UTF-8>.
Add support for scientific notation in to_char()>
(EEEE>
specification)
(Pavel Stehule, Brendan Jurd)
Make to_char()> honor FM>
(fill mode) in Y>, YY>, and
YYY> specifications (Bruce Momjian, Tom Lane)
It was already honored by YYYY>.
Fix to_char()> to output localized numeric and monetary
strings in the correct encoding on Windows>
(Hiroshi Inoue, Itagaki Takahiro, Bruce Momjian)
Correct calculations of overlaps
and contains operations for polygons (Teodor Sigaev)
The polygon &&> (overlaps) operator formerly just
checked to see if the two polygons' bounding boxes overlapped. It now
does a more correct check. The polygon @>> and
<@> (contains/contained by) operators formerly checked
to see if one polygon's vertexes were all contained in the other;
this can wrongly report true> for some non-convex polygons.
Now they check that all line segments of one polygon are contained in
the other.
Aggregates
Allow aggregate functions to use ORDER BY> (Andrew Gierth)
For example, this is now supported: array_agg(a ORDER BY
b)>. This is useful with aggregates for which the order of input
values is significant, and eliminates the need to use a nonstandard
subquery to determine the ordering.
Multi-argument aggregate functions can now use DISTINCT>
(Andrew Gierth)
Add the string_agg()>
aggregate function to combine values into a single
string (Pavel Stehule)
Aggregate functions that are called with DISTINCT> are
now passed NULL values if the aggregate transition function is
not marked as STRICT> (Andrew Gierth)
For example, agg(DISTINCT x)> might pass a NULL x>
value to agg()>. This is more consistent with the behavior
in non-DISTINCT> cases.
Bit Strings
Add get_bit()>
and set_bit()> functions for bit>
strings, mirroring those for bytea> (Leonardo
F)
Implement OVERLAY()>
(replace) for bit> strings and bytea>
(Leonardo F)
Object Information Functions
Add pg_table_size()>
and pg_indexes_size()> to provide a more
user-friendly interface to the pg_relation_size()>
function (Bernd Helmle)
Add has_sequence_privilege()>
for sequence permission checking (Abhijit Menon-Sen)
Update the information_schema
views to conform to SQL:2008
(Peter Eisentraut)
Make the information_schema> views correctly display maximum
octet lengths for char> and varchar> columns (Peter
Eisentraut)
Speed up information_schema> privilege views
(Joachim Wieland)
Function and Trigger Creation
Support execution of anonymous code blocks using the DO> statement
(Petr Jelinek, Joshua Tolley, Hannu Valtonen)
This allows execution of server-side code without the need to create
and delete a temporary function definition. Code can be executed in
any language for which the user has permissions to define a function.
Implement SQL-standard-compliant per-column triggers
(Itagaki Takahiro)
Such triggers are fired only when the specified column(s) are affected
by the query, e.g. appear in an UPDATE>'s SET>
list.
Add the WHEN> clause to CREATE TRIGGER>
to allow control over whether a trigger is fired (Itagaki
Takahiro)
While the same type of check can always be performed inside the
trigger, doing it in an external WHEN> clause can have
performance benefits.
Server-Side Languages
Add the OR REPLACE> clause to CREATE LANGUAGE>
(Tom Lane)
This is helpful to optionally install a language if it does not
already exist, and is particularly helpful now that PL/pgSQL is
installed by default.
PL/pgSQL Server-Side
Language
Install PL/pgSQL by default (Bruce Momjian)
The language can still be removed from a particular database if the
administrator has security or performance concerns about making it
available.
Improve handling of cases where PL/pgSQL variable names conflict with
identifiers used in queries within a function
(Tom Lane)
The default behavior is now to throw an error when there is a conflict,
so as to avoid surprising behaviors. This can be modified, via the
configuration parameter plpgsql.variable_conflict>
or the per-function option #variable_conflict>, to allow
either the variable or the query-supplied column to be used. In any
case PL/pgSQL will no longer attempt to substitute variables in places
where they would not be syntactically valid.
Make PL/pgSQL use the main lexer, rather than its own version
(Tom Lane)
This ensures accurate tracking of the main system's behavior for details
such as string escaping. Some user-visible details, such as the set
of keywords considered reserved in PL/pgSQL, have changed in
consequence.
Avoid throwing an unnecessary error for an invalid record reference
(Tom Lane)
An error is now thrown only if the reference is actually fetched,
rather than whenever the enclosing expression is reached. For
example, many people have tried to do this in triggers:
if TG_OP = 'INSERT' and NEW.col1 = ... then
This will now actually work as expected.
Improve PL/pgSQL's ability to handle row types with dropped columns
(Pavel Stehule)
Allow input parameters to be assigned values within
PL/pgSQL functions (Steve Prentice)
Formerly, input parameters were treated as being declared
CONST>, so the function's code could not change their
values. This restriction has been removed to simplify
porting of functions from other DBMSes that do not impose the
equivalent restriction. An input parameter now acts like a local
variable initialized to the passed-in value.
Improve error location reporting in PL/pgSQL (Tom Lane)
Add count> and ALL> options to MOVE
FORWARD>/BACKWARD> in PL/pgSQL (Pavel Stehule)
Allow PL/pgSQL's WHERE CURRENT OF> to use a cursor
variable (Tom Lane)
Allow PL/pgSQL's OPEN cursor> FOR EXECUTE> to
use parameters (Pavel Stehule, Itagaki Takahiro)
This is accomplished with a new USING> clause.
PL/Perl Server-Side Language
Add new PL/Perl functions: quote_literal()>,
quote_nullable()>, quote_ident()>,
encode_bytea()>, decode_bytea()>,
looks_like_number()>,
encode_array_literal()>,
encode_array_constructor()> (Tim Bunce)
Add server parameter plperl.on_init> to
specify a PL/Perl initialization function (Tim
Bunce)
plperl.on_plperl_init>
and plperl.on_plperlu_init>
are also available for initialization that is specific to the trusted
or untrusted language respectively.
Support END> blocks in PL/Perl (Tim Bunce)
END> blocks do not currently allow database access.
Allow use strict> in PL/Perl (Tim Bunce)
Perl strict> checks can also be globally enabled with the
new server parameter plperl.use_strict>.
Allow require> in PL/Perl (Tim Bunce)
This basically tests to see if the module is loaded, and if not,
generates an error. It will not allow loading of modules that
the administrator has not preloaded via the initialization parameters.
Allow use feature> in PL/Perl if Perl version 5.10 or
later is used (Tim Bunce)
Verify that PL/Perl return values are valid in the server encoding
(Andrew Dunstan)
PL/Python Server-Side Language
Add Unicode support in PL/Python (Peter Eisentraut)
Strings are automatically converted from/to the server encoding as
necessary.
Improve bytea> support in PL/Python (Caleb Welton)
Bytea> values passed into PL/Python are now represented as
binary, rather than the PostgreSQL bytea> text format.
Bytea> values containing null bytes are now also output
properly from PL/Python. Passing of boolean, integer, and float
values was also improved.
Support arrays as parameters and
return values in PL/Python (Peter Eisentraut)
Improve mapping of SQL domains to Python types (Peter Eisentraut)
Add Python> 3 support to PL/Python (Peter Eisentraut)
The new server-side language is called plpython3u>. This
cannot be used in the same session with the
Python> 2 server-side language.
Improve error location and exception reporting in PL/Python (Peter Eisentraut)
Client Applications
Add an psql>
Add support for quoting/escaping the values of psql>
variables as SQL strings or
identifiers (Pavel Stehule, Robert Haas)
For example, :'var'> will produce the value of
var> quoted and properly escaped as a literal string, while
:"var"> will produce its value quoted and escaped as an
identifier.
Ignore a leading UTF-8-encoded Unicode byte-order marker in
script files read by psql> (Itagaki Takahiro)
This is enabled when the client encoding is UTF-8>.
It improves compatibility with certain editors, mostly on Windows,
that insist on inserting such markers.
Fix psql --file -> to properly honor
Avoid overwriting of psql>'s command-line history when
two psql> sessions are run concurrently (Tom Lane)
Improve psql>'s tab completion support (Itagaki
Takahiro)
Show \timing> output when it is enabled, regardless of
quiet> mode (Peter Eisentraut)
psql> Display
Improve display of wrapped columns in psql> (Roger
Leigh)
This behavior is now the default.
The previous formatting is available by using \pset linestyle
old-ascii>.
Allow psql> to use fancy Unicode line-drawing
characters via \pset linestyle unicode> (Roger Leigh)
psql> \d>
Commands
Make \d> show child tables that inherit from the specified
parent (Damien Clochard)
\d> shows only the number of child tables, while
\d+> shows the names of all child tables.
Show definitions of index columns in \d index_name>
(Khee Chin)
The definition is useful for expression indexes.
Show a view's defining query only in
\d+>, not in \d> (Peter Eisentraut)
Always including the query was deemed overly verbose.
pg_dump>
Make pg_dump>/pg_restore>
Fix pg_dump> to properly dump large objects when
standard_conforming_strings> is enabled (Tom Lane)
The previous coding could fail when dumping to an archive file
and then generating script output from pg_restore>.
pg_restore> now emits large-object data in hex format
when generating script output (Tom Lane)
This could cause compatibility problems if the script is then
loaded into a pre-9.0 server. To work around that, restore
directly to the server, instead.
Allow pg_dump> to dump comments attached to columns
of composite types (Taro Minowa (Higepon))
Make pg_dump>
These were already provided in custom output mode.
pg_restore> now complains if any command-line arguments
remain after the switches and optional file name (Tom Lane)
Previously, it silently ignored any such arguments.
pg_ctl>
Allow pg_ctl> to be used safely to start the
postmaster> during a system reboot (Tom Lane)
Previously, pg_ctl>'s parent process could have been
mistakenly identified as a running postmaster> based on
a stale postmaster> lock file, resulting in a transient
failure to start the database.
Give pg_ctl> the ability to initialize the database
(by invoking initdb>) (Zdenek Kotala)
Development Tools>libpq>
Add new libpq> functions
PQconnectdbParams()>
and PQconnectStartParams()> (Guillaume
Lelarge)
These functions are similar to PQconnectdb()> and
PQconnectStart()> except that they accept a null-terminated
array of connection options, rather than requiring all options to
be provided in a single string.
Add libpq> functions PQescapeLiteral()>
and PQescapeIdentifier()> (Robert Haas)
These functions return appropriately quoted and escaped SQL string
literals and identifiers. The caller is not required to pre-allocate
the string result, as is required by PQescapeStringConn()>.
Add support for a per-user service file (.pg_service.conf>),
which is checked before the site-wide service file
(Peter Eisentraut)
Properly report an error if the specified libpq> service
cannot be found (Peter Eisentraut)
Add TCP keepalive settings
in libpq (Tollef Fog Heen, Fujii Masao, Robert Haas)
Keepalive settings were already supported on the server end of
TCP connections.
Avoid extra system calls to block and unblock SIGPIPE>
in libpq>, on platforms that offer alternative methods
(Jeremy Kerr)
When a .pgpass>-supplied
password fails, mention where the password came from in the error
message (Bruce Momjian)
Load all SSL certificates given in the client certificate file
(Tom Lane)
This improves support for indirectly-signed SSL certificates.
ecpg>
Add SQLDA>
(SQL Descriptor Area) support to ecpg>
(Boszormenyi Zoltan)
Add the DESCRIBE>
[ OUTPUT> ] statement to ecpg>
(Boszormenyi Zoltan)
Add an ECPGtransactionStatus
function to return the current transaction status (Bernd Helmle)
Add the string> data type in ecpg>
Informix-compatibility mode (Boszormenyi Zoltan)
Allow ecpg> to use new> and old>
variable names without restriction (Michael Meskes)
Allow ecpg> to use variable names in
free()> (Michael Meskes)
Make ecpg_dynamic_type()> return zero for non-SQL3 data
types (Michael Meskes)
Previously it returned the negative of the data type OID.
This could be confused with valid type OIDs, however.
Support long long> types on platforms that already have 64-bit
long> (Michael Meskes)
ecpg> Cursors
Add out-of-scope cursor support in ecpg>'s native mode
(Boszormenyi Zoltan)
This allows DECLARE> to use variables that are not in
scope when OPEN> is called. This facility already existed
in ecpg>'s Informix-compatibility mode.
Allow dynamic cursor names in ecpg> (Boszormenyi Zoltan)
Allow ecpg> to use noise words FROM> and
IN> in FETCH> and MOVE> (Boszormenyi
Zoltan)
Build Options
Enable client thread safety by default (Bruce Momjian)
The thread-safety option can be disabled with configure>
Add support for controlling the Linux out-of-memory killer
(Alex Hunsaker, Tom Lane)
Now that /proc/self/oom_adj> allows disabling
of the Linux> out-of-memory (OOM>)
killer, it's recommendable to disable OOM kills for the postmaster.
It may then be desirable to re-enable OOM kills for the postmaster's
child processes. The new compile-time option LINUX_OOM_ADJ>
allows the killer to be reactivated for child processes.
Makefiles
New Makefile> targets world>,
install-world>, and installcheck-world>
(Andrew Dunstan)
These are similar to the existing all>, install>,
and installcheck> targets, but they also build the
HTML> documentation, build and test contrib>,
and test server-side languages and ecpg>.
Add data and documentation installation location control to
PGXS> Makefiles (Mark Cave-Ayland)
Add Makefile rules to build the PostgreSQL> documentation
as a single HTML> file or as a single plain-text file
(Peter Eisentraut, Bruce Momjian)
Windows
Support compiling on 64-bit
Windows> and running in 64-bit
mode (Tsutomu Yamada, Magnus Hagander)
This allows for large shared memory sizes on Windows>.
Support server builds using Visual Studio
2008> (Magnus Hagander)
Source Code
Distribute prebuilt documentation in a subdirectory tree, rather than
as tar archive files inside the distribution tarball
(Peter Eisentraut)
For example, the prebuilt HTML> documentation is now in
doc/src/sgml/html/>; the manual pages are packaged
similarly.
Make the server's lexer reentrant (Tom Lane)
This was needed for use of the lexer by PL/pgSQL.
Improve speed of memory allocation (Tom Lane, Greg Stark)
User-defined constraint triggers now have entries in
pg_constraint> as well as pg_trigger>
(Tom Lane)
Because of this change,
pg_constraint>.pgconstrname> is now
redundant and has been removed.
Add system catalog columns
pg_constraint>.conindid> and
pg_trigger>.tgconstrindid>
to better document the use of indexes for constraint
enforcement (Tom Lane)
Allow multiple conditions to be communicated to backends using a single
operating system signal (Fujii Masao)
This allows new features to be added without a platform-specific
constraint on the number of signal conditions.
Improve source code test coverage, including contrib>, PL/Python,
and PL/Perl (Peter Eisentraut, Andrew Dunstan)
Remove the use of flat files for system table bootstrapping
(Tom Lane, Alvaro Herrera)
This improves performance when using many roles or
databases, and eliminates some possible failure conditions.
Automatically generate the initial contents of
pg_attribute> for bootstrapped> catalogs
(John Naylor)
This greatly simplifies changes to these catalogs.
Split the processing of
INSERT>/UPDATE>/DELETE> operations out
of execMain.c> (Marko Tiikkaja)
Updates are now executed in a separate ModifyTable node. This change is
necessary infrastructure for future improvements.
Simplify translation of psql>'s SQL help text
(Peter Eisentraut)
Reduce the lengths of some file names so that all file paths in the
distribution tarball are less than 100 characters (Tom Lane)
Some decompression programs have problems with longer file paths.
Add a new ERRCODE_INVALID_PASSWORD>
SQLSTATE> error code (Bruce Momjian)
With authors' permissions, remove the few remaining personal source code
copyright notices (Bruce Momjian)
The personal copyright notices were insignificant but the community
occasionally had to answer questions about them.
Add new documentation section
about running PostgreSQL> in non-durable mode
to improve performance (Bruce Momjian)
Restructure the HTML> documentation
Makefile> rules to make their dependency checks work
correctly, avoiding unnecessary rebuilds (Peter Eisentraut)
Use DocBook> XSL> stylesheets for man page
building, rather than Docbook2X> (Peter Eisentraut)
This changes the set of tools needed to build the man pages.
Improve PL/Perl code structure (Tim Bunce)
Improve error context reports in PL/Perl (Alexey Klyukin)
New Build Requirements
Note that these requirements do not apply when building from a
distribution tarball, since tarballs include the files that these
programs are used to build.
Require Autoconf> 2.63 to build
configure> (Peter Eisentraut)
Require Flex> 2.5.31 or later to build
from a CVS> checkout (Tom Lane)
Require Perl> version 5.8 or later to build
from a CVS> checkout (John Naylor, Andrew Dunstan)
Portability
Use a more modern API> for Bonjour> (Tom Lane)
Bonjour support now requires macOS> 10.3 or later.
The older API has been deprecated by Apple.
Add spinlock support for the SuperH>
architecture (Nobuhiro Iwamatsu)
Allow non-GCC> compilers to use inline functions if
they support them (Kurt Harriman)
Remove support for platforms that don't have a working 64-bit
integer data type (Tom Lane)
Restructure use of LDFLAGS> to be more consistent
across platforms (Tom Lane)
LDFLAGS> is now used for linking both executables and shared
libraries, and we add on LDFLAGS_EX> when linking
executables, or LDFLAGS_SL> when linking shared libraries.
Server Programming
Make backend header files safe to include in C++>
(Kurt Harriman, Peter Eisentraut)
These changes remove keyword conflicts that previously made
C++> usage difficult in backend code. However, there
are still other complexities when using C++> for backend
functions. extern "C" { }> is still necessary in
appropriate places, and memory management and error handling are
still problematic.
Add AggCheckCallContext()>
for use in detecting if a C> function is
being called as an aggregate (Hitoshi Harada)
Change calling convention for SearchSysCache()> and related
functions to avoid hard-wiring the maximum number of cache keys
(Robert Haas)
Existing calls will still work for the moment, but can be expected to
break in 9.1 or later if not converted to the new style.
Require calls of fastgetattr()> and
heap_getattr()> backend macros to provide a non-NULL fourth
argument (Robert Haas)
Custom typanalyze functions should no longer rely on
VacAttrStats>.attr> to determine the type
of data they will be passed (Tom Lane)
This was changed to allow collection of statistics on index columns
for which the storage type is different from the underlying column
data type. There are new fields that tell the actual datatype being
analyzed.
Server Hooks
Add parser hooks for processing ColumnRef and ParamRef nodes
(Tom Lane)
Add a ProcessUtility hook so loadable modules can control utility
commands (Itagaki Takahiro)
Binary Upgrade Support
Add contrib/pg_upgrade>
to support in-place upgrades (Bruce Momjian)
This avoids the requirement of dumping/reloading the database when
upgrading to a new major release of PostgreSQL, thus reducing downtime
by orders of magnitude. It supports upgrades to 9.0
from PostgreSQL 8.3 and 8.4.
Add support for preserving relation relfilenode> values
during binary upgrades (Bruce Momjian)
Add support for preserving pg_type>
and pg_enum> OIDs during binary upgrades
(Bruce Momjian)
Move data files within tablespaces into
PostgreSQL>-version-specific subdirectories
(Bruce Momjian)
This simplifies binary upgrades.
Contrib
Add multithreading option (
This allows multiple CPU>s to be used by pgbench,
reducing the risk of pgbench itself becoming the test bottleneck.
Add \shell> and \setshell> meta
commands to contrib/pgbench>
(Michael Paquier)
New features for contrib/dict_xsyn>
(Sergey Karpov)
The new options are matchorig>, matchsynonyms>,
and keepsynonyms>.
Add full text dictionary contrib/unaccent>
(Teodor Sigaev)
This filtering dictionary removes accents from letters, which
makes full-text searches over multiple languages much easier.
Add dblink_get_notify()>
to contrib/dblink> (Marcus Kempe)
This allows asynchronous notifications in dblink>.
Improve contrib/dblink>'s handling of dropped columns
(Tom Lane)
This affects dblink_build_sql_insert()>
and related functions. These functions now number columns according
to logical not physical column numbers.
Greatly increase contrib/hstore>'s data
length limit, and add B-tree and hash support so GROUP
BY> and DISTINCT> operations are possible on
hstore> columns (Andrew Gierth)
New functions and operators were also added. These improvements
make hstore> a full-function key-value store embedded in
PostgreSQL>.
Add contrib/passwordcheck>
to support site-specific password strength policies (Laurenz
Albe)
The source code of this module should be modified to implement
site-specific password policies.
Add contrib/pg_archivecleanup>
tool (Simon Riggs)
This is designed to be used in the
archive_cleanup_command
server parameter, to remove no-longer-needed archive files.
Add query text to contrib/auto_explain>
output (Andrew Dunstan)
Add buffer access counters to contrib/pg_stat_statements>
(Itagaki Takahiro)
Update contrib/start-scripts/linux>
to use /proc/self/oom_adj> to disable the
Linux>
out-of-memory (OOM>) killer (Alex
Hunsaker, Tom Lane)