2016-08-11 This release contains a variety of fixes from 9.3.13. For information about new features in the 9.3 major release, see . A dump/restore is not required for those running 9.3.X. However, if you are upgrading from a version earlier than 9.3.9, see . Fix possible mis-evaluation of nested CASE-WHEN expressions (Heikki Linnakangas, Michael Paquier, Tom Lane) A CASE expression appearing within the test value subexpression of another CASE could become confused about whether its own test value was null or not. Also, inlining of a SQL function implementing the equality operator used by a CASE expression could result in passing the wrong test value to functions called within a CASE expression in the SQL function's body. If the test values were of different data types, a crash might result; moreover such situations could be abused to allow disclosure of portions of server memory. (CVE-2016-5423) Fix client programs' handling of special characters in database and role names (Noah Misch, Nathan Bossart, Michael Paquier) Numerous places in vacuumdb and other client programs could become confused by database and role names containing double quotes or backslashes. Tighten up quoting rules to make that safe. Also, ensure that when a conninfo string is used as a database name parameter to these programs, it is correctly treated as such throughout. Fix handling of paired double quotes in psql's \connect and \password commands to match the documentation. Introduce a new -reuse-previous option in psql's \connect command to allow explicit control of whether to re-use connection parameters from a previous connection. (Without this, the choice is based on whether the database name looks like a conninfo string, as before.) This allows secure handling of database names containing special characters in pg_dumpall scripts. pg_dumpall now refuses to deal with database and role names containing carriage returns or newlines, as it seems impractical to quote those characters safely on Windows. In future we may reject such names on the server side, but that step has not been taken yet. These are considered security fixes because crafted object names containing special characters could have been used to execute commands with superuser privileges the next time a superuser executes pg_dumpall or other routine maintenance operations. (CVE-2016-5424) Fix corner-case misbehaviors for IS NULL/IS NOT NULL applied to nested composite values (Andrew Gierth, Tom Lane) The SQL standard specifies that IS NULL should return TRUE for a row of all null values (thus ROW(NULL,NULL) IS NULL yields TRUE), but this is not meant to apply recursively (thus ROW(NULL, ROW(NULL,NULL)) IS NULL yields FALSE). The core executor got this right, but certain planner optimizations treated the test as recursive (thus producing TRUE in both cases), and contrib/postgres_fdw could produce remote queries that misbehaved similarly. Make the inet and cidr data types properly reject IPv6 addresses with too many colon-separated fields (Tom Lane) Prevent crash in close_ps() (the point ## lseg operator) for NaN input coordinates (Tom Lane) Make it return NULL instead of crashing. Avoid possible crash in pg_get_expr() when inconsistent values are passed to it (Michael Paquier, Thomas Munro) Fix several one-byte buffer over-reads in to_number() (Peter Eisentraut) In several cases the to_number() function would read one more character than it should from the input string. There is a small chance of a crash, if the input happens to be adjacent to the end of memory. Do not run the planner on the query contained in CREATE MATERIALIZED VIEW or CREATE TABLE AS when WITH NO DATA is specified (Michael Paquier, Tom Lane) This avoids some unnecessary failure conditions, for example if a stable function invoked by the materialized view depends on a table that doesn't exist yet. Avoid unsafe intermediate state during expensive paths through heap_update() (Masahiko Sawada, Andres Freund) Previously, these cases locked the target tuple (by setting its XMAX) but did not WAL-log that action, thus risking data integrity problems if the page were spilled to disk and then a database crash occurred before the tuple update could be completed. Fix hint bit update during WAL replay of row locking operations (Andres Freund) The only known consequence of this problem is that row locks held by a prepared, but uncommitted, transaction might fail to be enforced after a crash and restart. Avoid unnecessary could not serialize access errors when acquiring FOR KEY SHARE row locks in serializable mode (Álvaro Herrera) Avoid crash in postgres -C when the specified variable has a null string value (Michael Paquier) Ensure that backends see up-to-date statistics for shared catalogs (Tom Lane) The statistics collector failed to update the statistics file for shared catalogs after a request from a regular backend. This problem was partially masked because the autovacuum launcher regularly makes requests that did cause such updates; however, it became obvious with autovacuum disabled. Avoid redundant writes of the statistics files when multiple backends request updates close together (Tom Lane, Tomas Vondra) Avoid consuming a transaction ID during VACUUM (Alexander Korotkov) Some cases in VACUUM unnecessarily caused an XID to be assigned to the current transaction. Normally this is negligible, but if one is up against the XID wraparound limit, consuming more XIDs during anti-wraparound vacuums is a very bad thing. Avoid canceling hot-standby queries during VACUUM FREEZE (Simon Riggs, Álvaro Herrera) VACUUM FREEZE on an otherwise-idle master server could result in unnecessary cancellations of queries on its standby servers. Prevent possible failure when vacuuming multixact IDs in an installation that has been pg_upgrade'd from pre-9.3 (Andrew Gierth, Álvaro Herrera) The usual symptom of this bug is errors like MultiXactId NNN has not been created yet -- apparent wraparound. When a manual ANALYZE specifies a column list, don't reset the table's changes_since_analyze counter (Tom Lane) If we're only analyzing some columns, we should not prevent routine auto-analyze from happening for the other columns. Fix ANALYZE's overestimation of n_distinct for a unique or nearly-unique column with many null entries (Tom Lane) The nulls could get counted as though they were themselves distinct values, leading to serious planner misestimates in some types of queries. Prevent autovacuum from starting multiple workers for the same shared catalog (Álvaro Herrera) Normally this isn't much of a problem because the vacuum doesn't take long anyway; but in the case of a severely bloated catalog, it could result in all but one worker uselessly waiting instead of doing useful work on other tables. Prevent infinite loop in GiST index build for geometric columns containing NaN component values (Tom Lane) Fix contrib/btree_gin to handle the smallest possible bigint value correctly (Peter Eisentraut) Teach libpq to correctly decode server version from future servers (Peter Eisentraut) It's planned to switch to two-part instead of three-part server version numbers for releases after 9.6. Make sure that PQserverVersion() returns the correct value for such cases. Fix ecpg's code for unsigned long long array elements (Michael Meskes) In pg_dump with both -c and -C options, avoid emitting an unwanted CREATE SCHEMA public command (David Johnston, Tom Lane) Improve handling of SIGTERM/control-C in parallel pg_dump and pg_restore (Tom Lane) Make sure that the worker processes will exit promptly, and also arrange to send query-cancel requests to the connected backends, in case they are doing something long-running such as a CREATE INDEX. Fix error reporting in parallel pg_dump and pg_restore (Tom Lane) Previously, errors reported by pg_dump or pg_restore worker processes might never make it to the user's console, because the messages went through the master process, and there were various deadlock scenarios that would prevent the master process from passing on the messages. Instead, just print everything to stderr. In some cases this will result in duplicate messages (for instance, if all the workers report a server shutdown), but that seems better than no message. Ensure that parallel pg_dump or pg_restore on Windows will shut down properly after an error (Kyotaro Horiguchi) Previously, it would report the error, but then just sit until manually stopped by the user. Make pg_dump behave better when built without zlib support (Kyotaro Horiguchi) It didn't work right for parallel dumps, and emitted some rather pointless warnings in other cases. Make pg_basebackup accept -Z 0 as specifying no compression (Fujii Masao) Fix makefiles' rule for building AIX shared libraries to be safe for parallel make (Noah Misch) Fix TAP tests and MSVC scripts to work when build directory's path name contains spaces (Michael Paquier, Kyotaro Horiguchi) Be more predictable about reporting statement timeout versus lock timeout (Tom Lane) On heavily loaded machines, the regression tests sometimes failed due to reporting lock timeout even though the statement timeout should have occurred first. Make regression tests safe for Danish and Welsh locales (Jeff Janes, Tom Lane) Change some test data that triggered the unusual sorting rules of these locales. Update our copy of the timezone code to match IANA's tzcode release 2016c (Tom Lane) This is needed to cope with anticipated future changes in the time zone data files. It also fixes some corner-case bugs in coping with unusual time zones. Update time zone data files to tzdata release 2016f for DST law changes in Kemerovo and Novosibirsk, plus historical corrections for Azerbaijan, Belarus, and Morocco. 2016-05-12 This release contains a variety of fixes from 9.3.12. For information about new features in the 9.3 major release, see . A dump/restore is not required for those running 9.3.X. However, if you are upgrading from a version earlier than 9.3.9, see . Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards (Peter Geoghegan, Dave Vitek, Peter Eisentraut) This change prevents problems when there are multiple connections using OpenSSL within a single process and not all the code involved follows the same rules for when to clear the error queue. Failures have been reported specifically when a client application uses SSL connections in libpq concurrently with SSL connections using the PHP, Python, or Ruby wrappers for OpenSSL. It's possible for similar problems to arise within the server as well, if an extension module establishes an outgoing SSL connection. Fix failed to build any N-way joins planner error with a full join enclosed in the right-hand side of a left join (Tom Lane) Fix incorrect handling of equivalence-class tests in multilevel nestloop plans (Tom Lane) Given a three-or-more-way equivalence class of variables, such as X.X = Y.Y = Z.Z, it was possible for the planner to omit some of the tests needed to enforce that all the variables are actually equal, leading to join rows being output that didn't satisfy the WHERE clauses. For various reasons, erroneous plans were seldom selected in practice, so that this bug has gone undetected for a long time. Fix possible misbehavior of TH, th, and Y,YYY format codes in to_timestamp() (Tom Lane) These could advance off the end of the input string, causing subsequent format codes to read garbage. Fix dumping of rules and views in which the array argument of a value operator ANY (array) construct is a sub-SELECT (Tom Lane) Make pg_regress use a startup timeout from the PGCTLTIMEOUT environment variable, if that's set (Tom Lane) This is for consistency with a behavior recently added to pg_ctl; it eases automated testing on slow machines. Fix pg_upgrade to correctly restore extension membership for operator families containing only one operator class (Tom Lane) In such a case, the operator family was restored into the new database, but it was no longer marked as part of the extension. This had no immediate ill effects, but would cause later pg_dump runs to emit output that would cause (harmless) errors on restore. Fix pg_upgrade to not fail when new-cluster TOAST rules differ from old (Tom Lane) pg_upgrade had special-case code to handle the situation where the new PostgreSQL version thinks that a table should have a TOAST table while the old version did not. That code was broken, so remove it, and instead do nothing in such cases; there seems no reason to believe that we can't get along fine without a TOAST table if that was okay according to the old version's rules. Back-port 9.4-era memory-barrier code changes into 9.2 and 9.3 (Tom Lane) These changes were not originally needed in pre-9.4 branches, but we recently back-patched a fix that expected the barrier code to work properly. Only IA64 (when using icc), HPPA, and Alpha platforms are affected. Reduce the number of SysV semaphores used by a build configured with --disable-spinlocks (Tom Lane) Rename internal function strtoi() to strtoint() to avoid conflict with a NetBSD library function (Thomas Munro) Fix reporting of errors from bind() and listen() system calls on Windows (Tom Lane) Reduce verbosity of compiler output when building with Microsoft Visual Studio (Christian Ullrich) Fix putenv() to work properly with Visual Studio 2013 (Michael Paquier) Avoid possibly-unsafe use of Windows' FormatMessage() function (Christian Ullrich) Use the FORMAT_MESSAGE_IGNORE_INSERTS flag where appropriate. No live bug is known to exist here, but it seems like a good idea to be careful. Update time zone data files to tzdata release 2016d for DST law changes in Russia and Venezuela. There are new zone names Europe/Kirov and Asia/Tomsk to reflect the fact that these regions now have different time zone histories from adjacent regions. 2016-03-31 This release contains a variety of fixes from 9.3.11. For information about new features in the 9.3 major release, see . A dump/restore is not required for those running 9.3.X. However, if you are upgrading from a version earlier than 9.3.9, see . Fix incorrect handling of NULL index entries in indexed ROW() comparisons (Tom Lane) An index search using a row comparison such as ROW(a, b) > ROW('x', 'y') would stop upon reaching a NULL entry in the b column, ignoring the fact that there might be non-NULL b values associated with later values of a. Avoid unlikely data-loss scenarios due to renaming files without adequate fsync() calls before and after (Michael Paquier, Tomas Vondra, Andres Freund) Correctly handle cases where pg_subtrans is close to XID wraparound during server startup (Jeff Janes) Fix corner-case crash due to trying to free localeconv() output strings more than once (Tom Lane) Fix parsing of affix files for ispell dictionaries (Tom Lane) The code could go wrong if the affix file contained any characters whose byte length changes during case-folding, for example I in Turkish UTF8 locales. Avoid use of sscanf() to parse ispell dictionary files (Artur Zakirov) This dodges a portability problem on FreeBSD-derived platforms (including macOS). Avoid a crash on old Windows versions (before 7SP1/2008R2SP1) with an AVX2-capable CPU and a Postgres build done with Visual Studio 2013 (Christian Ullrich) This is a workaround for a bug in Visual Studio 2013's runtime library, which Microsoft have stated they will not fix in that version. Fix psql's tab completion logic to handle multibyte characters properly (Kyotaro Horiguchi, Robert Haas) Fix psql's tab completion for SECURITY LABEL (Tom Lane) Pressing TAB after SECURITY LABEL might cause a crash or offering of inappropriate keywords. Make pg_ctl accept a wait timeout from the PGCTLTIMEOUT environment variable, if none is specified on the command line (Noah Misch) This eases testing of slower buildfarm members by allowing them to globally specify a longer-than-normal timeout for postmaster startup and shutdown. Fix incorrect test for Windows service status in pg_ctl (Manuel Mathar) The previous set of minor releases attempted to fix pg_ctl to properly determine whether to send log messages to Window's Event Log, but got the test backwards. Fix pgbench to correctly handle the combination of -C and -M prepared options (Tom Lane) In pg_upgrade, skip creating a deletion script when the new data directory is inside the old data directory (Bruce Momjian) Blind application of the script in such cases would result in loss of the new data directory. In PL/Perl, properly translate empty Postgres arrays into empty Perl arrays (Alex Hunsaker) Make PL/Python cope with function names that aren't valid Python identifiers (Jim Nasby) Fix multiple mistakes in the statistics returned by contrib/pgstattuple's pgstatindex() function (Tom Lane) Remove dependency on psed in MSVC builds, since it's no longer provided by core Perl (Michael Paquier, Andrew Dunstan) Update time zone data files to tzdata release 2016c for DST law changes in Azerbaijan, Chile, Haiti, Palestine, and Russia (Altai, Astrakhan, Kirov, Sakhalin, Ulyanovsk regions), plus historical corrections for Lithuania, Moldova, and Russia (Kaliningrad, Samara, Volgograd). 2016-02-11 This release contains a variety of fixes from 9.3.10. For information about new features in the 9.3 major release, see . A dump/restore is not required for those running 9.3.X. However, if you are upgrading from a version earlier than 9.3.9, see . Fix infinite loops and buffer-overrun problems in regular expressions (Tom Lane) Very large character ranges in bracket expressions could cause infinite loops in some cases, and memory overwrites in other cases. (CVE-2016-0773) Perform an immediate shutdown if the postmaster.pid file is removed (Tom Lane) The postmaster now checks every minute or so that postmaster.pid is still there and still contains its own PID. If not, it performs an immediate shutdown, as though it had received SIGQUIT. The main motivation for this change is to ensure that failed buildfarm runs will get cleaned up without manual intervention; but it also serves to limit the bad effects if a DBA forcibly removes postmaster.pid and then starts a new postmaster. In SERIALIZABLE transaction isolation mode, serialization anomalies could be missed due to race conditions during insertions (Kevin Grittner, Thomas Munro) Fix failure to emit appropriate WAL records when doing ALTER TABLE ... SET TABLESPACE for unlogged relations (Michael Paquier, Andres Freund) Even though the relation's data is unlogged, the move must be logged or the relation will be inaccessible after a standby is promoted to master. Fix possible misinitialization of unlogged relations at the end of crash recovery (Andres Freund, Michael Paquier) Ensure walsender slots are fully re-initialized when being re-used (Magnus Hagander) Fix ALTER COLUMN TYPE to reconstruct inherited check constraints properly (Tom Lane) Fix REASSIGN OWNED to change ownership of composite types properly (Álvaro Herrera) Fix REASSIGN OWNED and ALTER OWNER to correctly update granted-permissions lists when changing owners of data types, foreign data wrappers, or foreign servers (Bruce Momjian, Álvaro Herrera) Fix REASSIGN OWNED to ignore foreign user mappings, rather than fail (Álvaro Herrera) Fix possible crash after doing query rewrite for an updatable view (Stephen Frost) Fix planner's handling of LATERAL references (Tom Lane) This fixes some corner cases that led to failed to build any N-way joins or could not devise a query plan planner failures. Add more defenses against bad planner cost estimates for GIN index scans when the index's internal statistics are very out-of-date (Tom Lane) Make planner cope with hypothetical GIN indexes suggested by an index advisor plug-in (Julien Rouhaud) Speed up generation of unique table aliases in EXPLAIN and rule dumping, and ensure that generated aliases do not exceed NAMEDATALEN (Tom Lane) Fix dumping of whole-row Vars in ROW() and VALUES() lists (Tom Lane) Fix possible internal overflow in numeric division (Dean Rasheed) Fix enforcement of restrictions inside parentheses within regular expression lookahead constraints (Tom Lane) Lookahead constraints aren't allowed to contain backrefs, and parentheses within them are always considered non-capturing, according to the manual. However, the code failed to handle these cases properly inside a parenthesized subexpression, and would give unexpected results. Conversion of regular expressions to indexscan bounds could produce incorrect bounds from regexps containing lookahead constraints (Tom Lane) Fix regular-expression compiler to handle loops of constraint arcs (Tom Lane) The code added for CVE-2007-4772 was both incomplete, in that it didn't handle loops involving more than one state, and incorrect, in that it could cause assertion failures (though there seem to be no bad consequences of that in a non-assert build). Multi-state loops would cause the compiler to run until the query was canceled or it reached the too-many-states error condition. Improve memory-usage accounting in regular-expression compiler (Tom Lane) This causes the code to emit regular expression is too complex errors in some cases that previously used unreasonable amounts of time and memory. Improve performance of regular-expression compiler (Tom Lane) Make %h and %r escapes in log_line_prefix work for messages emitted due to log_connections (Tom Lane) Previously, %h/%r started to work just after a new session had emitted the connection received log message; now they work for that message too. On Windows, ensure the shared-memory mapping handle gets closed in child processes that don't need it (Tom Lane, Amit Kapila) This oversight resulted in failure to recover from crashes whenever logging_collector is turned on. Fix possible failure to detect socket EOF in non-blocking mode on Windows (Tom Lane) It's not entirely clear whether this problem can happen in pre-9.5 branches, but if it did, the symptom would be that a walsender process would wait indefinitely rather than noticing a loss of connection. Avoid leaking a token handle during SSPI authentication (Christian Ullrich) In psql, ensure that libreadline's idea of the screen size is updated when the terminal window size changes (Merlin Moncure) Previously, libreadline did not notice if the window was resized during query output, leading to strange behavior during later input of multiline queries. Fix psql's \det command to interpret its pattern argument the same way as other \d commands with potentially schema-qualified patterns do (Reece Hart) Avoid possible crash in psql's \c command when previous connection was via Unix socket and command specifies a new hostname and same username (Tom Lane) In pg_ctl start -w, test child process status directly rather than relying on heuristics (Tom Lane, Michael Paquier) Previously, pg_ctl relied on an assumption that the new postmaster would always create postmaster.pid within five seconds. But that can fail on heavily-loaded systems, causing pg_ctl to report incorrectly that the postmaster failed to start. Except on Windows, this change also means that a pg_ctl start -w done immediately after another such command will now reliably fail, whereas previously it would report success if done within two seconds of the first command. In pg_ctl start -w, don't attempt to use a wildcard listen address to connect to the postmaster (Kondo Yuta) On Windows, pg_ctl would fail to detect postmaster startup if listen_addresses is set to 0.0.0.0 or ::, because it would try to use that value verbatim as the address to connect to, which doesn't work. Instead assume that 127.0.0.1 or ::1, respectively, is the right thing to use. In pg_ctl on Windows, check service status to decide where to send output, rather than checking if standard output is a terminal (Michael Paquier) In pg_dump and pg_basebackup, adopt the GNU convention for handling tar-archive members exceeding 8GB (Tom Lane) The POSIX standard for tar file format does not allow archive member files to exceed 8GB, but most modern implementations of tar support an extension that fixes that. Adopt this extension so that pg_dump with -Ft no longer fails on tables with more than 8GB of data, and so that pg_basebackup can handle files larger than 8GB. In addition, fix some portability issues that could cause failures for members between 4GB and 8GB on some platforms. Potentially these problems could cause unrecoverable data loss due to unreadable backup files. Fix assorted corner-case bugs in pg_dump's processing of extension member objects (Tom Lane) Make pg_dump mark a view's triggers as needing to be processed after its rule, to prevent possible failure during parallel pg_restore (Tom Lane) Ensure that relation option values are properly quoted in pg_dump (Kouhei Sutou, Tom Lane) A reloption value that isn't a simple identifier or number could lead to dump/reload failures due to syntax errors in CREATE statements issued by pg_dump. This is not an issue with any reloption currently supported by core PostgreSQL, but extensions could allow reloptions that cause the problem. Avoid repeated password prompts during parallel pg_dump (Zeus Kronion) Fix pg_upgrade's file-copying code to handle errors properly on Windows (Bruce Momjian) Install guards in pgbench against corner-case overflow conditions during evaluation of script-specified division or modulo operators (Fabien Coelho, Michael Paquier) Fix failure to localize messages emitted by pg_receivexlog and pg_recvlogical (Ioseph Kim) Avoid dump/reload problems when using both plpython2 and plpython3 (Tom Lane) In principle, both versions of PL/Python can be used in the same database, though not in the same session (because the two versions of libpython cannot safely be used concurrently). However, pg_restore and pg_upgrade both do things that can fall foul of the same-session restriction. Work around that by changing the timing of the check. Fix PL/Python regression tests to pass with Python 3.5 (Peter Eisentraut) Fix premature clearing of libpq's input buffer when socket EOF is seen (Tom Lane) This mistake caused libpq to sometimes not report the backend's final error message before reporting server closed the connection unexpectedly. Prevent certain PL/Java parameters from being set by non-superusers (Noah Misch) This change mitigates a PL/Java security bug (CVE-2016-0766), which was fixed in PL/Java by marking these parameters as superuser-only. To fix the security hazard for sites that update PostgreSQL more frequently than PL/Java, make the core code aware of them also. Improve libpq's handling of out-of-memory situations (Michael Paquier, Amit Kapila, Heikki Linnakangas) Fix order of arguments in ecpg-generated typedef statements (Michael Meskes) Use %g not %f format in ecpg's PGTYPESnumeric_from_double() (Tom Lane) Fix ecpg-supplied header files to not contain comments continued from a preprocessor directive line onto the next line (Michael Meskes) Such a comment is rejected by ecpg. It's not yet clear whether ecpg itself should be changed. Fix hstore_to_json_loose()'s test for whether an hstore value can be converted to a JSON number (Tom Lane) Previously this function could be fooled by non-alphanumeric trailing characters, leading to emitting syntactically-invalid JSON. Ensure that contrib/pgcrypto's crypt() function can be interrupted by query cancel (Andreas Karlsson) Accept flex versions later than 2.5.x (Tom Lane, Michael Paquier) Now that flex 2.6.0 has been released, the version checks in our build scripts needed to be adjusted. Improve reproducibility of build output by ensuring filenames are given to the linker in a fixed order (Christoph Berg) This avoids possible bitwise differences in the produced executable files from one build to the next. Install our missing script where PGXS builds can find it (Jim Nasby) This allows sane behavior in a PGXS build done on a machine where build tools such as bison are missing. Ensure that dynloader.h is included in the installed header files in MSVC builds (Bruce Momjian, Michael Paquier) Add variant regression test expected-output file to match behavior of current libxml2 (Tom Lane) The fix for libxml2's CVE-2015-7499 causes it not to output error context reports in some cases where it used to do so. This seems to be a bug, but we'll probably have to live with it for some time, so work around it. Update time zone data files to tzdata release 2016a for DST law changes in Cayman Islands, Metlakatla, and Trans-Baikal Territory (Zabaykalsky Krai), plus historical corrections for Pakistan. 2015-10-08 This release contains a variety of fixes from 9.3.9. For information about new features in the 9.3 major release, see . A dump/restore is not required for those running 9.3.X. However, if you are upgrading from a version earlier than 9.3.9, see . Guard against stack overflows in json parsing (Oskari Saarenmaa) If an application constructs PostgreSQL json or jsonb values from arbitrary user input, the application's users can reliably crash the PostgreSQL server, causing momentary denial of service. (CVE-2015-5289) Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh Kupershmidt) Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. (CVE-2015-5288) Fix subtransaction cleanup after a portal (cursor) belonging to an outer subtransaction fails (Tom Lane, Michael Paquier) A function executed in an outer-subtransaction cursor could cause an assertion failure or crash by referencing a relation created within an inner subtransaction. Ensure all relations referred to by an updatable view are properly locked during an update statement (Dean Rasheed) Fix insertion of relations into the relation cache init file (Tom Lane) An oversight in a patch in the most recent minor releases caused pg_trigger_tgrelid_tgname_index to be omitted from the init file. Subsequent sessions detected this, then deemed the init file to be broken and silently ignored it, resulting in a significant degradation in session startup time. In addition to fixing the bug, install some guards so that any similar future mistake will be more obvious. Avoid O(N^2) behavior when inserting many tuples into a SPI query result (Neil Conway) Improve LISTEN startup time when there are many unread notifications (Matt Newell) Fix performance problem when a session alters large numbers of foreign key constraints (Jan Wieck, Tom Lane) This was seen primarily when restoring pg_dump output for databases with many thousands of tables. Disable SSL renegotiation by default (Michael Paquier, Andres Freund) While use of SSL renegotiation is a good idea in theory, we have seen too many bugs in practice, both in the underlying OpenSSL library and in our usage of it. Renegotiation will be removed entirely in 9.5 and later. In the older branches, just change the default value of ssl_renegotiation_limit to zero (disabled). Lower the minimum values of the *_freeze_max_age parameters (Andres Freund) This is mainly to make tests of related behavior less time-consuming, but it may also be of value for installations with limited disk space. Limit the maximum value of wal_buffers to 2GB to avoid server crashes (Josh Berkus) Avoid logging complaints when a parameter that can only be set at server start appears multiple times in postgresql.conf, and fix counting of line numbers after an include_dir directive (Tom Lane) Fix rare internal overflow in multiplication of numeric values (Dean Rasheed) Guard against hard-to-reach stack overflows involving record types, range types, json, jsonb, tsquery, ltxtquery and query_int (Noah Misch) Fix handling of DOW and DOY in datetime input (Greg Stark) These tokens aren't meant to be used in datetime values, but previously they resulted in opaque internal error messages rather than invalid input syntax. Add more query-cancel checks to regular expression matching (Tom Lane) Add recursion depth protections to regular expression, SIMILAR TO, and LIKE matching (Tom Lane) Suitable search patterns and a low stack depth limit could lead to stack-overrun crashes. Fix potential infinite loop in regular expression execution (Tom Lane) A search pattern that can apparently match a zero-length string, but actually doesn't match because of a back reference, could lead to an infinite loop. In regular expression execution, correctly record match data for capturing parentheses within a quantifier even when the match is zero-length (Tom Lane) Fix low-memory failures in regular expression compilation (Andreas Seltenreich) Fix low-probability memory leak during regular expression execution (Tom Lane) Fix rare low-memory failure in lock cleanup during transaction abort (Tom Lane) Fix unexpected out-of-memory situation during sort errors when using tuplestores with small work_mem settings (Tom Lane) Fix very-low-probability stack overrun in qsort (Tom Lane) Fix invalid memory alloc request size failure in hash joins with large work_mem settings (Tomas Vondra, Tom Lane) Fix assorted planner bugs (Tom Lane) These mistakes could lead to incorrect query plans that would give wrong answers, or to assertion failures in assert-enabled builds, or to odd planner errors such as could not devise a query plan for the given query, could not find pathkey item to sort, plan should not reference subplan's variable, or failed to assign all NestLoopParams to plan nodes. Thanks are due to Andreas Seltenreich and Piotr Stefaniak for fuzz testing that exposed these problems. Improve planner's performance for UPDATE/DELETE on large inheritance sets (Tom Lane, Dean Rasheed) Ensure standby promotion trigger files are removed at postmaster startup (Michael Paquier, Fujii Masao) This prevents unwanted promotion from occurring if these files appear in a database backup that is used to initialize a new standby server. During postmaster shutdown, ensure that per-socket lock files are removed and listen sockets are closed before we remove the postmaster.pid file (Tom Lane) This avoids race-condition failures if an external script attempts to start a new postmaster as soon as pg_ctl stop returns. Fix postmaster's handling of a startup-process crash during crash recovery (Tom Lane) If, during a crash recovery cycle, the startup process crashes without having restored database consistency, we'd try to launch a new startup process, which typically would just crash again, leading to an infinite loop. Make emergency autovacuuming for multixact wraparound more robust (Andres Freund) Do not print a WARNING when an autovacuum worker is already gone when we attempt to signal it, and reduce log verbosity for such signals (Tom Lane) Prevent autovacuum launcher from sleeping unduly long if the server clock is moved backwards a large amount (Álvaro Herrera) Ensure that cleanup of a GIN index's pending-insertions list is interruptable by cancel requests (Jeff Janes) Allow all-zeroes pages in GIN indexes to be reused (Heikki Linnakangas) Such a page might be left behind after a crash. Fix handling of all-zeroes pages in SP-GiST indexes (Heikki Linnakangas) VACUUM attempted to recycle such pages, but did so in a way that wasn't crash-safe. Fix off-by-one error that led to otherwise-harmless warnings about apparent wraparound in subtrans/multixact truncation (Thomas Munro) Fix misreporting of CONTINUE and MOVE statement types in PL/pgSQL's error context messages (Pavel Stehule, Tom Lane) Fix PL/Perl to handle non-ASCII error message texts correctly (Alex Hunsaker) Fix PL/Python crash when returning the string representation of a record result (Tom Lane) Fix some places in PL/Tcl that neglected to check for failure of malloc() calls (Michael Paquier, Álvaro Herrera) In contrib/isn, fix output of ISBN-13 numbers that begin with 979 (Fabien Coelho) EANs beginning with 979 (but not 9790) are considered ISBNs, but they must be printed in the new 13-digit format, not the 10-digit format. Improve contrib/postgres_fdw's handling of collation-related decisions (Tom Lane) The main user-visible effect is expected to be that comparisons involving varchar columns will be sent to the remote server for execution in more cases than before. Improve libpq's handling of out-of-memory conditions (Michael Paquier, Heikki Linnakangas) Fix memory leaks and missing out-of-memory checks in ecpg (Michael Paquier) Fix psql's code for locale-aware formatting of numeric output (Tom Lane) The formatting code invoked by \pset numericlocale on did the wrong thing for some uncommon cases such as numbers with an exponent but no decimal point. It could also mangle already-localized output from the money data type. Prevent crash in psql's \c command when there is no current connection (Noah Misch) Make pg_dump handle inherited NOT VALID check constraints correctly (Tom Lane) Fix selection of default zlib compression level in pg_dump's directory output format (Andrew Dunstan) Ensure that temporary files created during a pg_dump run with tar-format output are not world-readable (Michael Paquier) Fix pg_dump and pg_upgrade to support cases where the postgres or template1 database is in a non-default tablespace (Marti Raudsepp, Bruce Momjian) Fix pg_dump to handle object privileges sanely when dumping from a server too old to have a particular privilege type (Tom Lane) When dumping data types from pre-9.2 servers, and when dumping functions or procedural languages from pre-7.3 servers, pg_dump would produce GRANT/REVOKE commands that revoked the owner's grantable privileges and instead granted all privileges to PUBLIC. Since the privileges involved are just USAGE and EXECUTE, this isn't a security problem, but it's certainly a surprising representation of the older systems' behavior. Fix it to leave the default privilege state alone in these cases. Fix pg_dump to dump shell types (Tom Lane) Shell types (that is, not-yet-fully-defined types) aren't useful for much, but nonetheless pg_dump should dump them. Fix assorted minor memory leaks in pg_dump and other client-side programs (Michael Paquier) Fix spinlock assembly code for PPC hardware to be compatible with AIX's native assembler (Tom Lane) Building with gcc didn't work if gcc had been configured to use the native assembler, which is becoming more common. On AIX, test the -qlonglong compiler option rather than just assuming it's safe to use (Noah Misch) On AIX, use -Wl,-brtllib link option to allow symbols to be resolved at runtime (Noah Misch) Perl relies on this ability in 5.8.0 and later. Avoid use of inline functions when compiling with 32-bit xlc, due to compiler bugs (Noah Misch) Use librt for sched_yield() when necessary, which it is on some Solaris versions (Oskari Saarenmaa) Fix Windows install.bat script to handle target directory names that contain spaces (Heikki Linnakangas) Make the numeric form of the PostgreSQL version number (e.g., 90405) readily available to extension Makefiles, as a variable named VERSION_NUM (Michael Paquier) Update time zone data files to tzdata release 2015g for DST law changes in Cayman Islands, Fiji, Moldova, Morocco, Norfolk Island, North Korea, Turkey, and Uruguay. There is a new zone name America/Fort_Nelson for the Canadian Northern Rockies. 2015-06-12 This release contains a small number of fixes from 9.3.8. For information about new features in the 9.3 major release, see . A dump/restore is not required for those running 9.3.X. However, if you are upgrading an installation that was previously upgraded using a pg_upgrade version between 9.3.0 and 9.3.4 inclusive, see the first changelog entry below. Also, if you are upgrading from a version earlier than 9.3.7, see . Fix possible failure to recover from an inconsistent database state (Robert Haas) Recent PostgreSQL releases introduced mechanisms to protect against multixact wraparound, but some of that code did not account for the possibility that it would need to run during crash recovery, when the database may not be in a consistent state. This could result in failure to restart after a crash, or failure to start up a secondary server. The lingering effects of a previously-fixed bug in pg_upgrade could also cause such a failure, in installations that had used pg_upgrade versions between 9.3.0 and 9.3.4. The pg_upgrade bug in question was that it would set oldestMultiXid to 1 in pg_control even if the true value should be higher. With the fixes introduced in this release, such a situation will result in immediate emergency autovacuuming until a correct oldestMultiXid value can be determined. If that would pose a hardship, users can avoid it by doing manual vacuuming before upgrading to this release. In detail: Check whether pg_controldata reports Latest checkpoint's oldestMultiXid to be 1. If not, there's nothing to do. Look in PGDATA/pg_multixact/offsets to see if there's a file named 0000. If there is, there's nothing to do. Otherwise, for each table that has pg_class.relminmxid equal to 1, VACUUM that table with both and set to zero. (You can use the vacuum cost delay parameters described in to reduce the performance consequences for concurrent sessions.) You must use PostgreSQL 9.3.5 or later to perform this step. Fix rare failure to invalidate relation cache init file (Tom Lane) With just the wrong timing of concurrent activity, a VACUUM FULL on a system catalog might fail to update the init file that's used to avoid cache-loading work for new sessions. This would result in later sessions being unable to access that catalog at all. This is a very ancient bug, but it's so hard to trigger that no reproducible case had been seen until recently. Avoid deadlock between incoming sessions and CREATE/DROP DATABASE (Tom Lane) A new session starting in a database that is the target of a DROP DATABASE command, or is the template for a CREATE DATABASE command, could cause the command to wait for five seconds and then fail, even if the new session would have exited before that. Improve planner's cost estimates for semi-joins and anti-joins with inner indexscans (Tom Lane, Tomas Vondra) This type of plan is quite cheap when all the join clauses are used as index scan conditions, even if the inner scan would nominally fetch many rows, because the executor will stop after obtaining one row. The planner only partially accounted for that effect, and would therefore overestimate the cost, leading it to possibly choose some other much less efficient plan type. 2015-06-04 This release contains a small number of fixes from 9.3.7. For information about new features in the 9.3 major release, see . A dump/restore is not required for those running 9.3.X. However, if you are upgrading from a version earlier than 9.3.7, see . Avoid failures while fsync'ing data directory during crash restart (Abhijit Menon-Sen, Tom Lane) In the previous minor releases we added a patch to fsync everything in the data directory after a crash. Unfortunately its response to any error condition was to fail, thereby preventing the server from starting up, even when the problem was quite harmless. An example is that an unwritable file in the data directory would prevent restart on some platforms; but it is common to make SSL certificate files unwritable by the server. Revise this behavior so that permissions failures are ignored altogether, and other types of failures are logged but do not prevent continuing. Also apply the same rules in initdb --sync-only. This case is less critical but it should act similarly. Fix pg_get_functiondef() to show functions' LEAKPROOF property, if set (Jeevan Chalke) Remove configure's check prohibiting linking to a threaded libpython on OpenBSD (Tom Lane) The failure this restriction was meant to prevent seems to not be a problem anymore on current OpenBSD versions. Allow libpq to use TLS protocol versions beyond v1 (Noah Misch) For a long time, libpq was coded so that the only SSL protocol it would allow was TLS v1. Now that newer TLS versions are becoming popular, allow it to negotiate the highest commonly-supported TLS version with the server. (PostgreSQL servers were already capable of such negotiation, so no change is needed on the server side.) This is a back-patch of a change already released in 9.4.0. 2015-05-22 This release contains a variety of fixes from 9.3.6. For information about new features in the 9.3 major release, see . A dump/restore is not required for those running 9.3.X. However, if you use contrib/citext's regexp_matches() functions, see the changelog entry below about that. Also, if you are upgrading from a version earlier than 9.3.6, see . Avoid possible crash when client disconnects just before the authentication timeout expires (Benkocs Norbert Attila) If the timeout interrupt fired partway through the session shutdown sequence, SSL-related state would be freed twice, typically causing a crash and hence denial of service to other sessions. Experimentation shows that an unauthenticated remote attacker could trigger the bug somewhat consistently, hence treat as security issue. (CVE-2015-3165) Improve detection of system-call failures (Noah Misch) Our replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure, due to our code assuming that a buffer had been overwritten when it hadn't been. Also, there were a few places in which security-relevant calls of other system library functions did not check for failure. It remains possible that some calls of the *printf() family of functions are vulnerable to information disclosure if an out-of-memory error occurs at just the wrong time. We judge the risk to not be large, but will continue analysis in this area. (CVE-2015-3166) In contrib/pgcrypto, uniformly report decryption failures as Wrong key or corrupt data (Noah Misch) Previously, some cases of decryption with an incorrect key could report other error message texts. It has been shown that such variance in error reports can aid attackers in recovering keys from other systems. While it's unknown whether pgcrypto's specific behaviors are likewise exploitable, it seems better to avoid the risk by using a one-size-fits-all message. (CVE-2015-3167) Protect against wraparound of multixact member IDs (Álvaro Herrera, Robert Haas, Thomas Munro) Under certain usage patterns, the existing defenses against this might be insufficient, allowing pg_multixact/members files to be removed too early, resulting in data loss. The fix for this includes modifying the server to fail transactions that would result in overwriting old multixact member ID data, and improving autovacuum to ensure it will act proactively to prevent multixact member ID wraparound, as it does for transaction ID wraparound. Fix incorrect declaration of contrib/citext's regexp_matches() functions (Tom Lane) These functions should return setof text[], like the core functions they are wrappers for; but they were incorrectly declared as returning just text[]. This mistake had two results: first, if there was no match you got a scalar null result, whereas what you should get is an empty set (zero rows). Second, the g flag was effectively ignored, since you would get only one result array even if there were multiple matches. While the latter behavior is clearly a bug, there might be applications depending on the former behavior; therefore the function declarations will not be changed by default until PostgreSQL 9.5. In pre-9.5 branches, the old behavior exists in version 1.0 of the citext extension, while we have provided corrected declarations in version 1.1 (which is not installed by default). To adopt the fix in pre-9.5 branches, execute ALTER EXTENSION citext UPDATE TO '1.1' in each database in which citext is installed. (You can also update back to 1.0 if you need to undo that.) Be aware that either update direction will require dropping and recreating any views or rules that use citext's regexp_matches() functions. Fix incorrect checking of deferred exclusion constraints after a HOT update (Tom Lane) If a new row that potentially violates a deferred exclusion constraint is HOT-updated (that is, no indexed columns change and the row can be stored back onto the same table page) later in the same transaction, the exclusion constraint would be reported as violated when the check finally occurred, even if the row(s) the new row originally conflicted with had been deleted. Fix planning of star-schema-style queries (Tom Lane) Sometimes, efficient scanning of a large table requires that index parameters be provided from more than one other table (commonly, dimension tables whose keys are needed to index a large fact table). The planner should be able to find such plans, but an overly restrictive search heuristic prevented it. Prevent improper reordering of antijoins (NOT EXISTS joins) versus other outer joins (Tom Lane) This oversight in the planner has been observed to cause could not find RelOptInfo for given relids errors, but it seems possible that sometimes an incorrect query plan might get past that consistency check and result in silently-wrong query output. Fix incorrect matching of subexpressions in outer-join plan nodes (Tom Lane) Previously, if textually identical non-strict subexpressions were used both above and below an outer join, the planner might try to re-use the value computed below the join, which would be incorrect because the executor would force the value to NULL in case of an unmatched outer row. Fix GEQO planner to cope with failure of its join order heuristic (Tom Lane) This oversight has been seen to lead to failed to join all relations together errors in queries involving LATERAL, and that might happen in other cases as well. Fix possible deadlock at startup when max_prepared_transactions is too small (Heikki Linnakangas) Don't archive useless preallocated WAL files after a timeline switch (Heikki Linnakangas) Recursively fsync() the data directory after a crash (Abhijit Menon-Sen, Robert Haas) This ensures consistency if another crash occurs shortly later. (The second crash would have to be a system-level crash, not just a database crash, for there to be a problem.) Fix autovacuum launcher's possible failure to shut down, if an error occurs after it receives SIGTERM (Álvaro Herrera) Cope with unexpected signals in LockBufferForCleanup() (Andres Freund) This oversight could result in spurious errors about multiple backends attempting to wait for pincount 1. Fix crash when doing COPY IN to a table with check constraints that contain whole-row references (Tom Lane) The known failure case only crashes in 9.4 and up, but there is very similar code in 9.3 and 9.2, so back-patch those branches as well. Avoid waiting for WAL flush or synchronous replication during commit of a transaction that was read-only so far as the user is concerned (Andres Freund) Previously, a delay could occur at commit in transactions that had written WAL due to HOT page pruning, leading to undesirable effects such as sessions getting stuck at startup if all synchronous replicas are down. Sessions have also been observed to get stuck in catchup interrupt processing when using synchronous replication; this will fix that problem as well. Fix crash when manipulating hash indexes on temporary tables (Heikki Linnakangas) Fix possible failure during hash index bucket split, if other processes are modifying the index concurrently (Tom Lane) Check for interrupts while analyzing index expressions (Jeff Janes) ANALYZE executes index expressions many times; if there are slow functions in such an expression, it's desirable to be able to cancel the ANALYZE before that loop finishes. Ensure tableoid of a foreign table is reported correctly when a READ COMMITTED recheck occurs after locking rows in SELECT FOR UPDATE, UPDATE, or DELETE (Etsuro Fujita) Add the name of the target server to object description strings for foreign-server user mappings (Álvaro Herrera) Include the schema name in object identity strings for conversions (Álvaro Herrera) Recommend setting include_realm to 1 when using Kerberos/GSSAPI/SSPI authentication (Stephen Frost) Without this, identically-named users from different realms cannot be distinguished. For the moment this is only a documentation change, but it will become the default setting in PostgreSQL 9.5. Remove code for matching IPv4 pg_hba.conf entries to IPv4-in-IPv6 addresses (Tom Lane) This hack was added in 2003 in response to a report that some Linux kernels of the time would report IPv4 connections as having IPv4-in-IPv6 addresses. However, the logic was accidentally broken in 9.0. The lack of any field complaints since then shows that it's not needed anymore. Now we have reports that the broken code causes crashes on some systems, so let's just remove it rather than fix it. (Had we chosen to fix it, that would make for a subtle and potentially security-sensitive change in the effective meaning of IPv4 pg_hba.conf entries, which does not seem like a good thing to do in minor releases.) Report WAL flush, not insert, position in IDENTIFY_SYSTEM replication command (Heikki Linnakangas) This avoids a possible startup failure in pg_receivexlog. While shutting down service on Windows, periodically send status updates to the Service Control Manager to prevent it from killing the service too soon; and ensure that pg_ctl will wait for shutdown (Krystian Bigaj) Reduce risk of network deadlock when using libpq's non-blocking mode (Heikki Linnakangas) When sending large volumes of data, it's important to drain the input buffer every so often, in case the server has sent enough response data to cause it to block on output. (A typical scenario is that the server is sending a stream of NOTICE messages during COPY FROM STDIN.) This worked properly in the normal blocking mode, but not so much in non-blocking mode. We've modified libpq to opportunistically drain input when it can, but a full defense against this problem requires application cooperation: the application should watch for socket read-ready as well as write-ready conditions, and be sure to call PQconsumeInput() upon read-ready. In libpq, fix misparsing of empty values in URI connection strings (Thomas Fanghaenel) Fix array handling in ecpg (Michael Meskes) Fix psql to sanely handle URIs and conninfo strings as the first parameter to \connect (David Fetter, Andrew Dunstan, Álvaro Herrera) This syntax has been accepted (but undocumented) for a long time, but previously some parameters might be taken from the old connection instead of the given string, which was agreed to be undesirable. Suppress incorrect complaints from psql on some platforms that it failed to write ~/.psql_history at exit (Tom Lane) This misbehavior was caused by a workaround for a bug in very old (pre-2006) versions of libedit. We fixed it by removing the workaround, which will cause a similar failure to appear for anyone still using such versions of libedit. Recommendation: upgrade that library, or use libreadline. Fix pg_dump's rule for deciding which casts are system-provided casts that should not be dumped (Tom Lane) In pg_dump, fix failure to honor -Z compression level option together with -Fd (Michael Paquier) Make pg_dump consider foreign key relationships between extension configuration tables while choosing dump order (Gilles Darold, Michael Paquier, Stephen Frost) This oversight could result in producing dumps that fail to reload because foreign key constraints are transiently violated. Avoid possible pg_dump failure when concurrent sessions are creating and dropping temporary functions (Tom Lane) Fix dumping of views that are just VALUES(...) but have column aliases (Tom Lane) In pg_upgrade, force timeline 1 in the new cluster (Bruce Momjian) This change prevents upgrade failures caused by bogus complaints about missing WAL history files. In pg_upgrade, check for improperly non-connectable databases before proceeding (Bruce Momjian) In pg_upgrade, quote directory paths properly in the generated delete_old_cluster script (Bruce Momjian) In pg_upgrade, preserve database-level freezing info properly (Bruce Momjian) This oversight could cause missing-clog-file errors for tables within the postgres and template1 databases. Run pg_upgrade and pg_resetxlog with restricted privileges on Windows, so that they don't fail when run by an administrator (Muhammad Asif Naeem) Improve handling of readdir() failures when scanning directories in initdb and pg_basebackup (Marco Nenciarini) Fix slow sorting algorithm in contrib/intarray (Tom Lane) Fix compile failure on Sparc V8 machines (Rob Rowan) Silence some build warnings on macOS (Tom Lane) Update time zone data files to tzdata release 2015d for DST law changes in Egypt, Mongolia, and Palestine, plus historical changes in Canada and Chile. Also adopt revised zone abbreviations for the America/Adak zone (HST/HDT not HAST/HADT). 2015-02-05 This release contains a variety of fixes from 9.3.5. For information about new features in the 9.3 major release, see . A dump/restore is not required for those running 9.3.X. However, if you are a Windows user and are using the Norwegian (Bokmål) locale, manual action is needed after the upgrade to replace any Norwegian (Bokmål)_Norway locale names stored in PostgreSQL system catalogs with the plain-ASCII alias Norwegian_Norway. For details see Also, if you are upgrading from a version earlier than 9.3.5, see . Fix buffer overruns in to_char() (Bruce Momjian) When to_char() processes a numeric formatting template calling for a large number of digits, PostgreSQL would read past the end of a buffer. When processing a crafted timestamp formatting template, PostgreSQL would write past the end of a buffer. Either case could crash the server. We have not ruled out the possibility of attacks that lead to privilege escalation, though they seem unlikely. (CVE-2015-0241) Fix buffer overrun in replacement *printf() functions (Tom Lane) PostgreSQL includes a replacement implementation of printf and related functions. This code will overrun a stack buffer when formatting a floating point number (conversion specifiers e, E, f, F, g or G) with requested precision greater than about 500. This will crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. A database user can trigger such a buffer overrun through the to_char() SQL function. While that is the only affected core PostgreSQL functionality, extension modules that use printf-family functions may be at risk as well. This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of these functions where adequate, which it is on other modern platforms. (CVE-2015-0242) Fix buffer overruns in contrib/pgcrypto (Marko Tiikkaja, Noah Misch) Errors in memory size tracking within the pgcrypto module permitted stack buffer overruns and improper dependence on the contents of uninitialized memory. The buffer overrun cases can crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. (CVE-2015-0243) Fix possible loss of frontend/backend protocol synchronization after an error (Heikki Linnakangas) If any error occurred while the server was in the middle of reading a protocol message from the client, it could lose synchronization and incorrectly try to interpret part of the message's data as a new protocol message. An attacker able to submit crafted binary data within a command parameter might succeed in injecting his own SQL commands this way. Statement timeout and query cancellation are the most likely sources of errors triggering this scenario. Particularly vulnerable are applications that use a timeout and also submit arbitrary user-crafted data as binary query parameters. Disabling statement timeout will reduce, but not eliminate, the risk of exploit. Our thanks to Emil Lenngren for reporting this issue. (CVE-2015-0244) Fix information leak via constraint-violation error messages (Stephen Frost) Some server error messages show the values of columns that violate a constraint, such as a unique constraint. If the user does not have SELECT privilege on all columns of the table, this could mean exposing values that the user should not be able to see. Adjust the code so that values are displayed only when they came from the SQL command or could be selected by the user. (CVE-2014-8161) Lock down regression testing's temporary installations on Windows (Noah Misch) Use SSPI authentication to allow connections only from the OS user who launched the test suite. This closes on Windows the same vulnerability previously closed on other platforms, namely that other users might be able to connect to the test postmaster. (CVE-2014-0067) Cope with the Windows locale named Norwegian (Bokmål) (Heikki Linnakangas) Non-ASCII locale names are problematic since it's not clear what encoding they should be represented in. Map the troublesome locale name to a plain-ASCII alias, Norwegian_Norway. Avoid possible data corruption if ALTER DATABASE SET TABLESPACE is used to move a database to a new tablespace and then shortly later move it back to its original tablespace (Tom Lane) Avoid corrupting tables when ANALYZE inside a transaction is rolled back (Andres Freund, Tom Lane, Michael Paquier) If the failing transaction had earlier removed the last index, rule, or trigger from the table, the table would be left in a corrupted state with the relevant pg_class flags not set though they should be. Ensure that unlogged tables are copied correctly during CREATE DATABASE or ALTER DATABASE SET TABLESPACE (Pavan Deolasee, Andres Freund) Fix incorrect processing of CreateEventTrigStmt.eventname (Petr Jelinek) This could result in misbehavior if CREATE EVENT TRIGGER were executed as a prepared query, or via extended query protocol. Fix DROP's dependency searching to correctly handle the case where a table column is recursively visited before its table (Petr Jelinek, Tom Lane) This case is only known to arise when an extension creates both a datatype and a table using that datatype. The faulty code might refuse a DROP EXTENSION unless CASCADE is specified, which should not be required. Fix use-of-already-freed-memory problem in EvalPlanQual processing (Tom Lane) In READ COMMITTED mode, queries that lock or update recently-updated rows could crash as a result of this bug. Avoid possible deadlock while trying to acquire tuple locks in EvalPlanQual processing (Álvaro Herrera, Mark Kirkwood) Fix failure to wait when a transaction tries to acquire a FOR NO KEY EXCLUSIVE tuple lock, while multiple other transactions currently hold FOR SHARE locks (Álvaro Herrera) Fix planning of SELECT FOR UPDATE when using a partial index on a child table (Kyotaro Horiguchi) In READ COMMITTED mode, SELECT FOR UPDATE must also recheck the partial index's WHERE condition when rechecking a recently-updated row to see if it still satisfies the query's WHERE condition. This requirement was missed if the index belonged to an inheritance child table, so that it was possible to incorrectly return rows that no longer satisfy the query condition. Fix corner case wherein SELECT FOR UPDATE could return a row twice, and possibly miss returning other rows (Tom Lane) In READ COMMITTED mode, a SELECT FOR UPDATE that is scanning an inheritance tree could incorrectly return a row from a prior child table instead of the one it should return from a later child table. Improve performance of EXPLAIN with large range tables (Tom Lane) Reject duplicate column names in the referenced-columns list of a FOREIGN KEY declaration (David Rowley) This restriction is per SQL standard. Previously we did not reject the case explicitly, but later on the code would fail with bizarre-looking errors. Re-enable error for SELECT ... OFFSET -1 (Tom Lane) A negative offset value has been an error since 8.4, but an optimization added in 9.3 accidentally turned the case into a no-op. Restore the expected behavior. Restore previous behavior of conversion of domains to JSON (Tom Lane) This change causes domains over numeric and boolean to be treated like their base types for purposes of conversion to JSON. It worked like that before 9.3.5 and 9.2.9, but was unintentionally changed while fixing a related problem. Fix json_agg() to not return extra trailing right brackets in its result (Tom Lane) Fix bugs in raising a numeric value to a large integral power (Tom Lane) The previous code could get a wrong answer, or consume excessive amounts of time and memory before realizing that the answer must overflow. In numeric_recv(), truncate away any fractional digits that would be hidden according to the value's dscale field (Tom Lane) A numeric value's display scale (dscale) should never be less than the number of nonzero fractional digits; but apparently there's at least one broken client application that transmits binary numeric values in which that's true. This leads to strange behavior since the extra digits are taken into account by arithmetic operations even though they aren't printed. The least risky fix seems to be to truncate away such hidden digits on receipt, so that the value is indeed what it prints as. Fix incorrect search for shortest-first regular expression matches (Tom Lane) Matching would often fail when the number of allowed iterations is limited by a ? quantifier or a bound expression. Reject out-of-range numeric timezone specifications (Tom Lane) Simple numeric timezone specifications exceeding +/- 168 hours (one week) would be accepted, but could then cause null-pointer dereference crashes in certain operations. There's no use-case for such large UTC offsets, so reject them. Fix bugs in tsquery @> tsquery operator (Heikki Linnakangas) Two different terms would be considered to match if they had the same CRC. Also, if the second operand had more terms than the first, it would be assumed not to be contained in the first; which is wrong since it might contain duplicate terms. Improve ispell dictionary's defenses against bad affix files (Tom Lane) Allow more than 64K phrases in a thesaurus dictionary (David Boutin) The previous coding could crash on an oversize dictionary, so this was deemed a back-patchable bug fix rather than a feature addition. Fix namespace handling in xpath() (Ali Akbar) Previously, the xml value resulting from an xpath() call would not have namespace declarations if the namespace declarations were attached to an ancestor element in the input xml value, rather than to the specific element being returned. Propagate the ancestral declaration so that the result is correct when considered in isolation. Ensure that whole-row variables expose nonempty column names to functions that pay attention to column names within composite arguments (Tom Lane) In some contexts, constructs like row_to_json(tab.*) may not produce the expected column names. This is fixed properly as of 9.4; in older branches, just ensure that we produce some nonempty name. (In some cases this will be the underlying table's column name rather than the query-assigned alias that should theoretically be visible.) Fix mishandling of system columns, particularly tableoid, in FDW queries (Etsuro Fujita) Fix assorted oversights in range-operator selectivity estimation (Emre Hasegeli) This patch fixes corner-case unexpected operator NNNN planner errors, and improves the selectivity estimates for some other cases. Avoid doing indexed_column = ANY (array) as an index qualifier if that leads to an inferior plan (Andrew Gierth) In some cases, = ANY conditions applied to non-first index columns would be done as index conditions even though it would be better to use them as simple filter conditions. Fix variable not found in subplan target list planner failure when an inline-able SQL function taking a composite argument is used in a LATERAL subselect and the composite argument is a lateral reference (Tom Lane) Fix planner problems with nested append relations, such as inherited tables within UNION ALL subqueries (Tom Lane) Fail cleanly when a GiST index tuple doesn't fit on a page, rather than going into infinite recursion (Andrew Gierth) Exempt tables that have per-table cost_limit and/or cost_delay settings from autovacuum's global cost balancing rules (Álvaro Herrera) The previous behavior resulted in basically ignoring these per-table settings, which was unintended. Now, a table having such settings will be vacuumed using those settings, independently of what is going on in other autovacuum workers. This may result in heavier total I/O load than before, so such settings should be re-examined for sanity. Avoid wholesale autovacuuming when autovacuum is nominally off (Tom Lane) Even when autovacuum is nominally off, we will still launch autovacuum worker processes to vacuum tables that are at risk of XID wraparound. However, such a worker process then proceeded to vacuum all tables in the target database, if they met the usual thresholds for autovacuuming. This is at best pretty unexpected; at worst it delays response to the wraparound threat. Fix it so that if autovacuum is turned off, workers only do anti-wraparound vacuums and not any other work. During crash recovery, ensure that unlogged relations are rewritten as empty and are synced to disk before recovery is considered complete (Abhijit Menon-Sen, Andres Freund) This prevents scenarios in which unlogged relations might contain garbage data following database crash recovery. Fix race condition between hot standby queries and replaying a full-page image (Heikki Linnakangas) This mistake could result in transient errors in queries being executed in hot standby. Fix several cases where recovery logic improperly ignored WAL records for COMMIT/ABORT PREPARED (Heikki Linnakangas) The most notable oversight was that recovery_target_xid could not be used to stop at a two-phase commit. Prevent latest WAL file from being archived a second time at completion of crash recovery (Fujii Masao) Avoid creating unnecessary .ready marker files for timeline history files (Fujii Masao) Fix possible null pointer dereference when an empty prepared statement is used and the log_statement setting is mod or ddl (Fujii Masao) Change pgstat wait timeout warning message to be LOG level, and rephrase it to be more understandable (Tom Lane) This message was originally thought to be essentially a can't-happen case, but it occurs often enough on our slower buildfarm members to be a nuisance. Reduce it to LOG level, and expend a bit more effort on the wording: it now reads using stale statistics instead of current ones because stats collector is not responding. Fix possible corruption of postmaster's list of dynamic background workers (Andres Freund) Fix SPARC spinlock implementation to ensure correctness if the CPU is being run in a non-TSO coherency mode, as some non-Solaris kernels do (Andres Freund) Warn if macOS's setlocale() starts an unwanted extra thread inside the postmaster (Noah Misch) Fix processing of repeated dbname parameters in PQconnectdbParams() (Alex Shulgin) Unexpected behavior ensued if the first occurrence of dbname contained a connection string or URI to be expanded. Ensure that libpq reports a suitable error message on unexpected socket EOF (Marko Tiikkaja, Tom Lane) Depending on kernel behavior, libpq might return an empty error string rather than something useful when the server unexpectedly closed the socket. Clear any old error message during PQreset() (Heikki Linnakangas) If PQreset() is called repeatedly, and the connection cannot be re-established, error messages from the failed connection attempts kept accumulating in the PGconn's error string. Properly handle out-of-memory conditions while parsing connection options in libpq (Alex Shulgin, Heikki Linnakangas) Fix array overrun in ecpg's version of ParseDateTime() (Michael Paquier) In initdb, give a clearer error message if a password file is specified but is empty (Mats Erik Andersson) Fix psql's \s command to work nicely with libedit, and add pager support (Stepan Rutz, Tom Lane) When using libedit rather than readline, \s printed the command history in a fairly unreadable encoded format, and on recent libedit versions might fail altogether. Fix that by printing the history ourselves rather than having the library do it. A pleasant side-effect is that the pager is used if appropriate. This patch also fixes a bug that caused newline encoding to be applied inconsistently when saving the command history with libedit. Multiline history entries written by older psql versions will be read cleanly with this patch, but perhaps not vice versa, depending on the exact libedit versions involved. Improve consistency of parsing of psql's special variables (Tom Lane) Allow variant spellings of on and off (such as 1/0) for ECHO_HIDDEN and ON_ERROR_ROLLBACK. Report a warning for unrecognized values for COMP_KEYWORD_CASE, ECHO, ECHO_HIDDEN, HISTCONTROL, ON_ERROR_ROLLBACK, and VERBOSITY. Recognize all values for all these variables case-insensitively; previously there was a mishmash of case-sensitive and case-insensitive behaviors. Make psql's \watch command display nulls as specified by \pset null (Fujii Masao) Fix psql's expanded-mode display to work consistently when using border = 3 and linestyle = ascii or unicode (Stephen Frost) Fix pg_dump to handle comments on event triggers without failing (Tom Lane) Allow parallel pg_dump to use --serializable-deferrable (Kevin Grittner) Improve performance of pg_dump when the database contains many instances of multiple dependency paths between the same two objects (Tom Lane) Fix pg_dumpall to restore its ability to dump from pre-8.1 servers (Gilles Darold) Fix possible deadlock during parallel restore of a schema-only dump (Robert Haas, Tom Lane) Fix core dump in pg_dump --binary-upgrade on zero-column composite type (Rushabh Lathia) Fix failure to fsync tables in nondefault tablespaces during pg_upgrade (Abhijit Menon-Sen, Andres Freund) With an operating system crash and some bad luck, this could result in data loss during an upgrade. In pg_upgrade, cope with cases where the new cluster creates a TOAST table for a table that didn't previously have one (Bruce Momjian) Previously this could result in failures due to OID conflicts. In pg_upgrade, don't try to set autovacuum_multixact_freeze_max_age for the old cluster (Bruce Momjian) This could result in failure because not all 9.3.X versions have that parameter. Fortunately, we don't actually need to set it at all. In pg_upgrade, preserve the transaction ID epoch (Bruce Momjian) This oversight did not bother PostgreSQL proper, but could confuse some external replication tools. Prevent WAL files created by pg_basebackup -x/-X from being archived again when the standby is promoted (Andres Freund) Fix memory leak in pg_receivexlog (Fujii Masao) Fix unintended suppression of pg_receivexlog verbose messages (Fujii Masao) Fix failure of contrib/auto_explain to print per-node timing information when doing EXPLAIN ANALYZE (Tom Lane) Fix upgrade-from-unpackaged script for contrib/citext (Tom Lane) Avoid integer overflow and buffer overrun in contrib/hstore's hstore_to_json() (Heikki Linnakangas) Fix recognition of numbers in hstore_to_json_loose(), so that JSON numbers and strings are correctly distinguished (Andrew Dunstan) Fix block number checking in contrib/pageinspect's get_raw_page() (Tom Lane) The incorrect checking logic could prevent access to some pages in non-main relation forks. Fix contrib/pgcrypto's pgp_sym_decrypt() to not fail on messages whose length is 6 less than a power of 2 (Marko Tiikkaja) Fix file descriptor leak in contrib/pg_test_fsync (Jeff Janes) This could cause failure to remove temporary files on Windows. Handle unexpected query results, especially NULLs, safely in contrib/tablefunc's connectby() (Michael Paquier) connectby() previously crashed if it encountered a NULL key value. It now prints that row but doesn't recurse further. Avoid a possible crash in contrib/xml2's xslt_process() (Mark Simonetti) libxslt seems to have an undocumented dependency on the order in which resources are freed; reorder our calls to avoid a crash. Mark some contrib I/O functions with correct volatility properties (Tom Lane) The previous over-conservative marking was immaterial in normal use, but could cause optimization problems or rejection of valid index expression definitions. Since the consequences are not large, we've just adjusted the function definitions in the extension modules' scripts, without changing version numbers. Numerous cleanups of warnings from Coverity static code analyzer (Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier) These changes are mostly cosmetic but in some cases fix corner-case bugs, for example a crash rather than a proper error report after an out-of-memory failure. None are believed to represent security issues. Fix setup of background workers in EXEC_BACKEND builds, eg Windows (Robert Haas) Detect incompatible OpenLDAP versions during build (Noah Misch) With OpenLDAP versions 2.4.24 through 2.4.31, inclusive, PostgreSQL backends can crash at exit. Raise a warning during configure based on the compile-time OpenLDAP version number, and test the crashing scenario in the contrib/dblink regression test. In non-MSVC Windows builds, ensure libpq.dll is installed with execute permissions (Noah Misch) Make pg_regress remove any temporary installation it created upon successful exit (Tom Lane) This results in a very substantial reduction in disk space usage during make check-world, since that sequence involves creation of numerous temporary installations. Support time zone abbreviations that change UTC offset from time to time (Tom Lane) Previously, PostgreSQL assumed that the UTC offset associated with a time zone abbreviation (such as EST) never changes in the usage of any particular locale. However this assumption fails in the real world, so introduce the ability for a zone abbreviation to represent a UTC offset that sometimes changes. Update the zone abbreviation definition files to make use of this feature in timezone locales that have changed the UTC offset of their abbreviations since 1970 (according to the IANA timezone database). In such timezones, PostgreSQL will now associate the correct UTC offset with the abbreviation depending on the given date. Update time zone abbreviations lists (Tom Lane) Add CST (China Standard Time) to our lists. Remove references to ADT as Arabia Daylight Time, an abbreviation that's been out of use since 2007; therefore, claiming there is a conflict with Atlantic Daylight Time doesn't seem especially helpful. Fix entirely incorrect GMT offsets for CKT (Cook Islands), FJT, and FJST (Fiji); we didn't even have them on the proper side of the date line. Update time zone data files to tzdata release 2015a. The IANA timezone database has adopted abbreviations of the form AxST/AxDT for all Australian time zones, reflecting what they believe to be current majority practice Down Under. These names do not conflict with usage elsewhere (other than ACST for Acre Summer Time, which has been in disuse since 1994). Accordingly, adopt these names into our Default timezone abbreviation set. The Australia abbreviation set now contains only CST, EAST, EST, SAST, SAT, and WST, all of which are thought to be mostly historical usage. Note that SAST has also been changed to be South Africa Standard Time in the Default abbreviation set. Also, add zone abbreviations SRET (Asia/Srednekolymsk) and XJT (Asia/Urumqi), and use WSST/WSDT for western Samoa. Also, there were DST law changes in Chile, Mexico, the Turks & Caicos Islands (America/Grand_Turk), and Fiji. There is a new zone Pacific/Bougainville for portions of Papua New Guinea. Also, numerous corrections for historical (pre-1970) time zone data. 2014-07-24 This release contains a variety of fixes from 9.3.4. For information about new features in the 9.3 major release, see . A dump/restore is not required for those running 9.3.X. However, this release corrects a logic error in pg_upgrade, as well as an index corruption problem in some GiST indexes. See the first two changelog entries below to find out whether your installation has been affected and what steps you should take if so. Also, if you are upgrading from a version earlier than 9.3.4, see . In pg_upgrade, remove pg_multixact files left behind by initdb (Bruce Momjian) If you used a pre-9.3.5 version of pg_upgrade to upgrade a database cluster to 9.3, it might have left behind a file $PGDATA/pg_multixact/offsets/0000 that should not be there and will eventually cause problems in VACUUM. However, in common cases this file is actually valid and must not be removed. To determine whether your installation has this problem, run this query as superuser, in any database of the cluster: WITH list(file) AS (SELECT * FROM pg_ls_dir('pg_multixact/offsets')) SELECT EXISTS (SELECT * FROM list WHERE file = '0000') AND NOT EXISTS (SELECT * FROM list WHERE file = '0001') AND NOT EXISTS (SELECT * FROM list WHERE file = 'FFFF') AND EXISTS (SELECT * FROM list WHERE file != '0000') AS file_0000_removal_required; If this query returns t, manually remove the file $PGDATA/pg_multixact/offsets/0000. Do nothing if the query returns f. Correctly initialize padding bytes in contrib/btree_gist indexes on bit columns (Heikki Linnakangas) This error could result in incorrect query results due to values that should compare equal not being seen as equal. Users with GiST indexes on bit or bit varying columns should REINDEX those indexes after installing this update. Protect against torn pages when deleting GIN list pages (Heikki Linnakangas) This fix prevents possible index corruption if a system crash occurs while the page update is being written to disk. Don't clear the right-link of a GiST index page while replaying updates from WAL (Heikki Linnakangas) This error could lead to transiently wrong answers from GiST index scans performed in Hot Standby. Fix corner-case infinite loop during insertion into an SP-GiST text index (Tom Lane) Fix incorrect answers from SP-GiST index searches with -|- (range adjacency) operator (Heikki Linnakangas) Fix wraparound handling for pg_multixact/members (Álvaro Herrera) Truncate pg_multixact during checkpoints, not during VACUUM (Álvaro Herrera) This change ensures that pg_multixact segments can't be removed if they'd still be needed during WAL replay after a crash. Fix possible inconsistency of all-visible flags after WAL recovery (Heikki Linnakangas) Fix possibly-incorrect cache invalidation during nested calls to ReceiveSharedInvalidMessages (Andres Freund) Fix race condition when updating a tuple concurrently locked by another process (Andres Freund, Álvaro Herrera) Fix could not find pathkey item to sort planner failures with UNION ALL over subqueries reading from tables with inheritance children (Tom Lane) Don't assume a subquery's output is unique if there's a set-returning function in its targetlist (David Rowley) This oversight could lead to misoptimization of constructs like WHERE x IN (SELECT y, generate_series(1,10) FROM t GROUP BY y). Improve planner to drop constant-NULL inputs of AND/OR when possible (Tom Lane) This change fixes some cases where the more aggressive parameter substitution done by 9.2 and later can lead to a worse plan than older versions produced. Ensure that the planner sees equivalent VARIADIC and non-VARIADIC function calls as equivalent (Tom Lane) This bug could for example result in failure to use expression indexes involving variadic functions. It might be necessary to re-create such indexes, and/or re-create views including variadic function calls that should match the indexes, for the fix to be effective for existing 9.3 installations. Fix handling of nested JSON objects in json_populate_recordset() and friends (Michael Paquier, Tom Lane) A nested JSON object could result in previous fields of the parent object not being shown in the output. Fix identification of input type category in to_json() and friends (Tom Lane) This is known to have led to inadequate quoting of money fields in the JSON result, and there may have been wrong results for other data types as well. Fix failure to detoast fields in composite elements of structured types (Tom Lane) This corrects cases where TOAST pointers could be copied into other tables without being dereferenced. If the original data is later deleted, it would lead to errors like missing chunk number 0 for toast value ... when the now-dangling pointer is used. Fix record type has not been registered failures with whole-row references to the output of Append plan nodes (Tom Lane) Fix possible crash when invoking a user-defined function while rewinding a cursor (Tom Lane) Fix query-lifespan memory leak while evaluating the arguments for a function in FROM (Tom Lane) Fix session-lifespan memory leaks in regular-expression processing (Tom Lane, Arthur O'Dwyer, Greg Stark) Fix data encoding error in hungarian.stop (Tom Lane) Prevent foreign tables from being created with OIDS when is true (Etsuro Fujita) Fix liveness checks for rows that were inserted in the current transaction and then deleted by a now-rolled-back subtransaction (Andres Freund) This could cause problems (at least spurious warnings, and at worst an infinite loop) if CREATE INDEX or CLUSTER were done later in the same transaction. Clear pg_stat_activity.xact_start during PREPARE TRANSACTION (Andres Freund) After the PREPARE, the originating session is no longer in a transaction, so it should not continue to display a transaction start time. Fix REASSIGN OWNED to not fail for text search objects (Álvaro Herrera) Prevent pg_class.relminmxid values from going backwards during VACUUM FULL (Álvaro Herrera) Reduce indentation in rule/view dumps to improve readability and avoid excessive whitespace (Greg Stark, Tom Lane) This change reduces the amount of indentation applied to nested constructs, including some cases that the user probably doesn't think of as nested, such as UNION lists. Previously, deeply nested constructs were printed with an amount of whitespace growing as O(N^2), which created a performance problem and even risk of out-of-memory failures. Now the indentation is reduced modulo 40, which is initially odd to look at but seems to preserve readability better than simply limiting the indentation would do. Redundant parenthesization of UNION lists has been reduced as well. Fix dumping of rules/views when subsequent addition of a column has resulted in multiple input columns matching a USING specification (Tom Lane) Repair view printing for some cases involving functions in FROM that return a composite type containing dropped columns (Tom Lane) Block signals during postmaster startup (Tom Lane) This ensures that the postmaster will properly clean up after itself if, for example, it receives SIGINT while still starting up. Fix client host name lookup when processing pg_hba.conf entries that specify host names instead of IP addresses (Tom Lane) Ensure that reverse-DNS lookup failures are reported, instead of just silently not matching such entries. Also ensure that we make only one reverse-DNS lookup attempt per connection, not one per host name entry, which is what previously happened if the lookup attempts failed. Allow the root user to use postgres -C variable and postgres --describe-config (MauMau) The prohibition on starting the server as root does not need to extend to these operations, and relaxing it prevents failure of pg_ctl in some scenarios. Secure Unix-domain sockets of temporary postmasters started during make check (Noah Misch) Any local user able to access the socket file could connect as the server's bootstrap superuser, then proceed to execute arbitrary code as the operating-system user running the test, as we previously noted in CVE-2014-0067. This change defends against that risk by placing the server's socket in a temporary, mode 0700 subdirectory of /tmp. The hazard remains however on platforms where Unix sockets are not supported, notably Windows, because then the temporary postmaster must accept local TCP connections. A useful side effect of this change is to simplify make check testing in builds that override DEFAULT_PGSOCKET_DIR. Popular non-default values like /var/run/postgresql are often not writable by the build user, requiring workarounds that will no longer be necessary. Fix tablespace creation WAL replay to work on Windows (MauMau) Fix detection of socket creation failures on Windows (Bruce Momjian) On Windows, allow new sessions to absorb values of PGC_BACKEND parameters (such as ) from the configuration file (Amit Kapila) Previously, if such a parameter were changed in the file post-startup, the change would have no effect. Properly quote executable path names on Windows (Nikhil Deshpande) This oversight could cause initdb and pg_upgrade to fail on Windows, if the installation path contained both spaces and @ signs. Fix linking of libpython on macOS (Tom Lane) The method we previously used can fail with the Python library supplied by Xcode 5.0 and later. Avoid buffer bloat in libpq when the server consistently sends data faster than the client can absorb it (Shin-ichi Morita, Tom Lane) libpq could be coerced into enlarging its input buffer until it runs out of memory (which would be reported misleadingly as lost synchronization with server). Under ordinary circumstances it's quite far-fetched that data could be continuously transmitted more quickly than the recv() loop can absorb it, but this has been observed when the client is artificially slowed by scheduler constraints. Ensure that LDAP lookup attempts in libpq time out as intended (Laurenz Albe) Fix ecpg to do the right thing when an array of char * is the target for a FETCH statement returning more than one row, as well as some other array-handling fixes (Ashutosh Bapat) Fix pg_dump to cope with a materialized view that depends on a table's primary key (Tom Lane) This occurs if the view's query relies on functional dependency to abbreviate a GROUP BY list. pg_dump got sufficiently confused that it dumped the materialized view as a regular view. Fix parsing of pg_dumpall's -i switch (Tom Lane) Fix pg_restore's processing of old-style large object comments (Tom Lane) A direct-to-database restore from an archive file generated by a pre-9.0 version of pg_dump would usually fail if the archive contained more than a few comments for large objects. Fix pg_upgrade for cases where the new server creates a TOAST table but the old version did not (Bruce Momjian) This rare situation would manifest as relation OID mismatch errors. In pg_upgrade, preserve pg_database.datminmxid and pg_class.relminmxid values from the old cluster, or insert reasonable values when upgrading from pre-9.3; also defend against unreasonable values in the core server (Bruce Momjian, Álvaro Herrera, Tom Lane) These changes prevent scenarios in which autovacuum might insist on scanning the entire cluster's contents immediately upon starting the new cluster, or in which tracking of unfrozen MXID values might be disabled completely. Prevent contrib/auto_explain from changing the output of a user's EXPLAIN (Tom Lane) If auto_explain is active, it could cause an EXPLAIN (ANALYZE, TIMING OFF) command to nonetheless print timing information. Fix query-lifespan memory leak in contrib/dblink (MauMau, Joe Conway) In contrib/pgcrypto functions, ensure sensitive information is cleared from stack variables before returning (Marko Kreen) Prevent use of already-freed memory in contrib/pgstattuple's pgstat_heap() (Noah Misch) In contrib/uuid-ossp, cache the state of the OSSP UUID library across calls (Tom Lane) This improves the efficiency of UUID generation and reduces the amount of entropy drawn from /dev/urandom, on platforms that have that. Update time zone data files to tzdata release 2014e for DST law changes in Crimea, Egypt, and Morocco. 2014-03-20 This release contains a variety of fixes from 9.3.3. For information about new features in the 9.3 major release, see . A dump/restore is not required for those running 9.3.X. However, the error fixed in the first changelog entry below could have resulted in corrupt data on standby servers. It may be prudent to reinitialize standby servers from fresh base backups after installing this update. Also, if you are upgrading from a version earlier than 9.3.3, see . Fix WAL replay of locking an already-updated tuple (Andres Freund, Álvaro Herrera) This error caused updated rows to not be found by index scans, resulting in inconsistent query results depending on whether an index scan was used. Subsequent processing could result in constraint violations, since the previously updated row would not be found by later index searches, thus possibly allowing conflicting rows to be inserted. Since this error is in WAL replay, it would only manifest during crash recovery or on standby servers. The improperly-replayed case most commonly arises when a table row that is referenced by a foreign-key constraint is updated concurrently with creation of a referencing row. Restore GIN metapages unconditionally to avoid torn-page risk (Heikki Linnakangas) Although this oversight could theoretically result in a corrupted index, it is unlikely to have caused any problems in practice, since the active part of a GIN metapage is smaller than a standard 512-byte disk sector. Avoid race condition in checking transaction commit status during receipt of a NOTIFY message (Marko Tiikkaja) This prevents a scenario wherein a sufficiently fast client might respond to a notification before database updates made by the notifier have become visible to the recipient. Allow materialized views to be referenced in UPDATE and DELETE commands (Michael Paquier) Previously such queries failed with a complaint about not being able to lock rows in the materialized view. Allow regular-expression operators to be terminated early by query cancel requests (Tom Lane) This prevents scenarios wherein a pathological regular expression could lock up a server process uninterruptably for a long time. Remove incorrect code that tried to allow OVERLAPS with single-element row arguments (Joshua Yanovski) This code never worked correctly, and since the case is neither specified by the SQL standard nor documented, it seemed better to remove it than fix it. Avoid getting more than AccessShareLock when de-parsing a rule or view (Dean Rasheed) This oversight resulted in pg_dump unexpectedly acquiring RowExclusiveLock locks on tables mentioned as the targets of INSERT/UPDATE/DELETE commands in rules. While usually harmless, that could interfere with concurrent transactions that tried to acquire, for example, ShareLock on those tables. Improve performance of index endpoint probes during planning (Tom Lane) This change fixes a significant performance problem that occurred when there were many not-yet-committed rows at the end of the index, which is a common situation for indexes on sequentially-assigned values such as timestamps or sequence-generated identifiers. Use non-default selectivity estimates for value IN (list) and value operator ANY (array) expressions when the righthand side is a stable expression (Tom Lane) Remove the correct per-database statistics file during DROP DATABASE (Tomas Vondra) This fix prevents a permanent leak of statistics file space. Users who have done many DROP DATABASE commands since upgrading to PostgreSQL 9.3 may wish to check their statistics directory and delete statistics files that do not correspond to any existing database. Please note that db_0.stat should not be removed. Fix walsender ping logic to avoid inappropriate disconnects under continuous load (Andres Freund, Heikki Linnakangas) walsender failed to send ping messages to the client if it was constantly busy sending WAL data; but it expected to see ping responses despite that, and would therefore disconnect once elapsed. Fix walsender's failure to shut down cleanly when client is pg_receivexlog (Fujii Masao) Check WAL level and hot standby parameters correctly when doing crash recovery that will be followed by archive recovery (Heikki Linnakangas) Fix test to see if hot standby connections can be allowed immediately after a crash (Heikki Linnakangas) Add read-only parameter to display whether page checksums are enabled (Heikki Linnakangas) Without this parameter, determining the state of checksum processing was difficult. Prevent interrupts while reporting non-ERROR messages (Tom Lane) This guards against rare server-process freezeups due to recursive entry to syslog(), and perhaps other related problems. Fix memory leak in PL/Perl when returning a composite result, including multiple-OUT-parameter cases (Alex Hunsaker) Fix tracking of psql script line numbers during \copy from out-of-line data (Kumar Rajeev Rastogi, Amit Khandekar) \copy ... from incremented the script file line number for each data line, even if the data was not coming from the script file. This mistake resulted in wrong line numbers being reported for any errors occurring later in the same script file. Fix contrib/postgres_fdw to handle multiple join conditions properly (Tom Lane) This oversight could result in sending WHERE clauses to the remote server for execution even though the clauses are not known to have the same semantics on the remote server (for example, clauses that use non-built-in operators). The query might succeed anyway, but it could also fail with errors from the remote server, or worse give silently wrong answers. Prevent intermittent could not reserve shared memory region failures on recent Windows versions (MauMau) Update time zone data files to tzdata release 2014a for DST law changes in Fiji and Turkey, plus historical changes in Israel and Ukraine. 2014-02-20 This release contains a variety of fixes from 9.3.2. For information about new features in the 9.3 major release, see . A dump/restore is not required for those running 9.3.X. However, several of the issues corrected in this release could have resulted in corruption of foreign-key constraints; that is, there might now be referencing rows for which there is no matching row in the referenced table. It may be worthwhile to recheck such constraints after installing this update. The simplest way to do that is to drop and recreate each suspect constraint; however, that will require taking an exclusive lock on both tables, so it is unlikely to be acceptable in production databases. Alternatively, you can do a manual join query between the two tables to look for unmatched rows. Note also the requirement for replication standby servers to be upgraded before their master server is upgraded. Also, if you are upgrading from a version earlier than 9.3.2, see . Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch) Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role, but this restriction was easily bypassed by doing SET ROLE first. The security impact is mostly that a role member can revoke the access of others, contrary to the wishes of his grantor. Unapproved role member additions are a lesser concern, since an uncooperative role member could provide most of his rights to others anyway by creating views or SECURITY DEFINER functions. (CVE-2014-0060) Prevent privilege escalation via manual calls to PL validator functions (Andres Freund) The primary role of PL validator functions is to be called implicitly during CREATE FUNCTION, but they are also normal SQL functions that a user can call explicitly. Calling a validator on a function actually written in some other language was not checked for and could be exploited for privilege-escalation purposes. The fix involves adding a call to a privilege-checking function in each validator function. Non-core procedural languages will also need to make this change to their own validator functions, if any. (CVE-2014-0061) Avoid multiple name lookups during table and index DDL (Robert Haas, Andres Freund) If the name lookups come to different conclusions due to concurrent activity, we might perform some parts of the DDL on a different table than other parts. At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table than the index creation, allowing for a privilege escalation attack. (CVE-2014-0062) Prevent buffer overrun with long datetime strings (Noah Misch) The MAXDATELEN constant was too small for the longest possible value of type interval, allowing a buffer overrun in interval_out(). Although the datetime input functions were more careful about avoiding buffer overrun, the limit was short enough to cause them to reject some valid inputs, such as input containing a very long timezone name. The ecpg library contained these vulnerabilities along with some of its own. (CVE-2014-0063) Prevent buffer overrun due to integer overflow in size calculations (Noah Misch, Heikki Linnakangas) Several functions, mostly type input functions, calculated an allocation size without checking for overflow. If overflow did occur, a too-small buffer would be allocated and then written past. (CVE-2014-0064) Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich) Use strlcpy() and related functions to provide a clear guarantee that fixed-size buffers are not overrun. Unlike the preceding items, it is unclear whether these cases really represent live issues, since in most cases there appear to be previous constraints on the size of the input string. Nonetheless it seems prudent to silence all Coverity warnings of this type. (CVE-2014-0065) Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian) There are relatively few scenarios in which crypt() could return NULL, but contrib/chkpass would crash if it did. One practical case in which this could be an issue is if libc is configured to refuse to execute unapproved hashing algorithms (e.g., FIPS mode). (CVE-2014-0066) Document risks of make check in the regression testing instructions (Noah Misch, Tom Lane) Since the temporary server started by make check uses trust authentication, another user on the same machine could connect to it as database superuser, and then potentially exploit the privileges of the operating-system user who started the tests. A future release will probably incorporate changes in the testing procedure to prevent this risk, but some public discussion is needed first. So for the moment, just warn people against using make check when there are untrusted users on the same machine. (CVE-2014-0067) Rework tuple freezing protocol (Álvaro Herrera, Andres Freund) The logic for tuple freezing was unable to handle some cases involving freezing of multixact IDs, with the practical effect that shared row-level locks might be forgotten once old enough. Fixing this required changing the WAL record format for tuple freezing. While this is no issue for standalone servers, when using replication it means that standby servers must be upgraded to 9.3.3 or later before their masters are. An older standby will be unable to interpret freeze records generated by a newer master, and will fail with a PANIC message. (In such a case, upgrading the standby should be sufficient to let it resume execution.) Create separate GUC parameters to control multixact freezing (Álvaro Herrera) 9.3 requires multixact tuple labels to be frozen before they grow too old, in the same fashion as plain transaction ID labels have been frozen for some time. Previously, the transaction ID freezing parameters were used for multixact IDs too; but since the consumption rates of transaction IDs and multixact IDs can be quite different, this did not work very well. Introduce new settings , , and to control when to freeze multixacts. Account for remote row locks propagated by local updates (Álvaro Herrera) If a row was locked by transaction A, and transaction B updated it, the new version of the row created by B would be locked by A, yet visible only to B. If transaction B then again updated the row, A's lock wouldn't get checked, thus possibly allowing B to complete when it shouldn't. This case is new in 9.3 since prior versions did not have any types of row locking that would permit another transaction to update the row at all. This oversight could allow referential integrity checks to give false positives (for instance, allow deletes that should have been rejected). Applications using the new commands SELECT FOR KEY SHARE and SELECT FOR NO KEY UPDATE might also have suffered locking failures of this kind. Prevent forgetting valid row locks when one of several holders of a row lock aborts (Álvaro Herrera) This was yet another mechanism by which a shared row lock could be lost, thus possibly allowing updates that should have been prevented by foreign-key constraints. Fix incorrect logic during update chain locking (Álvaro Herrera) This mistake could result in spurious could not serialize access due to concurrent update errors in REPEATABLE READ and SERIALIZABLE transaction isolation modes. Handle wraparound correctly during extension or truncation of pg_multixact/members (Andres Freund, Álvaro Herrera) Fix handling of 5-digit filenames in pg_multixact/members (Álvaro Herrera) As of 9.3, these names can be more than 4 digits, but the directory cleanup code ignored such files. Improve performance of multixact cache code (Álvaro Herrera) Optimize updating a row that's already locked by the same transaction (Andres Freund, Álvaro Herrera) This fixes a performance regression from pre-9.3 versions when doing SELECT FOR UPDATE followed by UPDATE/DELETE. During archive recovery, prefer highest timeline number when WAL segments with the same ID are present in both the archive and pg_xlog/ (Kyotaro Horiguchi) Previously, not-yet-archived segments could get ignored during recovery. This reverts an undesirable behavioral change in 9.3.0 back to the way things worked pre-9.3. Fix possible mis-replay of WAL records when some segments of a relation aren't full size (Greg Stark, Tom Lane) The WAL update could be applied to the wrong page, potentially many pages past where it should have been. Aside from corrupting data, this error has been observed to result in significant bloat of standby servers compared to their masters, due to updates being applied far beyond where the end-of-file should have been. This failure mode does not appear to be a significant risk during crash recovery, only when initially synchronizing a standby created from a base backup taken from a quickly-changing master. Fix bug in determining when recovery has reached consistency (Tomonari Katsumata, Heikki Linnakangas) In some cases WAL replay would mistakenly conclude that the database was already consistent at the start of replay, thus possibly allowing hot-standby queries before the database was really consistent. Other symptoms such as PANIC: WAL contains references to invalid pages were also possible. Fix WAL logging of visibility map changes (Heikki Linnakangas) Fix improper locking of btree index pages while replaying a VACUUM operation in hot-standby mode (Andres Freund, Heikki Linnakangas, Tom Lane) This error could result in PANIC: WAL contains references to invalid pages failures. Ensure that insertions into non-leaf GIN index pages write a full-page WAL record when appropriate (Heikki Linnakangas) The previous coding risked index corruption in the event of a partial-page write during a system crash. When pause_at_recovery_target and recovery_target_inclusive are both set, ensure the target record is applied before pausing, not after (Heikki Linnakangas) Ensure walreceiver sends hot-standby feedback messages on time even when there is a continuous stream of data (Andres Freund, Amit Kapila) Prevent timeout interrupts from taking control away from mainline code unless ImmediateInterruptOK is set (Andres Freund, Tom Lane) This is a serious issue for any application making use of statement timeouts, as it could cause all manner of strange failures after a timeout occurred. We have seen reports of stuck spinlocks, ERRORs being unexpectedly promoted to PANICs, unkillable backends, and other misbehaviors. Fix race conditions during server process exit (Robert Haas) Ensure that signal handlers don't attempt to use the process's MyProc pointer after it's no longer valid. Fix race conditions in walsender shutdown logic and walreceiver SIGHUP signal handler (Tom Lane) Fix unsafe references to errno within error reporting logic (Christian Kruse) This would typically lead to odd behaviors such as missing or inappropriate HINT fields. Fix possible crashes from using ereport() too early during server startup (Tom Lane) The principal case we've seen in the field is a crash if the server is started in a directory it doesn't have permission to read. Clear retry flags properly in OpenSSL socket write function (Alexander Kukushkin) This omission could result in a server lockup after unexpected loss of an SSL-encrypted connection. Fix length checking for Unicode identifiers (U&"..." syntax) containing escapes (Tom Lane) A spurious truncation warning would be printed for such identifiers if the escaped form of the identifier was too long, but the identifier actually didn't need truncation after de-escaping. Fix parsing of Unicode literals and identifiers just before the end of a command string or function body (Tom Lane) Allow keywords that are type names to be used in lists of roles (Stephen Frost) A previous patch allowed such keywords to be used without quoting in places such as role identifiers; but it missed cases where a list of role identifiers was permitted, such as DROP ROLE. Fix parser crash for EXISTS(SELECT * FROM zero_column_table) (Tom Lane) Fix possible crash due to invalid plan for nested sub-selects, such as WHERE (... x IN (SELECT ...) ...) IN (SELECT ...) (Tom Lane) Fix mishandling of WHERE conditions pulled up from a LATERAL subquery (Tom Lane) The typical symptom of this bug was a JOIN qualification cannot refer to other relations error, though subtle logic errors in created plans seem possible as well. Disallow LATERAL references to the target table of an UPDATE/DELETE (Tom Lane) While this might be allowed in some future release, it was unintentional in 9.3, and didn't work quite right anyway. Fix UPDATE/DELETE of an inherited target table that has UNION ALL subqueries (Tom Lane) Without this fix, UNION ALL subqueries aren't correctly inserted into the update plans for inheritance child tables after the first one, typically resulting in no update happening for those child table(s). Fix ANALYZE to not fail on a column that's a domain over a range type (Tom Lane) Ensure that ANALYZE creates statistics for a table column even when all the values in it are too wide (Tom Lane) ANALYZE intentionally omits very wide values from its histogram and most-common-values calculations, but it neglected to do something sane in the case that all the sampled entries are too wide. In ALTER TABLE ... SET TABLESPACE, allow the database's default tablespace to be used without a permissions check (Stephen Frost) CREATE TABLE has always allowed such usage, but ALTER TABLE didn't get the memo. Fix support for extensions containing event triggers (Tom Lane) Fix cannot accept a set error when some arms of a CASE return a set and others don't (Tom Lane) Fix memory leakage in JSON functions (Craig Ringer) Properly distinguish numbers from non-numbers when generating JSON output (Andrew Dunstan) Fix checks for all-zero client addresses in pgstat functions (Kevin Grittner) Fix possible misclassification of multibyte characters by the text search parser (Tom Lane) Non-ASCII characters could be misclassified when using C locale with a multibyte encoding. On Cygwin, non-C locales could fail as well. Fix possible misbehavior in plainto_tsquery() (Heikki Linnakangas) Use memmove() not memcpy() for copying overlapping memory regions. There have been no field reports of this actually causing trouble, but it's certainly risky. Fix placement of permissions checks in pg_start_backup() and pg_stop_backup() (Andres Freund, Magnus Hagander) The previous coding might attempt to do catalog access when it shouldn't. Accept SHIFT_JIS as an encoding name for locale checking purposes (Tatsuo Ishii) Fix *-qualification of named parameters in SQL-language functions (Tom Lane) Given a composite-type parameter named foo, $1.* worked fine, but foo.* not so much. Fix misbehavior of PQhost() on Windows (Fujii Masao) It should return localhost if no host has been specified. Improve error handling in libpq and psql for failures during COPY TO STDOUT/FROM STDIN (Tom Lane) In particular this fixes an infinite loop that could occur in 9.2 and up if the server connection was lost during COPY FROM STDIN. Variants of that scenario might be possible in older versions, or with other client applications. Fix incorrect translation handling in some psql \d commands (Peter Eisentraut, Tom Lane) Ensure pg_basebackup's background process is killed when exiting its foreground process (Magnus Hagander) Fix possible incorrect printing of filenames in pg_basebackup's verbose mode (Magnus Hagander) Avoid including tablespaces inside PGDATA twice in base backups (Dimitri Fontaine, Magnus Hagander) Fix misaligned descriptors in ecpg (MauMau) In ecpg, handle lack of a hostname in the connection parameters properly (Michael Meskes) Fix performance regression in contrib/dblink connection startup (Joe Conway) Avoid an unnecessary round trip when client and server encodings match. In contrib/isn, fix incorrect calculation of the check digit for ISMN values (Fabien Coelho) Fix contrib/pgbench's progress logging to avoid overflow when the scale factor is large (Tatsuo Ishii) Fix contrib/pg_stat_statement's handling of CURRENT_DATE and related constructs (Kyotaro Horiguchi) Improve lost-connection error handling in contrib/postgres_fdw (Tom Lane) Ensure client-code-only installation procedure works as documented (Peter Eisentraut) In Mingw and Cygwin builds, install the libpq DLL in the bin directory (Andrew Dunstan) This duplicates what the MSVC build has long done. It should fix problems with programs like psql failing to start because they can't find the DLL. Avoid using the deprecated dllwrap tool in Cygwin builds (Marco Atzeri) Enable building with Visual Studio 2013 (Brar Piening) Don't generate plain-text HISTORY and src/test/regress/README files anymore (Tom Lane) These text files duplicated the main HTML and PDF documentation formats. The trouble involved in maintaining them greatly outweighs the likely audience for plain-text format. Distribution tarballs will still contain files by these names, but they'll just be stubs directing the reader to consult the main documentation. The plain-text INSTALL file will still be maintained, as there is arguably a use-case for that. Update time zone data files to tzdata release 2013i for DST law changes in Jordan and historical changes in Cuba. In addition, the zones Asia/Riyadh87, Asia/Riyadh88, and Asia/Riyadh89 have been removed, as they are no longer maintained by IANA, and never represented actual civil timekeeping practice. 2013-12-05 This release contains a variety of fixes from 9.3.1. For information about new features in the 9.3 major release, see . A dump/restore is not required for those running 9.3.X. However, this release corrects a number of potential data corruption issues. See the first three changelog entries below to find out whether your installation has been affected and what steps you can take if so. Also, if you are upgrading from a version earlier than 9.3.1, see . Fix VACUUM's tests to see whether it can update relfrozenxid (Andres Freund) In some cases VACUUM (either manual or autovacuum) could incorrectly advance a table's relfrozenxid value, allowing tuples to escape freezing, causing those rows to become invisible once 2^31 transactions have elapsed. The probability of data loss is fairly low since multiple incorrect advancements would need to happen before actual loss occurs, but it's not zero. In 9.2.0 and later, the probability of loss is higher, and it's also possible to get could not access status of transaction errors as a consequence of this bug. Users upgrading from releases 9.0.4 or 8.4.8 or earlier are not affected, but all later versions contain the bug. The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix any latent corruption but will not be able to fix all pre-existing data errors. However, an installation can be presumed safe after performing this vacuuming if it has executed fewer than 2^31 update transactions in its lifetime (check this with SELECT txid_current() < 2^31). Fix multiple bugs in MultiXactId freezing (Andres Freund, Álvaro Herrera) These bugs could lead to could not access status of transaction errors, or to duplicate or vanishing rows. Users upgrading from releases prior to 9.3.0 are not affected. The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix latent corruption but will not be able to fix all pre-existing data errors. As a separate issue, these bugs can also cause standby servers to get out of sync with the primary, thus exhibiting data errors that are not in the primary. Therefore, it's recommended that 9.3.0 and 9.3.1 standby servers be re-cloned from the primary (e.g., with a new base backup) after upgrading. Fix initialization of pg_clog and pg_subtrans during hot standby startup (Andres Freund, Heikki Linnakangas) This bug can cause data loss on standby servers at the moment they start to accept hot-standby queries, by marking committed transactions as uncommitted. The likelihood of such corruption is small unless, at the time of standby startup, the primary server has executed many updating transactions since its last checkpoint. Symptoms include missing rows, rows that should have been deleted being still visible, and obsolete versions of updated rows being still visible alongside their newer versions. This bug was introduced in versions 9.3.0, 9.2.5, 9.1.10, and 9.0.14. Standby servers that have only been running earlier releases are not at risk. It's recommended that standby servers that have ever run any of the buggy releases be re-cloned from the primary (e.g., with a new base backup) after upgrading. Fix multiple bugs in update chain traversal (Andres Freund, Álvaro Herrera) These bugs could result in incorrect behavior, such as locking or even updating the wrong row, in the presence of concurrent updates. Spurious unable to fetch updated version of tuple errors were also possible. Fix dangling-pointer problem in fast-path locking (Tom Lane) This could lead to corruption of the lock data structures in shared memory, causing lock already held and other odd errors. Fix assorted race conditions in timeout management (Tom Lane) These errors could result in a server process becoming unresponsive because it had blocked SIGALRM and/or SIGINT. Truncate pg_multixact contents during WAL replay (Andres Freund) This avoids ever-increasing disk space consumption in standby servers. Ensure an anti-wraparound VACUUM counts a page as scanned when it's only verified that no tuples need freezing (Sergey Burladyan, Jeff Janes) This bug could result in failing to advance relfrozenxid, so that the table would still be thought to need another anti-wraparound vacuum. In the worst case the database might even shut down to prevent wraparound. Fix full-table-vacuum request mechanism for MultiXactIds (Andres Freund) This bug could result in large amounts of useless autovacuum activity. Fix race condition in GIN index posting tree page deletion (Heikki Linnakangas) This could lead to transient wrong answers or query failures. Fix unexpected spgdoinsert() failure error during SP-GiST index creation (Teodor Sigaev) Fix assorted bugs in materialized views (Kevin Grittner, Andres Freund) Re-allow duplicate table aliases if they're within aliased JOINs (Tom Lane) Historically PostgreSQL has accepted queries like SELECT ... FROM tab1 x CROSS JOIN (tab2 x CROSS JOIN tab3 y) z although a strict reading of the SQL standard would forbid the duplicate usage of table alias x. A misguided change in 9.3.0 caused it to reject some such cases that were formerly accepted. Restore the previous behavior. Avoid flattening a subquery whose SELECT list contains a volatile function wrapped inside a sub-SELECT (Tom Lane) This avoids unexpected results due to extra evaluations of the volatile function. Fix planner's processing of non-simple-variable subquery outputs nested within outer joins (Tom Lane) This error could lead to incorrect plans for queries involving multiple levels of subqueries within JOIN syntax. Fix incorrect planning in cases where the same non-strict expression appears in multiple WHERE and outer JOIN equality clauses (Tom Lane) Fix planner crash with whole-row reference to a subquery (Tom Lane) Fix incorrect generation of optimized MIN()/MAX() plans for inheritance trees (Tom Lane) The planner could fail in cases where the MIN()/MAX() argument was an expression rather than a simple variable. Fix premature deletion of temporary files (Andres Freund) Prevent intra-transaction memory leak when printing range values (Tom Lane) This fix actually cures transient memory leaks in any datatype output function, but range types are the only ones known to have had a significant problem. Fix memory leaks when reloading configuration files (Heikki Linnakangas, Hari Babu) Prevent incorrect display of dropped columns in NOT NULL and CHECK constraint violation messages (Michael Paquier and Tom Lane) Allow default arguments and named-argument notation for window functions (Tom Lane) Previously, these cases were likely to crash. Suppress trailing whitespace on each line when pretty-printing rules and views (Tom Lane) 9.3.0 generated such whitespace in many more cases than previous versions did. To reduce unexpected behavioral changes, suppress unnecessary whitespace in all cases. Fix possible read past end of memory in rule printing (Peter Eisentraut) Fix array slicing of int2vector and oidvector values (Tom Lane) Expressions of this kind are now implicitly promoted to regular int2 or oid arrays. Return a valid JSON value when converting an empty hstore value to json (Oskari Saarenmaa) Fix incorrect behaviors when using a SQL-standard, simple GMT offset timezone (Tom Lane) In some cases, the system would use the simple GMT offset value when it should have used the regular timezone setting that had prevailed before the simple offset was selected. This change also causes the timeofday function to honor the simple GMT offset zone. Prevent possible misbehavior when logging translations of Windows error codes (Tom Lane) Properly quote generated command lines in pg_ctl (Naoya Anzai and Tom Lane) This fix applies only to Windows. Fix pg_dumpall to work when a source database sets default_transaction_read_only via ALTER DATABASE SET (Kevin Grittner) Previously, the generated script would fail during restore. Fix pg_isready to handle its -d option properly (Fabrízio de Royes Mello and Fujii Masao) Fix parsing of WAL file names in pg_receivexlog (Heikki Linnakangas) This error made pg_receivexlog unable to restart streaming after stopping, once at least 4 GB of WAL had been written. Report out-of-disk-space failures properly in pg_upgrade (Peter Eisentraut) Make ecpg search for quoted cursor names case-sensitively (Zoltán Böszörményi) Fix ecpg's processing of lists of variables declared varchar (Zoltán Böszörményi) Make contrib/lo defend against incorrect trigger definitions (Marc Cousin) Update time zone data files to tzdata release 2013h for DST law changes in Argentina, Brazil, Jordan, Libya, Liechtenstein, Morocco, and Palestine. Also, new timezone abbreviations WIB, WIT, WITA for Indonesia. 2013-10-10 This release contains a variety of fixes from 9.3.0. For information about new features in the 9.3 major release, see . A dump/restore is not required for those running 9.3.X. However, if you use the hstore extension, see the first changelog entry. Ensure new-in-9.3 JSON functionality is added to the hstore extension during an update (Andrew Dunstan) Users who upgraded a pre-9.3 database containing hstore should execute ALTER EXTENSION hstore UPDATE; after installing 9.3.1, to add two new JSON functions and a cast. (If hstore is already up to date, this command does nothing.) Fix memory leak when creating B-tree indexes on range columns (Heikki Linnakangas) Fix memory leak caused by lo_open() failure (Heikki Linnakangas) Serializable snapshot fixes (Kevin Grittner, Heikki Linnakangas) Fix deadlock bug in libpq when using SSL (Stephen Frost) Fix timeline handling bugs in pg_receivexlog (Heikki Linnakangas, Andrew Gierth) Prevent CREATE FUNCTION from checking SET variables unless function body checking is enabled (Tom Lane) Remove rare inaccurate warning during vacuum of index-less tables (Heikki Linnakangas) 2013-09-09 Major enhancements in PostgreSQL 9.3 include: Add materialized views Make simple views auto-updatable Add many features for the JSON data type, including operators and functions to extract elements from JSON values Implement SQL-standard LATERAL option for FROM-clause subqueries and function calls Allow foreign data wrappers to support writes (inserts/updates/deletes) on foreign tables Add a Postgres foreign data wrapper to allow access to other Postgres servers Add support for event triggers Add optional ability to checksum data pages and report corruption Prevent non-key-field row updates from blocking foreign key checks Greatly reduce System V shared memory requirements The above items are explained in more detail in the sections below. A dump/restore using pg_dumpall, or use of pg_upgrade, is required for those wishing to migrate data from any previous release. Version 9.3 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities: Rename replication_timeout to wal_sender_timeout (Amit Kapila) This setting controls the WAL sender timeout. Require superuser privileges to set commit_delay because it can now potentially delay other sessions (Simon Riggs) Allow in-memory sorts to use their full memory allocation (Jeff Janes) Users who have set work_mem based on the previous behavior may need to revisit that setting. Throw an error if a tuple to be updated or deleted has already been updated or deleted by a BEFORE trigger (Kevin Grittner) Formerly, the originally-intended update was silently skipped, resulting in logical inconsistency since the trigger might have propagated data to other places based on the intended update. Now an error is thrown to prevent the inconsistent results from being committed. If this change affects your application, the best solution is usually to move the data-propagation actions to an AFTER trigger. This error will also be thrown if a query invokes a volatile function that modifies rows that are later modified by the query itself. Such cases likewise previously resulted in silently skipping updates. Change multicolumn ON UPDATE SET NULL/SET DEFAULT foreign key actions to affect all columns of the constraint, not just those changed in the UPDATE (Tom Lane) Previously, we would set only those referencing columns that correspond to referenced columns that were changed by the UPDATE. This was what was required by SQL-92, but more recent editions of the SQL standard specify the new behavior. Force cached plans to be replanned if the search_path changes (Tom Lane) Previously, cached plans already generated in the current session were not redone if the query was re-executed with a new search_path setting, resulting in surprising behavior. Fix to_number() to properly handle a period used as a thousands separator (Tom Lane) Previously, a period was considered to be a decimal point even when the locale says it isn't and the D format code is used to specify use of the locale-specific decimal point. This resulted in wrong answers if FM format was also used. Fix STRICT non-set-returning functions that have set-returning functions in their arguments to properly return null rows (Tom Lane) A null value passed to the strict function should result in a null output, but instead, that output row was suppressed entirely. Store WAL in a continuous stream, rather than skipping the last 16MB segment every 4GB (Heikki Linnakangas) Previously, WAL files with names ending in FF were not used because of this skipping. If you have WAL backup or restore scripts that took this behavior into account, they will need to be adjusted. In pg_constraint.confmatchtype, store the default foreign key match type (non-FULL, non-PARTIAL) as s for simple (Tom Lane) Previously this case was represented by u for unspecified. Below you will find a detailed account of the changes between PostgreSQL 9.3 and the previous major release. Prevent non-key-field row updates from blocking foreign key checks (Álvaro Herrera, Noah Misch, Andres Freund, Alexander Shulgin, Marti Raudsepp, Alexander Shulgin) This change improves concurrency and reduces the probability of deadlocks when updating tables involved in a foreign-key constraint. UPDATEs that do not change any columns referenced in a foreign key now take the new NO KEY UPDATE lock mode on the row, while foreign key checks use the new KEY SHARE lock mode, which does not conflict with NO KEY UPDATE. So there is no blocking unless a foreign-key column is changed. Add configuration variable lock_timeout to allow limiting how long a session will wait to acquire any one lock (Zoltán Böszörményi) Add SP-GiST support for range data types (Alexander Korotkov) Allow GiST indexes to be unlogged (Jeevan Chalke) Improve performance of GiST index insertion by randomizing the choice of which page to descend to when there are multiple equally good alternatives (Heikki Linnakangas) Improve concurrency of hash index operations (Robert Haas) Collect and use histograms of upper and lower bounds, as well as range lengths, for range types (Alexander Korotkov) Improve optimizer's cost estimation for index access (Tom Lane) Improve optimizer's hash table size estimate for doing DISTINCT via hash aggregation (Tom Lane) Suppress no-op Result and Limit plan nodes (Kyotaro Horiguchi, Amit Kapila, Tom Lane) Reduce optimizer overhead by not keeping plans on the basis of cheap startup cost when the optimizer only cares about total cost overall (Tom Lane) Add COPY FREEZE option to avoid the overhead of marking tuples as frozen later (Simon Riggs, Jeff Davis) Improve performance of NUMERIC calculations (Kyotaro Horiguchi) Improve synchronization of sessions waiting for commit_delay (Peter Geoghegan) This greatly improves the usefulness of commit_delay. Improve performance of the CREATE TEMPORARY TABLE ... ON COMMIT DELETE ROWS option by not truncating such temporary tables in transactions that haven't touched any temporary tables (Heikki Linnakangas) Make vacuum recheck visibility after it has removed expired tuples (Pavan Deolasee) This increases the chance of a page being marked as all-visible. Add per-resource-owner lock caches (Jeff Janes) This speeds up lock bookkeeping at statement completion in multi-statement transactions that hold many locks; it is particularly useful for pg_dump. Avoid scanning the entire relation cache at commit of a transaction that creates a new relation (Jeff Janes) This speeds up sessions that create many tables in successive small transactions, such as a pg_restore run. Improve performance of transactions that drop many relations (Tomas Vondra) Add optional ability to checksum data pages and report corruption (Simon Riggs, Jeff Davis, Greg Smith, Ants Aasma) The checksum option can be set during initdb. Split the statistics collector's data file into separate global and per-database files (Tomas Vondra) This reduces the I/O required for statistics tracking. Fix the statistics collector to operate properly in cases where the system clock goes backwards (Tom Lane) Previously, statistics collection would stop until the time again reached the latest time previously recorded. Emit an informative message to postmaster standard error when we are about to stop logging there (Tom Lane) This should help reduce user confusion about where to look for log output in common configurations that log to standard error only during postmaster startup. When an authentication failure occurs, log the relevant pg_hba.conf line, to ease debugging of unintended failures (Magnus Hagander) Improve LDAP error reporting and documentation (Peter Eisentraut) Add support for specifying LDAP authentication parameters in URL format, per RFC 4516 (Peter Eisentraut) Change the ssl_ciphers parameter to start with DEFAULT, rather than ALL, then remove insecure ciphers (Magnus Hagander) This should yield a more appropriate SSL cipher set. Parse and load pg_ident.conf once, not during each connection (Amit Kapila) This is similar to how pg_hba.conf is processed. Greatly reduce System V shared memory requirements (Robert Haas) On Unix-like systems, mmap() is now used for most of PostgreSQL's shared memory. For most users, this will eliminate any need to adjust kernel parameters for shared memory. Allow the postmaster to listen on multiple Unix-domain sockets (Honza Horák) The configuration parameter unix_socket_directory is replaced by unix_socket_directories, which accepts a list of directories. Allow a directory of configuration files to be processed (Magnus Hagander, Greg Smith, Selena Deckelmann) Such a directory is specified with include_dir in the server configuration file. Increase the maximum initdb-configured value for shared_buffers to 128MB (Robert Haas) This is the maximum value that initdb will attempt to set in postgresql.conf; the previous maximum was 32MB. Remove the external PID file, if any, on postmaster exit (Peter Eisentraut) Allow a streaming replication standby to follow a timeline switch (Heikki Linnakangas) This allows streaming standby servers to receive WAL data from a slave newly promoted to master status. Previously, other standbys would require a resync to begin following the new master. Add SQL functions pg_is_in_backup() and pg_backup_start_time() (Gilles Darold) These functions report the status of base backups. Improve performance of streaming log shipping with synchronous_commit disabled (Andres Freund) Allow much faster promotion of a streaming standby to primary (Simon Riggs, Kyotaro Horiguchi) Add the last checkpoint's redo location to pg_controldata's output (Fujii Masao) This information is useful for determining which WAL files are needed for restore. Allow tools like pg_receivexlog to run on computers with different architectures (Heikki Linnakangas) WAL files can still only be replayed on servers with the same architecture as the primary; but they can now be transmitted to and stored on machines of any architecture, since the streaming replication protocol is now machine-independent. Make pg_basebackup --write-recovery-conf output a minimal recovery.conf file (Zoltán Böszörményi, Magnus Hagander) This simplifies setting up a standby server. Allow pg_receivexlog and pg_basebackup --xlog-method to handle streaming timeline switches (Heikki Linnakangas) Add wal_receiver_timeout parameter to control the WAL receiver's timeout (Amit Kapila) This allows more rapid detection of connection failure. Change the WAL record format to allow splitting the record header across pages (Heikki Linnakangas) The new format is slightly more compact, and is more efficient to write. Implement SQL-standard LATERAL option for FROM-clause subqueries and function calls (Tom Lane) This feature allows subqueries and functions in FROM to reference columns from other tables in the FROM clause. The LATERAL keyword is optional for functions. Add support for piping COPY and psql \copy data to/from an external program (Etsuro Fujita) Allow a multirow VALUES clause in a rule to reference OLD/NEW (Tom Lane) Add support for event triggers (Dimitri Fontaine, Robert Haas, Álvaro Herrera) This allows server-side functions written in event-enabled languages to be called when DDL commands are run. Allow foreign data wrappers to support writes (inserts/updates/deletes) on foreign tables (KaiGai Kohei) Add CREATE SCHEMA ... IF NOT EXISTS clause (Fabrízio de Royes Mello) Make REASSIGN OWNED also change ownership of shared objects (Álvaro Herrera) Make CREATE AGGREGATE complain if the given initial value string is not valid input for the transition datatype (Tom Lane) Suppress CREATE TABLE's messages about implicit index and sequence creation (Robert Haas) These messages now appear at DEBUG1 verbosity, so that they will not be shown by default. Allow DROP TABLE IF EXISTS to succeed when a non-existent schema is specified in the table name (Bruce Momjian) Previously, it threw an error if the schema did not exist. Provide clients with constraint violation details as separate fields (Pavel Stehule) This allows clients to retrieve table, column, data type, or constraint name error details. Previously such information had to be extracted from error strings. Client library support is required to access these fields. Support IF NOT EXISTS option in ALTER TYPE ... ADD VALUE (Andrew Dunstan) This is useful for conditionally adding values to enumerated types. Add ALTER ROLE ALL SET to establish settings for all users (Peter Eisentraut) This allows settings to apply to all users in all databases. ALTER DATABASE SET already allowed addition of settings for all users in a single database. postgresql.conf has a similar effect. Add support for ALTER RULE ... RENAME (Ali Dar) Add materialized views (Kevin Grittner) Unlike ordinary views, where the base tables are read on every access, materialized views create physical tables at creation or refresh time. Access to the materialized view then reads from its physical table. There is not yet any facility for incrementally refreshing materialized views or auto-accessing them via base table access. Make simple views auto-updatable (Dean Rasheed) Simple views that reference some or all columns from a single base table are now updatable by default. More complex views can be made updatable using INSTEAD OF triggers or INSTEAD rules. Add CREATE RECURSIVE VIEW syntax (Peter Eisentraut) Internally this is translated into CREATE VIEW ... WITH RECURSIVE .... Improve view/rule printing code to handle cases where referenced tables are renamed, or columns are renamed, added, or dropped (Tom Lane) Table and column renamings can produce cases where, if we merely substitute the new name into the original text of a rule or view, the result is ambiguous. This change fixes the rule-dumping code to insert manufactured table and column aliases when needed to preserve the original semantics. Increase the maximum size of large objects from 2GB to 4TB (Nozomi Anzai, Yugo Nagata) This change includes adding 64-bit-capable large object access functions, both in the server and in libpq. Allow text timezone designations, e.g. America/Chicago, in the T field of ISO-format timestamptz input (Bruce Momjian) Add operators and functions to extract elements from JSON values (Andrew Dunstan) Allow JSON values to be converted into records (Andrew Dunstan) Add functions to convert scalars, records, and hstore values to JSON (Andrew Dunstan) Add array_remove() and array_replace() functions (Marco Nenciarini, Gabriele Bartolini) Allow concat() and format() to properly expand VARIADIC-labeled arguments (Pavel Stehule) Improve format() to provide field width and left/right alignment options (Pavel Stehule) Make to_char(), to_date(), and to_timestamp() handle negative (BC) century values properly (Bruce Momjian) Previously the behavior was either wrong or inconsistent with positive/AD handling, e.g. with the format mask IYYY-IW-DY. Make to_date() and to_timestamp() return proper results when mixing ISO and Gregorian week/day designations (Bruce Momjian) Cause pg_get_viewdef() to start a new line by default after each SELECT target list entry and FROM entry (Marko Tiikkaja) This reduces line length in view printing, for instance in pg_dump output. Fix map_sql_value_to_xml_value() to print values of domain types the same way their base type would be printed (Pavel Stehule) There are special formatting rules for certain built-in types such as boolean; these rules now also apply to domains over these types. Allow PL/pgSQL to use RETURN with a composite-type expression (Asif Rehman) Previously, in a function returning a composite type, RETURN could only reference a variable of that type. Allow PL/pgSQL to access constraint violation details as separate fields (Pavel Stehule) Allow PL/pgSQL to access the number of rows processed by COPY (Pavel Stehule) A COPY executed in a PL/pgSQL function now updates the value retrieved by GET DIAGNOSTICS x = ROW_COUNT. Allow unreserved keywords to be used as identifiers everywhere in PL/pgSQL (Tom Lane) In certain places in the PL/pgSQL grammar, keywords had to be quoted to be used as identifiers, even if they were nominally unreserved. Add PL/Python result object string handler (Peter Eisentraut) This allows plpy.debug(rv) to output something reasonable. Make PL/Python convert OID values to a proper Python numeric type (Peter Eisentraut) Handle SPI errors raised explicitly (with PL/Python's RAISE) the same as internal SPI errors (Oskari Saarenmaa and Jan Urbanski) Prevent leakage of SPI tuple tables during subtransaction abort (Tom Lane) At the end of any failed subtransaction, the core SPI code now releases any SPI tuple tables that were created during that subtransaction. This avoids the need for SPI-using code to keep track of such tuple tables and release them manually in error-recovery code. Failure to do so caused a number of transaction-lifespan memory leakage issues in PL/pgSQL and perhaps other SPI clients. SPI_freetuptable() now protects itself against multiple freeing requests, so any existing code that did take care to clean up shouldn't be broken by this change. Allow SPI functions to access the number of rows processed by COPY (Pavel Stehule) Add command-line utility pg_isready to check if the server is ready to accept connections (Phil Sorber) Support multiple --table arguments for pg_restore, clusterdb, reindexdb, and vacuumdb (Josh Kupershmidt) This is similar to the way pg_dump's --table option works. Add --dbname option to pg_dumpall, pg_basebackup, and pg_receivexlog to allow specifying a connection string (Amit Kapila) Add libpq function PQconninfo() to return connection information (Zoltán Böszörményi, Magnus Hagander) Adjust function cost settings so psql tab completion and pattern searching are more efficient (Tom Lane) Improve psql's tab completion coverage (Jeff Janes, Dean Rasheed, Peter Eisentraut, Magnus Hagander) Allow the psql --single-transaction mode to work when reading from standard input (Fabien Coelho, Robert Haas) Previously this option only worked when reading from a file. Remove psql warning when connecting to an older server (Peter Eisentraut) A warning is still issued when connecting to a server of a newer major version than psql's. Add psql command \watch to repeatedly execute a SQL command (Will Leinweber) Add psql command \gset to store query results in psql variables (Pavel Stehule) Add SSL information to psql's \conninfo command (Alastair Turner) Add Security column to psql's \df+ output (Jon Erdman) Allow psql command \l to accept a database name pattern (Peter Eisentraut) In psql, do not allow \connect to use defaults if there is no active connection (Bruce Momjian) This might be the case if the server had crashed. Properly reset state after failure of a SQL command executed with psql's \g file (Tom Lane) Previously, the output from subsequent SQL commands would unexpectedly continue to go to the same file. Add a latex-longtable output format to psql (Bruce Momjian) This format allows tables to span multiple pages. Add a border=3 output mode to the psql latex format (Bruce Momjian) In psql's tuples-only and expanded output modes, no longer emit (No rows) for zero rows (Peter Eisentraut) In psql's unaligned, expanded output mode, no longer print an empty line for zero rows (Peter Eisentraut) Add pg_dump --jobs option to dump tables in parallel (Joachim Wieland) Make pg_dump output functions in a more predictable order (Joel Jacobson) Fix tar files emitted by pg_dump to be POSIX conformant (Brian Weaver, Tom Lane) Add --dbname option to pg_dump, for consistency with other client commands (Heikki Linnakangas) The database name could already be supplied last without a flag. Make initdb fsync the newly created data directory (Jeff Davis) This insures data integrity in event of a system crash shortly after initdb. This can be disabled by using --nosync. Add initdb --sync-only option to sync the data directory to durable storage (Bruce Momjian) This is used by pg_upgrade. Make initdb issue a warning about placing the data directory at the top of a file system mount point (Bruce Momjian) Add infrastructure to allow plug-in background worker processes (Álvaro Herrera) Create a centralized timeout API (Zoltán Böszörményi) Create libpgcommon and move pg_malloc() and other functions there (Álvaro Herrera, Andres Freund) This allows libpgport to be used solely for portability-related code. Add support for list links embedded in larger structs (Andres Freund) Use SA_RESTART for all signals, including SIGALRM (Tom Lane) Ensure that the correct text domain is used when translating errcontext() messages (Heikki Linnakangas) Standardize naming of client-side memory allocation functions (Tom Lane) Provide support for static assertions that will fail at compile time if some compile-time-constant condition is not met (Andres Freund, Tom Lane) Support Assert() in client-side code (Andrew Dunstan) Add decoration to inform the C compiler that some ereport() and elog() calls do not return (Peter Eisentraut, Andres Freund, Tom Lane, Heikki Linnakangas) Allow options to be passed to the regression test output comparison utility via PG_REGRESS_DIFF_OPTS (Peter Eisentraut) Add isolation tests for CREATE INDEX CONCURRENTLY (Abhijit Menon-Sen) Remove typedefs for int2/int4 as they are better represented as int16/int32 (Peter Eisentraut) Fix install-strip on Mac OS X (Peter Eisentraut) Remove configure flag --disable-shared, as it is no longer supported (Bruce Momjian) Rewrite pgindent in Perl (Andrew Dunstan) Provide Emacs macro to set Perl formatting to match PostgreSQL's perltidy settings (Peter Eisentraut) Run tool to check the keyword list whenever the backend grammar is changed (Tom Lane) Change the way UESCAPE is lexed, to significantly reduce the size of the lexer tables (Heikki Linnakangas) Centralize flex and bison make rules (Peter Eisentraut) This is useful for pgxs authors. Change many internal backend functions to return object OIDs rather than void (Dimitri Fontaine) This is useful for event triggers. Invent pre-commit/pre-prepare/pre-subcommit events for transaction callbacks (Tom Lane) Loadable modules that use transaction callbacks might need modification to handle these new event types. Add function pg_identify_object() to produce a machine-readable description of a database object (Álvaro Herrera) Add post-ALTER-object server hooks (KaiGai Kohei) Implement a generic binary heap and use it for Merge-Append operations (Abhijit Menon-Sen) Provide a tool to help detect timezone abbreviation changes when updating the src/timezone/data files (Tom Lane) Add pkg-config support for libpq and ecpg libraries (Peter Eisentraut) Remove src/tools/backend, now that the content is on the PostgreSQL wiki (Bruce Momjian) Split out WAL reading as an independent facility (Heikki Linnakangas, Andres Freund) Use a 64-bit integer to represent WAL positions (XLogRecPtr) instead of two 32-bit integers (Heikki Linnakangas) Generally, tools that need to read the WAL format will need to be adjusted. Allow PL/Python to support platform-specific include directories (Peter Eisentraut) Allow PL/Python on OS X to build against custom versions of Python (Peter Eisentraut) Add a Postgres foreign data wrapper contrib module to allow access to other Postgres servers (Shigeru Hanada) This foreign data wrapper supports writes. Add pg_xlogdump contrib program (Andres Freund) Add support for indexing of regular-expression searches in pg_trgm (Alexander Korotkov) Improve pg_trgm's handling of multibyte characters (Tom Lane) On a platform that does not have the wcstombs() or towlower() library functions, this could result in an incompatible change in the contents of pg_trgm indexes for non-ASCII data. In such cases, REINDEX those indexes to ensure correct search results. Add a pgstattuple function to report the size of the pending-insertions list of a GIN index (Fujii Masao) Make oid2name, pgbench, and vacuumlo set fallback_application_name (Amit Kapila) Improve output of pg_test_timing (Bruce Momjian) Improve output of pg_test_fsync (Peter Geoghegan) Create a dedicated foreign data wrapper, with its own option validator function, for dblink (Shigeru Hanada) When using this FDW to define the target of a dblink connection, instead of using a hard-wired list of connection options, the underlying libpq library is consulted to see what connection options it supports. Allow pg_upgrade to do dumps and restores in parallel (Bruce Momjian, Andrew Dunstan) This allows parallel schema dump/restore of databases, as well as parallel copy/link of data files per tablespace. Use the --jobs option to specify the level of parallelism. Make pg_upgrade create Unix-domain sockets in the current directory (Bruce Momjian, Tom Lane) This reduces the possibility that someone will accidentally connect during the upgrade. Make pg_upgrade --check mode properly detect the location of non-default socket directories (Bruce Momjian, Tom Lane) Improve performance of pg_upgrade for databases with many tables (Bruce Momjian) Improve pg_upgrade's logs by showing executed commands (Álvaro Herrera) Improve pg_upgrade's status display during copy/link (Bruce Momjian) Add --foreign-keys option to pgbench (Jeff Janes) This adds foreign key constraints to the standard tables created by pgbench, for use in foreign key performance testing. Allow pgbench to aggregate performance statistics and produce output every --aggregate-interval seconds (Tomas Vondra) Add pgbench --sampling-rate option to control the percentage of transactions logged (Tomas Vondra) Reduce and improve the status message output of pgbench's initialization mode (Robert Haas, Peter Eisentraut) Add pgbench -q mode to print one output line every five seconds (Tomas Vondra) Output pgbench elapsed and estimated remaining time during initialization (Tomas Vondra) Allow pgbench to use much larger scale factors, by changing relevant columns from integer to bigint when the requested scale factor exceeds 20000 (Greg Smith) Allow EPUB-format documentation to be created (Peter Eisentraut) Update FreeBSD kernel configuration documentation (Brad Davis) Improve WINDOW function documentation (Bruce Momjian, Florian Pflug) Add instructions for setting up the documentation tool chain on macOS (Peter Eisentraut) Improve commit_delay documentation (Peter Geoghegan)