<!-- doc/src/sgml/release-9.0.sgml -->
<!-- See header comment in release.sgml about typical markup -->

<sect1 id="release-9-0-19">
<title>Release 9.0.19</title>

<title>Release Date</title>
<simpara>2015-02-05</simpara>

This release contains a variety of fixes from 9.0.18.
For information about new features in the 9.0 major release, see
<xref linkend="release-9-0">.

<title>Migration to Version 9.0.19</title>

A dump/restore is not required for those running 9.0.X.

However, if you are upgrading from a version earlier than 9.0.18,
see <xref linkend="release-9-0-18">.

<title>Changes</title>

Fix buffer overruns in <function>to_char()</>

When <function>to_char()</> processes a numeric formatting template
calling for a large number of digits, <productname>PostgreSQL</>
would read past the end of a buffer. When processing a crafted
timestamp formatting template, <productname>PostgreSQL</> would write
past the end of a buffer. Either case could crash the server.
We have not ruled out the possibility of attacks that lead to
privilege escalation, though they seem unlikely.

Fix buffer overrun in replacement <function>*printf()</> functions

<productname>PostgreSQL</> includes a replacement implementation
of <function>printf</> and related functions. This code will overrun
a stack buffer when formatting a floating point number (conversion
specifiers <literal>e</>, <literal>E</>, <literal>f</>, <literal>F</>,
<literal>g</> or <literal>G</>) with requested precision greater than
about 500. This will crash the server, and we have not ruled out the
possibility of attacks that lead to privilege escalation.
A database user can trigger such a buffer overrun through
the <function>to_char()</> SQL function. While that is the only
affected core <productname>PostgreSQL</> functionality, extension
modules that use printf-family functions may be at risk as well.

This issue primarily affects <productname>PostgreSQL</> on Windows.
<productname>PostgreSQL</> uses the system implementation of these
functions where adequate, which it is on other modern platforms.
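
For extension code that passes a caller-controlled precision to a printf-family function, the following added example (not PostgreSQL source code) measures how much space a floating-point conversion needs and shows a bounded formatter that rejects oversized output. The 512-byte buffer size and all function names are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define CONV_BUF_SIZE 512   /* assumed size of a fixed stack conversion buffer */

/*
 * The unsafe pattern, kept as a comment so nothing here overruns:
 *
 *     char buf[CONV_BUF_SIZE];
 *     sprintf(buf, "%.*f", precision, value);    precision chosen by caller
 */

/* Bytes "%.*f" needs for this value and precision, not counting the NUL. */
int needed_len(double value, int precision)
{
    return snprintf(NULL, 0, "%.*f", precision, value);
}

/* 1 if the conversion plus its NUL fits in CONV_BUF_SIZE bytes, else 0. */
int fits_fixed_buffer(double value, int precision)
{
    int n = needed_len(value, precision);

    return n >= 0 && (size_t) n < CONV_BUF_SIZE;
}

/*
 * Hardened form: bounded write, and truncation is reported as an error
 * instead of being silently accepted. Returns the length written, or -1.
 */
int format_fixed(char *out, size_t outsz, double value, int precision)
{
    int n;

    if (out == NULL || outsz == 0)
        return -1;
    if (precision < 0)
        precision = 6;              /* printf's default precision */
    n = snprintf(out, outsz, "%.*f", precision, value);
    if (n < 0 || (size_t) n >= outsz)
    {
        out[0] = '\0';              /* never hand back a truncated number */
        return -1;
    }
    return n;
}

int main(void)
{
    char   buf[CONV_BUF_SIZE];
    int    precisions[] = {6, 200, 509, 510, 600};   /* constructed inputs */
    double values[] = {1.0, 1e308};
    size_t i, j;

    for (j = 0; j < 2; j++)
        for (i = 0; i < 5; i++)
            printf("value=%g precision=%d needs=%d fits=%d checked=%d\n",
                   values[j], precisions[i],
                   needed_len(values[j], precisions[i]),
                   fits_fixed_buffer(values[j], precisions[i]),
                   format_fixed(buf, sizeof buf, values[j], precisions[i]));
    return 0;
}
```

The required length is the number of integer digits plus the decimal point plus the precision, so with this assumed buffer a value near the top of the double range stops fitting at a much smaller precision than a small value does.
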

Fix buffer overruns in <filename>contrib/pgcrypto</>
(Marko Tiikkaja, Noah Misch)

Errors in memory size tracking within the <filename>pgcrypto</>
module permitted stack buffer overruns and improper dependence on the
contents of uninitialized memory. The buffer overrun cases can
crash the server, and we have not ruled out the possibility of
attacks that lead to privilege escalation.

Fix possible loss of frontend/backend protocol synchronization after

If any error occurred while the server was in the middle of reading a
protocol message from the client, it could lose synchronization and
incorrectly try to interpret part of the message's data as a new
protocol message. An attacker able to submit crafted binary data
within a command parameter might succeed in injecting his own SQL
commands this way. Statement timeout and query cancellation are the
most likely sources of errors triggering this scenario. Particularly
vulnerable are applications that use a timeout and also submit
arbitrary user-crafted data as binary query parameters. Disabling
statement timeout will reduce, but not eliminate, the risk of
exploit. Our thanks to Emil Lenngren for reporting this issue.
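
The desynchronization described above can be reproduced with a toy reader for type-byte plus length-prefixed frames. This is an added example, not PostgreSQL source code: the frame contents are constructed and simplified, and the names <literal>Conn</>, <literal>read_frame</> and <literal>on_error</> are hypothetical. The hardened variant assumes that the safe response to an error raised in the middle of a frame is to stop trusting the stream.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { MSG_EOF = 0, MSG_ERROR = -1, MSG_FATAL = -2 };

typedef struct
{
    const uint8_t *buf;
    size_t      len, pos;
    int         reading_msg;    /* header consumed, body not fully consumed */
    int         lost_sync;      /* framing can no longer be trusted */
} Conn;

/* Constructed stream: one 'B' frame whose 18-byte body carries binary
 * parameter data that happens to look like a frame, then one 'S' frame. */
static const uint8_t STREAM[] = {
    'B', 0, 0, 0, 22,
    'A', 'A', 'A', 'A',
    'Q', 0, 0, 0, 13, 'S', 'E', 'L', 'E', 'C', 'T', ' ', '1', 0,
    'S', 0, 0, 0, 4
};

/* Error recovery hook: the hardened variant refuses to resume mid-frame. */
static void on_error(Conn *c, int hardened)
{
    if (hardened && c->reading_msg)
        c->lost_sync = 1;
    c->reading_msg = 0;
}

/*
 * Read one frame: 1 type byte, a 4-byte big-endian length that counts
 * itself, then the body. fail_after >= 0 simulates an error (for example a
 * statement timeout) raised after that many body bytes were consumed.
 * Returns the type byte or one of the MSG_* codes.
 */
int read_frame(Conn *c, long fail_after, int hardened)
{
    const uint8_t *p;
    uint32_t    n;
    size_t      body;

    if (hardened && c->lost_sync)
        return MSG_FATAL;       /* caller must drop the connection */
    if (c->pos == c->len)
        return MSG_EOF;
    if (c->len - c->pos < 5)
        return MSG_FATAL;
    p = c->buf + c->pos;
    n = ((uint32_t) p[1] << 24) | ((uint32_t) p[2] << 16) |
        ((uint32_t) p[3] << 8) | (uint32_t) p[4];
    if (n < 4 || n - 4 > c->len - c->pos - 5)
        return MSG_FATAL;
    body = n - 4;
    c->pos += 5;
    c->reading_msg = 1;
    if (fail_after >= 0 && (size_t) fail_after < body)
    {
        c->pos += (size_t) fail_after;  /* partial read, then the error */
        on_error(c, hardened);
        return MSG_ERROR;
    }
    c->pos += body;
    c->reading_msg = 0;
    return p[0];
}

/* First frame fails after 4 body bytes; report what the next read yields. */
int second_read_after_error(int hardened)
{
    Conn c = {STREAM, sizeof STREAM, 0, 0, 0};

    if (read_frame(&c, 4, hardened) != MSG_ERROR)
        return -3;              /* scenario setup failed */
    return read_frame(&c, -1, hardened);
}

int main(void)
{
    printf("naive reader, next frame type: %c\n", second_read_after_error(0));
    printf("hardened reader, next result:  %d\n", second_read_after_error(1));
    return 0;
}
```

The naive reader resumes inside the first frame's body and reports a frame type the client never sent as a message; the hardened reader returns a fatal status instead.
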

Fix information leak via constraint-violation error messages

Some server error messages show the values of columns that violate
a constraint, such as a unique constraint. If the user does not have
<literal>SELECT</> privilege on all columns of the table, this could
mean exposing values that the user should not be able to see. Adjust
the code so that values are displayed only when they came from the SQL
command or could be selected by the user.

Lock down regression testing's temporary installations on Windows

Use SSPI authentication to allow connections only from the OS user
who launched the test suite. This closes on Windows the same
vulnerability previously closed on other platforms, namely that other
users might be able to connect to the test postmaster.

Avoid possible data corruption if <command>ALTER DATABASE SET
TABLESPACE</> is used to move a database to a new tablespace and then
shortly later move it back to its original tablespace (Tom Lane)

Avoid corrupting tables when <command>ANALYZE</> inside a transaction
is rolled back (Andres Freund, Tom Lane, Michael Paquier)

If the failing transaction had earlier removed the last index, rule, or
trigger from the table, the table would be left in a corrupted state
with the relevant <structname>pg_class</> flags not set though they

Fix use-of-already-freed-memory problem in EvalPlanQual processing

In <literal>READ COMMITTED</> mode, queries that lock or update
recently-updated rows could crash as a result of this bug.

Fix planning of <command>SELECT FOR UPDATE</> when using a partial
index on a child table (Kyotaro Horiguchi)

In <literal>READ COMMITTED</> mode, <command>SELECT FOR UPDATE</> must
also recheck the partial index's <literal>WHERE</> condition when
rechecking a recently-updated row to see if it still satisfies the
query's <literal>WHERE</> condition. This requirement was missed if the
index belonged to an inheritance child table, so that it was possible
to incorrectly return rows that no longer satisfy the query condition.

Fix corner case wherein <command>SELECT FOR UPDATE</> could return a row
twice, and possibly miss returning other rows (Tom Lane)

In <literal>READ COMMITTED</> mode, a <command>SELECT FOR UPDATE</>
that is scanning an inheritance tree could incorrectly return a row
from a prior child table instead of the one it should return from a

Reject duplicate column names in the referenced-columns list of
a <literal>FOREIGN KEY</> declaration (David Rowley)

This restriction is per SQL standard. Previously we did not reject
the case explicitly, but later on the code would fail with
bizarre-looking errors.

Fix bugs in raising a <type>numeric</> value to a large integral power

The previous code could get a wrong answer, or consume excessive
amounts of time and memory before realizing that the answer must

In <function>numeric_recv()</>, truncate away any fractional digits
that would be hidden according to the value's <literal>dscale</> field

A <type>numeric</> value's display scale (<literal>dscale</>) should
never be less than the number of nonzero fractional digits; but
apparently there's at least one broken client application that
transmits binary <type>numeric</> values in which that's true.
This leads to strange behavior since the extra digits are taken into
account by arithmetic operations even though they aren't printed.
The least risky fix seems to be to truncate away such <quote>hidden</>
digits on receipt, so that the value is indeed what it prints as.

Reject out-of-range numeric timezone specifications (Tom Lane)

Simple numeric timezone specifications exceeding +/- 168 hours (one
week) would be accepted, but could then cause null-pointer dereference
crashes in certain operations. There's no use-case for such large UTC
offsets, so reject them.

Fix bugs in <type>tsquery</> <literal>@></> <type>tsquery</>
operator (Heikki Linnakangas)

Two different terms would be considered to match if they had the same
CRC. Also, if the second operand had more terms than the first, it
would be assumed not to be contained in the first; which is wrong
since it might contain duplicate terms.

Improve ispell dictionary's defenses against bad affix files (Tom Lane)

Allow more than 64K phrases in a thesaurus dictionary (David Boutin)

The previous coding could crash on an oversize dictionary, so this was
deemed a back-patchable bug fix rather than a feature addition.

Fix namespace handling in <function>xpath()</> (Ali Akbar)

Previously, the <type>xml</> value resulting from
an <function>xpath()</> call would not have namespace declarations if
the namespace declarations were attached to an ancestor element in the
input <type>xml</> value, rather than to the specific element being
returned. Propagate the ancestral declaration so that the result is
correct when considered in isolation.

Fix planner problems with nested append relations, such as inherited
tables within <literal>UNION ALL</> subqueries (Tom Lane)

Fail cleanly when a GiST index tuple doesn't fit on a page, rather
than going into infinite recursion (Andrew Gierth)

Exempt tables that have per-table <varname>cost_limit</>
and/or <varname>cost_delay</> settings from autovacuum's global cost
balancing rules (Álvaro Herrera)

The previous behavior resulted in basically ignoring these per-table
settings, which was unintended. Now, a table having such settings
will be vacuumed using those settings, independently of what is going
on in other autovacuum workers. This may result in heavier total I/O
load than before, so such settings should be re-examined for sanity.

Avoid wholesale autovacuuming when autovacuum is nominally off

Even when autovacuum is nominally off, we will still launch autovacuum
worker processes to vacuum tables that are at risk of XID wraparound.
However, such a worker process then proceeded to vacuum all tables in
the target database, if they met the usual thresholds for
autovacuuming. This is at best pretty unexpected; at worst it delays
response to the wraparound threat. Fix it so that if autovacuum is
turned off, workers <emphasis>only</> do anti-wraparound vacuums and

Fix race condition between hot standby queries and replaying a
full-page image (Heikki Linnakangas)

This mistake could result in transient errors in queries being
executed in hot standby.

Fix several cases where recovery logic improperly ignored WAL records
for <literal>COMMIT/ABORT PREPARED</> (Heikki Linnakangas)

The most notable oversight was
that <varname>recovery_min_apply_delay</> failed to delay application
of a two-phase commit.

Avoid creating unnecessary <filename>.ready</> marker files for
timeline history files (Fujii Masao)

Fix possible null pointer dereference when an empty prepared statement
is used and the <varname>log_statement</> setting is <literal>mod</>
or <literal>ddl</> (Fujii Masao)

Change <quote>pgstat wait timeout</> warning message to be LOG level,
and rephrase it to be more understandable (Tom Lane)

This message was originally thought to be essentially a can't-happen
case, but it occurs often enough on our slower buildfarm members to be
a nuisance. Reduce it to LOG level, and expend a bit more effort on
the wording: it now reads <quote>using stale statistics instead of
current ones because stats collector is not responding</>.

Fix SPARC spinlock implementation to ensure correctness if the CPU is
being run in a non-TSO coherency mode, as some non-Solaris kernels do

Warn if OS X's <function>setlocale()</> starts an unwanted extra
thread inside the postmaster (Noah Misch)

Fix processing of repeated <literal>dbname</> parameters
in <function>PQconnectdbParams()</> (Alex Shulgin)

Unexpected behavior ensued if the first occurrence
of <literal>dbname</> contained a connection string or URI to be

Ensure that <application>libpq</> reports a suitable error message on
unexpected socket EOF (Marko Tiikkaja, Tom Lane)

Depending on kernel behavior, <application>libpq</> might return an
empty error string rather than something useful when the server
unexpectedly closed the socket.

Clear any old error message during <function>PQreset()</>

If <function>PQreset()</> is called repeatedly, and the connection
cannot be re-established, error messages from the failed connection
attempts kept accumulating in the <structname>PGconn</>'s error

Properly handle out-of-memory conditions while parsing connection
options in <application>libpq</> (Alex Shulgin, Heikki Linnakangas)

Fix array overrun in <application>ecpg</>'s version
of <function>ParseDateTime()</> (Michael Paquier)

In <application>initdb</>, give a clearer error message if a password
file is specified but is empty (Mats Erik Andersson)

Fix <application>psql</>'s <command>\s</> command to work nicely with
libedit, and add pager support (Stepan Rutz, Tom Lane)

When using libedit rather than readline, <command>\s</> printed the
command history in a fairly unreadable encoded format, and on recent
libedit versions might fail altogether. Fix that by printing the
history ourselves rather than having the library do it. A pleasant
side-effect is that the pager is used if appropriate.

This patch also fixes a bug that caused newline encoding to be applied
inconsistently when saving the command history with libedit.
Multiline history entries written by older <application>psql</>
versions will be read cleanly with this patch, but perhaps not
vice versa, depending on the exact libedit versions involved.

Improve consistency of parsing of <application>psql</>'s special

Allow variant spellings of <literal>on</> and <literal>off</> (such
as <literal>1</>/<literal>0</>) for <literal>ECHO_HIDDEN</>
and <literal>ON_ERROR_ROLLBACK</>. Report a warning for unrecognized
values for <literal>COMP_KEYWORD_CASE</>, <literal>ECHO</>,
<literal>ECHO_HIDDEN</>, <literal>HISTCONTROL</>,
<literal>ON_ERROR_ROLLBACK</>, and <literal>VERBOSITY</>. Recognize
all values for all these variables case-insensitively; previously
there was a mishmash of case-sensitive and case-insensitive behaviors.

Fix <application>psql</>'s expanded-mode display to work
consistently when using <literal>border</> = 3
and <literal>linestyle</> = <literal>ascii</> or <literal>unicode</>

Fix possible deadlock during parallel restore of a schema-only dump
(Robert Haas, Tom Lane)

Fix core dump in <literal>pg_dump --binary-upgrade</> on zero-column
composite type (Rushabh Lathia)

Fix block number checking
in <filename>contrib/pageinspect</>'s <function>get_raw_page()</>

The incorrect checking logic could prevent access to some pages in
non-main relation forks.

Fix <filename>contrib/pgcrypto</>'s <function>pgp_sym_decrypt()</>
to not fail on messages whose length is 6 less than a power of 2

Handle unexpected query results, especially NULLs, safely in
<filename>contrib/tablefunc</>'s <function>connectby()</>

<function>connectby()</> previously crashed if it encountered a NULL
key value. It now prints that row but doesn't recurse further.

Avoid a possible crash in <filename>contrib/xml2</>'s
<function>xslt_process()</> (Mark Simonetti)

<application>libxslt</> seems to have an undocumented dependency on
the order in which resources are freed; reorder our calls to avoid a

Numerous cleanups of warnings from Coverity static code analyzer
(Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier)

These changes are mostly cosmetic but in some cases fix corner-case
bugs, for example a crash rather than a proper error report after an
out-of-memory failure. None are believed to represent security

Detect incompatible OpenLDAP versions during build (Noah Misch)

With OpenLDAP versions 2.4.24 through 2.4.31,
inclusive, <productname>PostgreSQL</> backends can crash at exit.
Raise a warning during <application>configure</> based on the
compile-time OpenLDAP version number, and test the crashing scenario
in the <filename>contrib/dblink</> regression test.

In non-MSVC Windows builds, ensure <filename>libpq.dll</> is installed
with execute permissions (Noah Misch)

Make <application>pg_regress</> remove any temporary installation it
created upon successful exit (Tom Lane)

This results in a very substantial reduction in disk space usage
during <literal>make check-world</>, since that sequence involves
creation of numerous temporary installations.

Support time zone abbreviations that change UTC offset from time to

Previously, <productname>PostgreSQL</> assumed that the UTC offset
associated with a time zone abbreviation (such as <literal>EST</>)
never changes in the usage of any particular locale. However this
assumption fails in the real world, so introduce the ability for a
zone abbreviation to represent a UTC offset that sometimes changes.
Update the zone abbreviation definition files to make use of this
feature in timezone locales that have changed the UTC offset of their
abbreviations since 1970 (according to the IANA timezone database).
In such timezones, <productname>PostgreSQL</> will now associate the
correct UTC offset with the abbreviation depending on the given date.

Update time zone abbreviations lists (Tom Lane)

Add CST (China Standard Time) to our lists.
Remove references to ADT as <quote>Arabia Daylight Time</>, an
abbreviation that's been out of use since 2007; therefore, claiming
there is a conflict with <quote>Atlantic Daylight Time</> doesn't seem
Fix entirely incorrect GMT offsets for CKT (Cook Islands), FJT, and FJST
(Fiji); we didn't even have them on the proper side of the date line.

Update time zone data files to <application>tzdata</> release 2015a.

The IANA timezone database has adopted abbreviations of the form
<literal>A<replaceable>x</>ST</literal>/<literal>A<replaceable>x</>DT</literal>
for all Australian time zones, reflecting what they believe to be
current majority practice Down Under. These names do not conflict
with usage elsewhere (other than ACST for Acre Summer Time, which has
been in disuse since 1994). Accordingly, adopt these names into
our <quote>Default</> timezone abbreviation set.
The <quote>Australia</> abbreviation set now contains only CST, EAST,
EST, SAST, SAT, and WST, all of which are thought to be mostly
historical usage. Note that SAST has also been changed to be South
Africa Standard Time in the <quote>Default</> abbreviation set.

Also, add zone abbreviations SRET (Asia/Srednekolymsk) and XJT
(Asia/Urumqi), and use WSST/WSDT for western Samoa. Also, there were
DST law changes in Chile, Mexico, the Turks & Caicos Islands
(America/Grand_Turk), and Fiji. There is a new zone
Pacific/Bougainville for portions of Papua New Guinea. Also, numerous
corrections for historical (pre-1970) time zone data.

<sect1 id="release-9-0-18">
<title>Release 9.0.18</title>

<title>Release Date</title>
<simpara>2014-07-24</simpara>

This release contains a variety of fixes from 9.0.17.
For information about new features in the 9.0 major release, see
<xref linkend="release-9-0">.

<title>Migration to Version 9.0.18</title>

A dump/restore is not required for those running 9.0.X.

However, this release corrects an index corruption problem in some GiST
indexes. See the first changelog entry below to find out whether your
installation has been affected and what steps you should take if so.

Also, if you are upgrading from a version earlier than 9.0.15,
see <xref linkend="release-9-0-15">.

<title>Changes</title>

Correctly initialize padding bytes in <filename>contrib/btree_gist</>
indexes on <type>bit</> columns (Heikki Linnakangas)

This error could result in incorrect query results due to values that
should compare equal not being seen as equal.
Users with GiST indexes on <type>bit</> or <type>bit varying</>
columns should <command>REINDEX</> those indexes after installing this

Protect against torn pages when deleting GIN list pages (Heikki

This fix prevents possible index corruption if a system crash occurs
while the page update is being written to disk.

Don't clear the right-link of a GiST index page while replaying
updates from WAL (Heikki Linnakangas)

This error could lead to transiently wrong answers from GiST index
scans performed in Hot Standby.

Fix possibly-incorrect cache invalidation during nested calls
to <function>ReceiveSharedInvalidMessages</> (Andres Freund)

Don't assume a subquery's output is unique if there's a set-returning
function in its targetlist (David Rowley)

This oversight could lead to misoptimization of constructs
like <literal>WHERE x IN (SELECT y, generate_series(1,10) FROM t GROUP

Fix failure to detoast fields in composite elements of structured

This corrects cases where TOAST pointers could be copied into other
tables without being dereferenced. If the original data is later
deleted, it would lead to errors like <quote>missing chunk number 0
for toast value ...</> when the now-dangling pointer is used.

Fix <quote>record type has not been registered</> failures with
whole-row references to the output of Append plan nodes (Tom Lane)

Fix possible crash when invoking a user-defined function while
rewinding a cursor (Tom Lane)

Fix query-lifespan memory leak while evaluating the arguments for a
function in <literal>FROM</> (Tom Lane)

Fix session-lifespan memory leaks in regular-expression processing
(Tom Lane, Arthur O'Dwyer, Greg Stark)

Fix data encoding error in <filename>hungarian.stop</> (Tom Lane)

Fix liveness checks for rows that were inserted in the current
transaction and then deleted by a now-rolled-back subtransaction

This could cause problems (at least spurious warnings, and at worst an
infinite loop) if <command>CREATE INDEX</> or <command>CLUSTER</> were
done later in the same transaction.

Clear <structname>pg_stat_activity</>.<structfield>xact_start</>
during <command>PREPARE TRANSACTION</> (Andres Freund)

After the <command>PREPARE</>, the originating session is no longer in
a transaction, so it should not continue to display a transaction

Fix <command>REASSIGN OWNED</> to not fail for text search objects
(Álvaro Herrera)

Block signals during postmaster startup (Tom Lane)

This ensures that the postmaster will properly clean up after itself
if, for example, it receives <systemitem>SIGINT</> while still

Secure Unix-domain sockets of temporary postmasters started during
<literal>make check</> (Noah Misch)

Any local user able to access the socket file could connect as the
server's bootstrap superuser, then proceed to execute arbitrary code as
the operating-system user running the test, as we previously noted in
CVE-2014-0067. This change defends against that risk by placing the
server's socket in a temporary, mode 0700 subdirectory
of <filename>/tmp</>. The hazard remains however on platforms where
Unix sockets are not supported, notably Windows, because then the
temporary postmaster must accept local TCP connections.

A useful side effect of this change is to simplify
<literal>make check</> testing in builds that
override <literal>DEFAULT_PGSOCKET_DIR</>. Popular non-default values
like <filename>/var/run/postgresql</> are often not writable by the
build user, requiring workarounds that will no longer be necessary.
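
The defense described above, a listening Unix-domain socket placed inside a private mode 0700 directory under <filename>/tmp</>, can be sketched as follows. This is an added example, not the <application>pg_regress</> implementation: the directory template, the port number in the socket name and all function names are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L     /* for mkdtemp() and lstat() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Permission bits of path if it is a directory owned by us, else -1. */
int private_dir_mode(const char *path)
{
    struct stat st;

    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid())
        return -1;
    return (int) (st.st_mode & 0777);
}

/*
 * Create a fresh directory under /tmp (mkdtemp creates it with mode 0700),
 * verify it, and bind a listening socket inside it. Other local users
 * cannot traverse the directory, so they cannot reach the socket file.
 * Returns the listening fd and fills dir and sockpath, or -1 on failure.
 */
int open_private_socket(char *dir, size_t dirsz, char *sockpath, size_t pathsz)
{
    struct sockaddr_un addr;
    int         fd, n;

    n = snprintf(dir, dirsz, "/tmp/sockdir-example-XXXXXX");
    if (n < 0 || (size_t) n >= dirsz || mkdtemp(dir) == NULL)
        return -1;
    if (private_dir_mode(dir) != 0700)
        goto fail_dir;
    n = snprintf(sockpath, pathsz, "%s/.s.PGSQL.5432", dir);
    if (n < 0 || (size_t) n >= pathsz || (size_t) n >= sizeof(addr.sun_path))
        goto fail_dir;
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        goto fail_dir;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, sockpath, (size_t) n + 1);
    if (bind(fd, (struct sockaddr *) &addr, sizeof(addr)) != 0 ||
        listen(fd, 8) != 0)
    {
        close(fd);
        unlink(sockpath);
        goto fail_dir;
    }
    return fd;

fail_dir:
    rmdir(dir);
    return -1;
}

/* Close the socket and remove the socket file and its directory. */
int close_private_socket(int fd, const char *dir, const char *sockpath)
{
    int rc = 0;

    if (close(fd) != 0)
        rc = -1;
    if (unlink(sockpath) != 0)
        rc = -1;
    if (rmdir(dir) != 0)
        rc = -1;
    return rc;
}

int main(void)
{
    char dir[64], path[128];
    int  fd = open_private_socket(dir, sizeof dir, path, sizeof path);

    if (fd < 0)
        return 1;
    printf("listening on %s (directory mode %o)\n", path, private_dir_mode(dir));
    return close_private_socket(fd, dir, path) == 0 ? 0 : 1;
}
```
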

Fix tablespace creation WAL replay to work on Windows (MauMau)

Fix detection of socket creation failures on Windows (Bruce Momjian)

On Windows, allow new sessions to absorb values of PGC_BACKEND
parameters (such as <xref linkend="guc-log-connections">) from the
configuration file (Amit Kapila)

Previously, if such a parameter were changed in the file post-startup,
the change would have no effect.

Properly quote executable path names on Windows (Nikhil Deshpande)

This oversight could cause <application>initdb</>
and <application>pg_upgrade</> to fail on Windows, if the installation
path contained both spaces and <literal>@</> signs.

Fix linking of <application>libpython</> on OS X (Tom Lane)

The method we previously used can fail with the Python library
supplied by Xcode 5.0 and later.

Avoid buffer bloat in <application>libpq</> when the server
consistently sends data faster than the client can absorb it
(Shin-ichi Morita, Tom Lane)

<application>libpq</> could be coerced into enlarging its input buffer
until it runs out of memory (which would be reported misleadingly
as <quote>lost synchronization with server</>). Under ordinary
circumstances it's quite far-fetched that data could be continuously
transmitted more quickly than the <function>recv()</> loop can
absorb it, but this has been observed when the client is artificially
slowed by scheduler constraints.

Ensure that LDAP lookup attempts in <application>libpq</> time out as
intended (Laurenz Albe)

Fix <application>ecpg</> to do the right thing when an array
of <type>char *</> is the target for a FETCH statement returning more
than one row, as well as some other array-handling fixes

Fix <application>pg_restore</>'s processing of old-style large object

A direct-to-database restore from an archive file generated by a
pre-9.0 version of <application>pg_dump</> would usually fail if the
archive contained more than a few comments for large objects.

In <filename>contrib/pgcrypto</> functions, ensure sensitive
information is cleared from stack variables before returning

In <filename>contrib/uuid-ossp</>, cache the state of the OSSP UUID
library across calls (Tom Lane)

This improves the efficiency of UUID generation and reduces the amount
of entropy drawn from <filename>/dev/urandom</>, on platforms that

Update time zone data files to <application>tzdata</> release 2014e
for DST law changes in Crimea, Egypt, and Morocco.

<sect1 id="release-9-0-17">
<title>Release 9.0.17</title>