1
1
<!-- doc/src/sgml/release-9.2.sgml -->
2
2
<!-- See header comment in release.sgml about typical markup -->
4
<sect1 id="release-9-2-10">
5
<title>Release 9.2.10</title>
8
<title>Release Date</title>
9
<simpara>2015-02-05</simpara>
13
This release contains a variety of fixes from 9.2.9.
14
For information about new features in the 9.2 major release, see
15
<xref linkend="release-9-2">.
19
<title>Migration to Version 9.2.10</title>
22
A dump/restore is not required for those running 9.2.X.
26
However, if you are a Windows user and are using the <quote>Norwegian
27
(Bokmål)</> locale, manual action is needed after the upgrade to
28
replace any <quote>Norwegian (Bokmål)_Norway</> locale names stored
29
in <productname>PostgreSQL</> system catalogs with the plain-ASCII
30
alias <quote>Norwegian_Norway</>. For details see
31
<ulink url="http://wiki.postgresql.org/wiki/Changes_To_Norwegian_Locale"></>
35
Also, if you are upgrading from a version earlier than 9.2.9,
36
see <xref linkend="release-9-2-9">.
42
<title>Changes</title>
48
Fix buffer overruns in <function>to_char()</>
53
When <function>to_char()</> processes a numeric formatting template
54
calling for a large number of digits, <productname>PostgreSQL</>
55
would read past the end of a buffer. When processing a crafted
56
timestamp formatting template, <productname>PostgreSQL</> would write
57
past the end of a buffer. Either case could crash the server.
58
We have not ruled out the possibility of attacks that lead to
59
privilege escalation, though they seem unlikely.
66
Fix buffer overrun in replacement <function>*printf()</> functions
71
<productname>PostgreSQL</> includes a replacement implementation
72
of <function>printf</> and related functions. This code will overrun
73
a stack buffer when formatting a floating point number (conversion
74
specifiers <literal>e</>, <literal>E</>, <literal>f</>, <literal>F</>,
75
<literal>g</> or <literal>G</>) with requested precision greater than
76
about 500. This will crash the server, and we have not ruled out the
77
possibility of attacks that lead to privilege escalation.
78
A database user can trigger such a buffer overrun through
79
the <function>to_char()</> SQL function. While that is the only
80
affected core <productname>PostgreSQL</> functionality, extension
81
modules that use printf-family functions may be at risk as well.
85
This issue primarily affects <productname>PostgreSQL</> on Windows.
86
<productname>PostgreSQL</> uses the system implementation of these
87
functions where adequate, which it is on other modern platforms.
94
Fix buffer overruns in <filename>contrib/pgcrypto</>
95
(Marko Tiikkaja, Noah Misch)
99
Errors in memory size tracking within the <filename>pgcrypto</>
100
module permitted stack buffer overruns and improper dependence on the
101
contents of uninitialized memory. The buffer overrun cases can
102
crash the server, and we have not ruled out the possibility of
103
attacks that lead to privilege escalation.
110
Fix possible loss of frontend/backend protocol synchronization after
116
If any error occurred while the server was in the middle of reading a
117
protocol message from the client, it could lose synchronization and
118
incorrectly try to interpret part of the message's data as a new
119
protocol message. An attacker able to submit crafted binary data
120
within a command parameter might succeed in injecting his own SQL
121
commands this way. Statement timeout and query cancellation are the
122
most likely sources of errors triggering this scenario. Particularly
123
vulnerable are applications that use a timeout and also submit
124
arbitrary user-crafted data as binary query parameters. Disabling
125
statement timeout will reduce, but not eliminate, the risk of
126
exploit. Our thanks to Emil Lenngren for reporting this issue.
133
Fix information leak via constraint-violation error messages
138
Some server error messages show the values of columns that violate
139
a constraint, such as a unique constraint. If the user does not have
140
<literal>SELECT</> privilege on all columns of the table, this could
141
mean exposing values that the user should not be able to see. Adjust
142
the code so that values are displayed only when they came from the SQL
143
command or could be selected by the user.
150
Lock down regression testing's temporary installations on Windows
155
Use SSPI authentication to allow connections only from the OS user
156
who launched the test suite. This closes on Windows the same
157
vulnerability previously closed on other platforms, namely that other
158
users might be able to connect to the test postmaster.
165
Cope with the Windows locale named <quote>Norwegian (Bokmål)</>
170
Non-ASCII locale names are problematic since it's not clear what
171
encoding they should be represented in. Map the troublesome locale
172
name to a plain-ASCII alias, <quote>Norwegian_Norway</>.
178
Avoid possible data corruption if <command>ALTER DATABASE SET
179
TABLESPACE</> is used to move a database to a new tablespace and then
180
shortly later move it back to its original tablespace (Tom Lane)
186
Avoid corrupting tables when <command>ANALYZE</> inside a transaction
187
is rolled back (Andres Freund, Tom Lane, Michael Paquier)
191
If the failing transaction had earlier removed the last index, rule, or
192
trigger from the table, the table would be left in a corrupted state
193
with the relevant <structname>pg_class</> flags not set though they
200
Ensure that unlogged tables are copied correctly
201
during <command>CREATE DATABASE</> or <command>ALTER DATABASE SET
202
TABLESPACE</> (Pavan Deolasee, Andres Freund)
208
Fix <command>DROP</>'s dependency searching to correctly handle the
209
case where a table column is recursively visited before its table
210
(Petr Jelinek, Tom Lane)
214
This case is only known to arise when an extension creates both a
215
datatype and a table using that datatype. The faulty code might
216
refuse a <command>DROP EXTENSION</> unless <literal>CASCADE</> is
217
specified, which should not be required.
223
Fix use-of-already-freed-memory problem in EvalPlanQual processing
228
In <literal>READ COMMITTED</> mode, queries that lock or update
229
recently-updated rows could crash as a result of this bug.
235
Fix planning of <command>SELECT FOR UPDATE</> when using a partial
236
index on a child table (Kyotaro Horiguchi)
240
In <literal>READ COMMITTED</> mode, <command>SELECT FOR UPDATE</> must
241
also recheck the partial index's <literal>WHERE</> condition when
242
rechecking a recently-updated row to see if it still satisfies the
243
query's <literal>WHERE</> condition. This requirement was missed if the
244
index belonged to an inheritance child table, so that it was possible
245
to incorrectly return rows that no longer satisfy the query condition.
251
Fix corner case wherein <command>SELECT FOR UPDATE</> could return a row
252
twice, and possibly miss returning other rows (Tom Lane)
256
In <literal>READ COMMITTED</> mode, a <command>SELECT FOR UPDATE</>
257
that is scanning an inheritance tree could incorrectly return a row
258
from a prior child table instead of the one it should return from a
265
Reject duplicate column names in the referenced-columns list of
266
a <literal>FOREIGN KEY</> declaration (David Rowley)
270
This restriction is per SQL standard. Previously we did not reject
271
the case explicitly, but later on the code would fail with
272
bizarre-looking errors.
278
Restore previous behavior of conversion of domains to JSON
283
This change causes domains over numeric and boolean to be treated
284
like their base types for purposes of conversion to JSON. It worked
285
like that before 9.3.5 and 9.2.9, but was unintentionally changed
286
while fixing a related problem.
292
Fix bugs in raising a <type>numeric</> value to a large integral power
297
The previous code could get a wrong answer, or consume excessive
298
amounts of time and memory before realizing that the answer must
305
In <function>numeric_recv()</>, truncate away any fractional digits
306
that would be hidden according to the value's <literal>dscale</> field
311
A <type>numeric</> value's display scale (<literal>dscale</>) should
312
never be less than the number of nonzero fractional digits; but
313
apparently there's at least one broken client application that
314
transmits binary <type>numeric</> values in which that's true.
315
This leads to strange behavior since the extra digits are taken into
316
account by arithmetic operations even though they aren't printed.
317
The least risky fix seems to be to truncate away such <quote>hidden</>
318
digits on receipt, so that the value is indeed what it prints as.
324
Fix incorrect search for shortest-first regular expression matches
329
Matching would often fail when the number of allowed iterations is
330
limited by a <literal>?</> quantifier or a bound expression.
336
Reject out-of-range numeric timezone specifications (Tom Lane)
340
Simple numeric timezone specifications exceeding +/- 168 hours (one
341
week) would be accepted, but could then cause null-pointer dereference
342
crashes in certain operations. There's no use-case for such large UTC
343
offsets, so reject them.
349
Fix bugs in <type>tsquery</> <literal>@></> <type>tsquery</>
350
operator (Heikki Linnakangas)
354
Two different terms would be considered to match if they had the same
355
CRC. Also, if the second operand had more terms than the first, it
356
would be assumed not to be contained in the first; which is wrong
357
since it might contain duplicate terms.
363
Improve ispell dictionary's defenses against bad affix files (Tom Lane)
369
Allow more than 64K phrases in a thesaurus dictionary (David Boutin)
373
The previous coding could crash on an oversize dictionary, so this was
374
deemed a back-patchable bug fix rather than a feature addition.
380
Fix namespace handling in <function>xpath()</> (Ali Akbar)
384
Previously, the <type>xml</> value resulting from
385
an <function>xpath()</> call would not have namespace declarations if
386
the namespace declarations were attached to an ancestor element in the
387
input <type>xml</> value, rather than to the specific element being
388
returned. Propagate the ancestral declaration so that the result is
389
correct when considered in isolation.
395
Ensure that whole-row variables expose nonempty column names
396
to functions that pay attention to column names within composite
401
In some contexts, constructs like <literal>row_to_json(tab.*)</> may
402
not produce the expected column names. This is fixed properly as of
403
9.4; in older branches, just ensure that we produce some nonempty
404
name. (In some cases this will be the underlying table's column name
405
rather than the query-assigned alias that should theoretically be
412
Fix mishandling of system columns,
413
particularly <structfield>tableoid</>, in FDW queries (Etsuro Fujita)
419
Avoid doing <literal><replaceable>indexed_column</> = ANY
420
(<replaceable>array</>)</literal> as an index qualifier if that leads
421
to an inferior plan (Andrew Gierth)
425
In some cases, <literal>= ANY</> conditions applied to non-first index
426
columns would be done as index conditions even though it would be
427
better to use them as simple filter conditions.
433
Fix planner problems with nested append relations, such as inherited
434
tables within <literal>UNION ALL</> subqueries (Tom Lane)
440
Fail cleanly when a GiST index tuple doesn't fit on a page, rather
441
than going into infinite recursion (Andrew Gierth)
447
Exempt tables that have per-table <varname>cost_limit</>
448
and/or <varname>cost_delay</> settings from autovacuum's global cost
449
balancing rules (Álvaro Herrera)
453
The previous behavior resulted in basically ignoring these per-table
454
settings, which was unintended. Now, a table having such settings
455
will be vacuumed using those settings, independently of what is going
456
on in other autovacuum workers. This may result in heavier total I/O
457
load than before, so such settings should be re-examined for sanity.
463
Avoid wholesale autovacuuming when autovacuum is nominally off
468
Even when autovacuum is nominally off, we will still launch autovacuum
469
worker processes to vacuum tables that are at risk of XID wraparound.
470
However, such a worker process then proceeded to vacuum all tables in
471
the target database, if they met the usual thresholds for
472
autovacuuming. This is at best pretty unexpected; at worst it delays
473
response to the wraparound threat. Fix it so that if autovacuum is
474
turned off, workers <emphasis>only</> do anti-wraparound vacuums and
481
During crash recovery, ensure that unlogged relations are rewritten as
482
empty and are synced to disk before recovery is considered complete
483
(Abhijit Menon-Sen, Andres Freund)
487
This prevents scenarios in which unlogged relations might contain
488
garbage data following database crash recovery.
494
Fix race condition between hot standby queries and replaying a
495
full-page image (Heikki Linnakangas)
499
This mistake could result in transient errors in queries being
500
executed in hot standby.
506
Fix several cases where recovery logic improperly ignored WAL records
507
for <literal>COMMIT/ABORT PREPARED</> (Heikki Linnakangas)
511
The most notable oversight was
512
that <varname>recovery_min_apply_delay</> failed to delay application
513
of a two-phase commit.
519
Prevent latest WAL file from being archived a second time at completion
520
of crash recovery (Fujii Masao)
526
Avoid creating unnecessary <filename>.ready</> marker files for
527
timeline history files (Fujii Masao)
533
Fix possible null pointer dereference when an empty prepared statement
534
is used and the <varname>log_statement</> setting is <literal>mod</>
535
or <literal>ddl</> (Fujii Masao)
541
Change <quote>pgstat wait timeout</> warning message to be LOG level,
542
and rephrase it to be more understandable (Tom Lane)
546
This message was originally thought to be essentially a can't-happen
547
case, but it occurs often enough on our slower buildfarm members to be
548
a nuisance. Reduce it to LOG level, and expend a bit more effort on
549
the wording: it now reads <quote>using stale statistics instead of
550
current ones because stats collector is not responding</>.
556
Fix SPARC spinlock implementation to ensure correctness if the CPU is
557
being run in a non-TSO coherency mode, as some non-Solaris kernels do
564
Warn if OS X's <function>setlocale()</> starts an unwanted extra
565
thread inside the postmaster (Noah Misch)
571
Fix processing of repeated <literal>dbname</> parameters
572
in <function>PQconnectdbParams()</> (Alex Shulgin)
576
Unexpected behavior ensued if the first occurrence
577
of <literal>dbname</> contained a connection string or URI to be
584
Ensure that <application>libpq</> reports a suitable error message on
585
unexpected socket EOF (Marko Tiikkaja, Tom Lane)
589
Depending on kernel behavior, <application>libpq</> might return an
590
empty error string rather than something useful when the server
591
unexpectedly closed the socket.
597
Clear any old error message during <function>PQreset()</>
602
If <function>PQreset()</> is called repeatedly, and the connection
603
cannot be re-established, error messages from the failed connection
604
attempts kept accumulating in the <structname>PGconn</>'s error
611
Properly handle out-of-memory conditions while parsing connection
612
options in <application>libpq</> (Alex Shulgin, Heikki Linnakangas)
618
Fix array overrun in <application>ecpg</>'s version
619
of <function>ParseDateTime()</> (Michael Paquier)
625
In <application>initdb</>, give a clearer error message if a password
626
file is specified but is empty (Mats Erik Andersson)
632
Fix <application>psql</>'s <command>\s</> command to work nicely with
633
libedit, and add pager support (Stepan Rutz, Tom Lane)
637
When using libedit rather than readline, <command>\s</> printed the
638
command history in a fairly unreadable encoded format, and on recent
639
libedit versions might fail altogether. Fix that by printing the
640
history ourselves rather than having the library do it. A pleasant
641
side-effect is that the pager is used if appropriate.
645
This patch also fixes a bug that caused newline encoding to be applied
646
inconsistently when saving the command history with libedit.
647
Multiline history entries written by older <application>psql</>
648
versions will be read cleanly with this patch, but perhaps not
649
vice versa, depending on the exact libedit versions involved.
655
Improve consistency of parsing of <application>psql</>'s special
660
Allow variant spellings of <literal>on</> and <literal>off</> (such
661
as <literal>1</>/<literal>0</>) for <literal>ECHO_HIDDEN</>
662
and <literal>ON_ERROR_ROLLBACK</>. Report a warning for unrecognized
663
values for <literal>COMP_KEYWORD_CASE</>, <literal>ECHO</>,
664
<literal>ECHO_HIDDEN</>, <literal>HISTCONTROL</>,
665
<literal>ON_ERROR_ROLLBACK</>, and <literal>VERBOSITY</>. Recognize
666
all values for all these variables case-insensitively; previously
667
there was a mishmash of case-sensitive and case-insensitive behaviors.
673
Fix <application>psql</>'s expanded-mode display to work
674
consistently when using <literal>border</> = 3
675
and <literal>linestyle</> = <literal>ascii</> or <literal>unicode</>
682
Improve performance of <application>pg_dump</> when the database
683
contains many instances of multiple dependency paths between the same
684
two objects (Tom Lane)
690
Fix <application>pg_dumpall</> to restore its ability to dump from
691
pre-8.1 servers (Gilles Darold)
697
Fix possible deadlock during parallel restore of a schema-only dump
698
(Robert Haas, Tom Lane)
704
Fix core dump in <literal>pg_dump --binary-upgrade</> on zero-column
705
composite type (Rushabh Lathia)
711
Prevent WAL files created by <literal>pg_basebackup -x/-X</> from
712
being archived again when the standby is promoted (Andres Freund)
718
Fix failure of <filename>contrib/auto_explain</> to print per-node
719
timing information when doing <command>EXPLAIN ANALYZE</> (Tom Lane)
725
Fix upgrade-from-unpackaged script for <filename>contrib/citext</>
732
Fix block number checking
733
in <filename>contrib/pageinspect</>'s <function>get_raw_page()</>
738
The incorrect checking logic could prevent access to some pages in
739
non-main relation forks.
745
Fix <filename>contrib/pgcrypto</>'s <function>pgp_sym_decrypt()</>
746
to not fail on messages whose length is 6 less than a power of 2
753
Fix file descriptor leak in <filename>contrib/pg_test_fsync</>
758
This could cause failure to remove temporary files on Windows.
764
Handle unexpected query results, especially NULLs, safely in
765
<filename>contrib/tablefunc</>'s <function>connectby()</>
770
<function>connectby()</> previously crashed if it encountered a NULL
771
key value. It now prints that row but doesn't recurse further.
777
Avoid a possible crash in <filename>contrib/xml2</>'s
778
<function>xslt_process()</> (Mark Simonetti)
782
<application>libxslt</> seems to have an undocumented dependency on
783
the order in which resources are freed; reorder our calls to avoid a
790
Mark some <filename>contrib</> I/O functions with correct volatility
791
properties (Tom Lane)
795
The previous over-conservative marking was immaterial in normal use,
796
but could cause optimization problems or rejection of valid index
797
expression definitions. Since the consequences are not large, we've
798
just adjusted the function definitions in the extension modules'
799
scripts, without changing version numbers.
805
Numerous cleanups of warnings from Coverity static code analyzer
806
(Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier)
810
These changes are mostly cosmetic but in some cases fix corner-case
811
bugs, for example a crash rather than a proper error report after an
812
out-of-memory failure. None are believed to represent security
819
Detect incompatible OpenLDAP versions during build (Noah Misch)
823
With OpenLDAP versions 2.4.24 through 2.4.31,
824
inclusive, <productname>PostgreSQL</> backends can crash at exit.
825
Raise a warning during <application>configure</> based on the
826
compile-time OpenLDAP version number, and test the crashing scenario
827
in the <filename>contrib/dblink</> regression test.
833
In non-MSVC Windows builds, ensure <filename>libpq.dll</> is installed
834
with execute permissions (Noah Misch)
840
Make <application>pg_regress</> remove any temporary installation it
841
created upon successful exit (Tom Lane)
845
This results in a very substantial reduction in disk space usage
846
during <literal>make check-world</>, since that sequence involves
847
creation of numerous temporary installations.
853
Support time zone abbreviations that change UTC offset from time to
858
Previously, <productname>PostgreSQL</> assumed that the UTC offset
859
associated with a time zone abbreviation (such as <literal>EST</>)
860
never changes in the usage of any particular locale. However this
861
assumption fails in the real world, so introduce the ability for a
862
zone abbreviation to represent a UTC offset that sometimes changes.
863
Update the zone abbreviation definition files to make use of this
864
feature in timezone locales that have changed the UTC offset of their
865
abbreviations since 1970 (according to the IANA timezone database).
866
In such timezones, <productname>PostgreSQL</> will now associate the
867
correct UTC offset with the abbreviation depending on the given date.
873
Update time zone abbreviations lists (Tom Lane)
877
Add CST (China Standard Time) to our lists.
878
Remove references to ADT as <quote>Arabia Daylight Time</>, an
879
abbreviation that's been out of use since 2007; therefore, claiming
880
there is a conflict with <quote>Atlantic Daylight Time</> doesn't seem
882
Fix entirely incorrect GMT offsets for CKT (Cook Islands), FJT, and FJST
883
(Fiji); we didn't even have them on the proper side of the date line.
889
Update time zone data files to <application>tzdata</> release 2015a.
893
The IANA timezone database has adopted abbreviations of the form
894
<literal>A<replaceable>x</>ST</literal>/<literal>A<replaceable>x</>DT</literal>
895
for all Australian time zones, reflecting what they believe to be
896
current majority practice Down Under. These names do not conflict
897
with usage elsewhere (other than ACST for Acre Summer Time, which has
898
been in disuse since 1994). Accordingly, adopt these names into
899
our <quote>Default</> timezone abbreviation set.
900
The <quote>Australia</> abbreviation set now contains only CST, EAST,
901
EST, SAST, SAT, and WST, all of which are thought to be mostly
902
historical usage. Note that SAST has also been changed to be South
903
Africa Standard Time in the <quote>Default</> abbreviation set.
907
Also, add zone abbreviations SRET (Asia/Srednekolymsk) and XJT
908
(Asia/Urumqi), and use WSST/WSDT for western Samoa. Also, there were
909
DST law changes in Chile, Mexico, the Turks & Caicos Islands
910
(America/Grand_Turk), and Fiji. There is a new zone
911
Pacific/Bougainville for portions of Papua New Guinea. Also, numerous
912
corrections for historical (pre-1970) time zone data.
4
921
<sect1 id="release-9-2-9">
5
922
<title>Release 9.2.9</title>
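Review bot: The paragraph at new lines 511-513 names <varname>recovery_min_apply_delay</> as the most notable oversight, but that setting was introduced in 9.4 and does not exist in the 9.2 branch, so the sentence reads as carried over from a newer branch's notes. Reword it to describe the symptom a 9.2 user can actually hit, or drop it and keep only the COMMIT/ABORT PREPARED summary at 506-507. Separately, the autovacuum item at 447-457 says per-table <varname>cost_limit</>/<varname>cost_delay</> settings "should be re-examined for sanity" because total I/O load may rise, yet the Migration section at 19-36 mentions only the Norwegian locale and the pointer to 9.2.9. A one-sentence pointer there to the autovacuum item would reach administrators who read only the migration notes before upgrading.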