E.40. Release 10.18
Release date: 2021-08-12
This release contains a variety of fixes from 10.17. For information about new features in major release 10, see Section E.58.
E.40.1. Migration to Version 10.18
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.16, see Section E.42.
E.40.2. Changes
- Disallow SSL renegotiation more completely (Michael Paquier) - SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issue CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer. 
- Reject - SELECT ... GROUP BY GROUPING SETS (()) FOR UPDATE(Tom Lane)- This should be disallowed, just as - FOR UPDATEwith a plain- GROUP BYis disallowed, but the test for that failed to handle empty grouping sets correctly. The end result would be a null-pointer dereference in the executor.
- Reject cases where a query in - WITHrewrites to just- NOTIFY(Tom Lane)- Such cases previously crashed. 
- In - numericmultiplication, round the result rather than failing if it would have more than 16383 digits after the decimal point (Dean Rasheed)
- Fix corner-case errors and loss of precision when raising - numericvalues to very large powers (Dean Rasheed)
- Fix division-by-zero failure in - to_char()with- EEEEformat and a- numericinput value less than 10^(-1001) (Dean Rasheed)
- Fix - pg_size_pretty(bigint)to round negative values consistently with the way it rounds positive ones (and consistently with the- numericversion) (Dean Rasheed, David Rowley)
- Make - pg_filenode_relation(0, 0)return NULL rather than failing (Justin Pryzby)
- Make - ALTER EXTENSIONlock the extension when adding or removing a member object (Tom Lane)- The previous coding allowed - ALTER EXTENSION ADD/DROPto occur concurrently with- DROP EXTENSION, leading to a crash or corrupt catalog entries.
- Fix - ALTER SUBSCRIPTIONto reject an empty slot name (Japin Li)
- Avoid alias conflicts in queries generated for - REFRESH MATERIALIZED VIEW CONCURRENTLY(Tom Lane, Bharath Rupireddy)- This command failed on materialized views containing columns with certain names, notably - mvand- newdata.
- Fix - PREPARE TRANSACTIONto check correctly for conflicting session-lifespan and transaction-lifespan locks (Tom Lane)- A transaction cannot be prepared if it has both session-lifespan and transaction-lifespan locks on the same advisory-lock ID value. This restriction was not fully checked, which could lead to a PANIC during - PREPARE TRANSACTION.
- Fix misbehavior of - DROP OWNED BYwhen the target role is listed more than once in an RLS policy (Tom Lane)
- Skip unnecessary error tests when removing a role from an RLS policy during - DROP OWNED BY(Tom Lane)- Notably, this fixes some cases where it was necessary to be a superuser to use - DROP OWNED BY.
- Allow index state flags to be updated transactionally (Michael Paquier, Andrey Lepikhov) - This avoids failures when dealing with index predicates that aren't really immutable. While that's not considered a supported case, the original reason for using a non-transactional update here is long gone, so we may as well change it. 
- Avoid corrupting the plan cache entry when - CREATE DOMAINor- ALTER DOMAINappears in a cached plan (Tom Lane)
- Make walsenders show their latest replication commands in - pg_stat_activity(Tom Lane)- Previously, a walsender would show its latest SQL command, which was confusing if it's now doing some replication operation instead. Now we show replication-protocol commands on the same footing as SQL commands. 
- Make - pg_settings.- pending_restartshow as true when the pertinent entry in- postgresql.confhas been removed (Álvaro Herrera)- pending_restartcorrectly showed the case where an entry that cannot be changed without a postmaster restart has been modified, but not where the entry had been removed altogether.
- Fix corner-case failure of a new standby to follow a new primary (Dilip Kumar, Robert Haas) - Under a narrow combination of conditions, the standby could wind up trying to follow the wrong WAL timeline. 
- Update minimum recovery point when WAL replay of a transaction abort record causes file truncation (Fujii Masao) - File truncation is irreversible, so it's no longer safe to stop recovery at a point earlier than that record. The corresponding case for transaction commit was fixed years ago, but this one was overlooked. 
- In walreceivers, avoid attempting catalog lookups after an error (Masahiko Sawada, Bharath Rupireddy) 
- Ensure that a standby server's startup process will respond to a shutdown signal promptly while waiting for WAL to arrive (Fujii Masao, Soumyadeep Chakraborty) 
- Add locking to avoid reading incorrect relmapper data in the face of a concurrent write from another process (Heikki Linnakangas) 
- Improve checks for violations of replication protocol (Tom Lane) - Logical replication workers frequently used Asserts to check for cases that could be triggered by invalid or out-of-order replication commands. This seems unwise, so promote these tests to regular error checks. 
- Fix error cases and memory leaks in logical decoding of speculative insertions (Dilip Kumar) 
- Fix plan cache reference leaks in some error cases in - CREATE TABLE ... AS EXECUTE(Tom Lane)
- Fix possible race condition when releasing BackgroundWorkerSlots (Tom Lane) - It's likely that this doesn't fix any observable bug on Intel hardware, but machines with weaker memory ordering rules could have problems. 
- Fix latent crash in sorting code (Ronan Dunklau) - One code path could attempt to free a null pointer. The case appears unreachable in the core server's use of sorting, but perhaps it could be triggered by extensions. 
- Prevent infinite loops in SP-GiST index insertion (Tom Lane) - In the event that INCLUDE columns take up enough space to prevent a leaf index tuple from ever fitting on a page, the text_ops operator class would get into an infinite loop vainly trying to make the tuple fit. While pre-v11 versions don't have INCLUDE columns, back-patch this anti-looping fix to them anyway, as it seems like a good defense against bugs in operator classes. 
- Ensure that SP-GiST index insertion can be terminated by a query cancel request (Tom Lane, Álvaro Herrera) 
- Fix uninitialized-variable bug that could cause PL/pgSQL to act as though an - INTOclause specified- STRICT, even though it didn't (Tom Lane)
- Don't abort the process for an out-of-memory failure in libpq's printing functions (Tom Lane) 
- In ecpg, allow the - numericvalue INT_MIN (usually -2147483648) to be converted to integer (John Naylor)
- In psql and other client programs, avoid overrunning the ends of strings when dealing with invalidly-encoded data (Tom Lane) - An incorrectly-encoded multibyte character near the end of a string could cause various processing loops to run past the string's terminating NUL, with results ranging from no detectable issue to a program crash, depending on what happens to be in the following memory. This is reminiscent of CVE-2006-2313, although these particular cases do not appear to have interesting security consequences. 
- Avoid “invalid creation date in header” warnings observed when running pg_restore on an archive file created in a different time zone (Tom Lane) 
- Make pg_upgrade carry forward the old installation's - oldestXIDvalue (Bertrand Drouvot)- Previously, the new installation's - oldestXIDwas set to a value old enough to (usually) force immediate anti-wraparound autovacuuming. That's not desirable from a performance standpoint; what's worse, installations using large values of- autovacuum_freeze_max_agecould suffer unwanted forced shutdowns soon after an upgrade.
- Extend pg_upgrade to detect and warn about extensions that should be upgraded (Bruce Momjian) - A script file is now produced containing the - ALTER EXTENSION UPDATEcommands needed to bring extensions up to the versions that are considered default in the new installation.
- Avoid problems when switching pg_receivewal between compressed and non-compressed WAL storage (Michael Paquier) 
- In - contrib/postgres_fdw, avoid attempting catalog lookups after an error (Tom Lane)- While this usually worked, it's not very safe since the error might have been one that made catalog access nonfunctional. A side effect of the fix is that messages about data conversion errors will now mention the query's table and column aliases (if used) rather than the true underlying name of a foreign table or column. 
- Improve the isolation-test infrastructure (Tom Lane, Michael Paquier) - Allow isolation test steps to be annotated to show the expected completion order. This allows getting stable results from otherwise-racy test cases, without the long delays that we previously used (not entirely successfully) to fend off race conditions. Allow non-quoted identifiers as isolation test session/step names (formerly, all such names had to be double-quoted). Detect and warn about unused steps in isolation tests. Improve display of query results in isolation tests. Remove isolationtester's “dry-run” mode. Remove memory leaks in isolationtester itself. 
- Reduce overhead of cache-clobber testing (Tom Lane) 
- Fix PL/Python's regression tests to pass with Python 3.10 (Honza Horak) 
- Make - printf("%s", NULL)print- (null)instead of crashing (Tom Lane)- This should improve server robustness in corner cases, and it syncs our - printfimplementation with common libraries.
- Fix incorrect log message when point-in-time recovery stops at a - ROLLBACK PREPAREDrecord (Simon Riggs)
- Clarify error messages referring to “non-negative” values (Bharath Rupireddy) 
- Fix configure to work with OpenLDAP 2.5, which no longer has a separate - libldap_rlibrary (Adrian Ho, Tom Lane)- If there is no - libldap_rlibrary, we now silently assume that- libldapis thread-safe.
- Add new make targets - world-binand- install-world-bin(Andrew Dunstan)- These are the same as - worldand- install-worldrespectively, except that they do not build or install the documentation.
- Fix make rule for TAP tests ( - prove_installcheck) to work in PGXS usage (Andrew Dunstan)
- Allow PostgreSQL version 10 to build with ICU 69 and newer (Peter Eisentraut) 
- Avoid assuming that strings returned by GSSAPI libraries are null-terminated (Tom Lane) - The GSSAPI spec provides for a string pointer and length. It seems that in practice the next byte after the string is usually zero, so that our previous coding didn't actually fail; but we do have a report of AddressSanitizer complaints. 
- Enable building with GSSAPI on MSVC (Michael Paquier) - Fix various incompatibilities with modern Kerberos builds. 
- In MSVC builds, include - --with-pgportin the set of configure options reported by pg_config, if it had been specified (Andrew Dunstan)