E.39. Release 11.16
Release date: 2022-05-12
This release contains a variety of fixes from 11.15. For information about new features in major release 11, see Section E.55.
E.39.1. Migration to Version 11.16
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.14, see Section E.41.
E.39.2. Changes
Confine additional operations within “security restricted operation” sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum,
CLUSTER
,CREATE INDEX
,REINDEX
,REFRESH MATERIALIZED VIEW
, and pg_amcheck activated the “security restricted operation” protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2022-1552)
Stop using query-provided column aliases for the columns of whole-row variables that refer to plain tables (Tom Lane)
The column names in tuples produced by a whole-row variable (such as
tbl.*
in contexts other than the top level of aSELECT
list) are now always those of the associated named composite type, if there is one. We'd previously attempted to make them track any column aliases that had been applied to theFROM
entry the variable refers to. But that's semantically dubious, because really then the output of the variable is not at all of the composite type it claims to be. Previous attempts to deal with that inconsistency had bad results up to and including storing unreadable data on disk, so just give up on the whole idea.In cases where it's important to be able to relabel such columns, a workaround is to introduce an extra level of sub-
SELECT
, so that the whole-row variable is referring to the sub-SELECT
's output and not to a plain table. Then the variable is of typerecord
to begin with and there's no issue.Fix incorrect output for types
timestamptz
andtimetz
intable_to_xmlschema()
and allied functions (Renan Soares Lopes)The xmlschema output for these types included a malformed regular expression.
Avoid core dump in parser for a
VALUES
clause with zero columns (Tom Lane)Fix planner errors for
GROUPING()
constructs that reference outer query levels (Richard Guo, Tom Lane)Fix plan generation for index-only scans on indexes with both returnable and non-returnable columns (Tom Lane)
The previous coding could try to read non-returnable columns in addition to the returnable ones. This was fairly harmless because it didn't actually do anything with the bogus values, but it fell foul of a recently-added error check that rejected such a plan.
Fix query-lifespan memory leak in an IndexScan node that is performing reordering (Aliaksandr Kalenik)
Fix
ALTER FUNCTION
to support changing a function's parallelism property and itsSET
-variable list in the same command (Tom Lane)The parallelism property change was lost if the same command also updated the function's
SET
clause.Fix mis-sorting of table rows when
CLUSTER
ing using an index whose leading key is an expression (Peter Geoghegan, Thomas Munro)The table would be rebuilt with the correct data, but in an order having little to do with the index order.
Fix risk of deadlock failures while dropping a partitioned index (Jimmy Yih, Gaurab Dey, Tom Lane)
Ensure that the required table and index locks are taken in the standard order (parents before children, tables before indexes). The previous coding for
DROP INDEX
did it differently, and so could deadlock against concurrent queries taking these locks in the standard order.Fix race condition between
DROP TABLESPACE
and checkpointing (Nathan Bossart)The checkpoint forced by
DROP TABLESPACE
could sometimes fail to remove all dead files from the tablespace's directory, leading to a bogus “tablespace is not empty” error.Fix possible trouble in crash recovery after a
TRUNCATE
command that overlaps a checkpoint (Kyotaro Horiguchi, Heikki Linnakangas, Robert Haas)TRUNCATE
must ensure that the table's disk file is truncated before the checkpoint is allowed to complete. Otherwise, replay starting from that checkpoint might find unexpected data in the supposedly-removed pages, possibly causing replay failure.Fix unsafe toast-data accesses during temporary object cleanup (Andres Freund)
Temporary-object deletion during server process exit could fail with “FATAL: cannot fetch toast data without an active snapshot”. This was usually harmless since the next use of that temporary schema would clean up successfully.
Fix “PANIC: xlog flush request is not satisfied” failure during standby promotion when there is a missing WAL continuation record (Sami Imseih)
Fix possibility of self-deadlock in hot standby conflict handling (Andres Freund)
With unlucky timing, the WAL-applying process could get stuck while waiting for some other process to release a buffer lock.
Ensure that logical replication apply workers can be restarted even when we're up against the
max_sync_workers_per_subscription
limit (Amit Kapila)Faulty coding of the limit check caused a restarted worker to exit immediately, leaving fewer workers than there should be.
Include unchanged replica identity key columns in the WAL log for an update, if they are stored out-of-line (Dilip Kumar, Amit Kapila)
Otherwise subscribers cannot see the values and will fail to replicate the update.
Improve logical replication subscriber's error message for an unsupported relation kind (Tom Lane)
v13 and later servers support publishing partitioned tables. Older server versions cannot handle subscribing to such a table, and they gave a very misleading error message: “table XYZ not found on publisher”. Arrange to deliver a more on-point message.
Disallow execution of SPI functions during PL/Perl function compilation (Tom Lane)
Perl can be convinced to execute user-defined code during compilation of a PL/Perl function. However, it's not okay for such code to try to invoke SQL operations via SPI. That results in a crash, and if it didn't crash it would be a security hazard, because we really don't want code execution during function validation. Put in a check to give a friendlier error message instead.
Make libpq accept root-owned SSL private key files (David Steele)
This change synchronizes libpq's rules for safe ownership and permissions of SSL key files with the rules the server has used since release 9.6. Namely, in addition to the current rules, allow the case where the key file is owned by root and has permissions
rw-r-----
or less. This is helpful for system-wide management of key files.Make pg_ctl recheck postmaster aliveness while waiting for stop/restart/promote actions (Tom Lane)
pg_ctl would verify that the postmaster is alive as a side-effect of sending the stop or promote signal, but then it just naively waited to see the on-disk state change. If the postmaster died uncleanly without having removed its PID file or updated the control file, pg_ctl would wait until timeout. Instead make it recheck every so often that the postmaster process is still there.
Fix error handling in pg_waldump (Kyotaro Horiguchi, Andres Freund)
While trying to read a WAL file to determine the WAL segment size, pg_waldump would report an incorrect error for the case of a too-short file. In addition, the file name reported in this and related error messages could be garbage.
Ensure that
contrib/pageinspect
functions cope with all-zero pages (Michael Paquier)This is a legitimate edge case, but the module was mostly unprepared for it. Arrange to return nulls, or no rows, as appropriate; that seems more useful than raising an error.
In
contrib/pageinspect
, add defenses against incorrect page “special space” contents, tighten checks for correct page size, and add some missing checks that an index is of the expected type (Michael Paquier, Justin Pryzby, Julien Rouhaud)These changes make it less likely that the module will crash on bad data.
In
contrib/postgres_fdw
, verify thatORDER BY
clauses are safe to ship before requesting a remotely-ordered query, and include aUSING
clause if necessary (Ronan Dunklau)This fix prevents situations where the remote server might sort in a different order than we intend. While sometimes that would be only cosmetic, it could produce thoroughly wrong results if the remote data is used as input for a locally-performed merge join.
Update JIT code to work with LLVM 14 (Thomas Munro)
Clean up assorted failures under clang's
-fsanitize=undefined
checks (Tom Lane, Andres Freund, Zhihong Yu)Most of these changes are just for pro-forma compliance with the letter of the C and POSIX standards, and are unlikely to have any effect on production builds.
Fix PL/Perl so it builds on C compilers that don't support statements nested within expressions (Tom Lane)
Fix possible build failure of pg_dumpall on Windows, when not using MSVC to build (Andres Freund)
In Windows builds, use gendef instead of pexports to build DEF files (Andrew Dunstan)
This adapts the build process to work on recent MSys tool chains.
Prevent extra expansion of shell wildcard patterns in programs built under MinGW (Andrew Dunstan)
For some reason the C library provided by MinGW will expand shell wildcard characters in a program's command-line arguments by default. This is confusing, not least because it doesn't happen under MSVC, so turn it off.
Update time zone data files to tzdata release 2022a for DST law changes in Palestine, plus historical corrections for Chile and Ukraine.