E.11. Release 16.4
Release date: 2024-08-08
This release contains a variety of fixes from 16.3. For information about new features in major release 16, see Section E.15.
E.11.1. Migration to Version 16.4
A dump/restore is not required for those running 16.X.
However, if you are upgrading from a version earlier than 16.3, see Section E.12.
E.11.2. Changes
Prevent unauthorized code execution during pg_dump (Masahiko Sawada)
An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.
The PostgreSQL Project thanks Noah Misch for reporting this problem. (CVE-2024-7348)
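As an added illustration that is not part of these release notes, the psql session below is a check a DBA can run to confirm that the mitigation for CVE-2024-7348 is present on the server and behaves as described. It assumes the parameter accepts the value list 'view, foreign-table' (the setting a patched pg_dump issues at session start); the demo schema and view names are constructed for this example, and pg_dump's own version must still be checked separately with pg_dump --version.

```sql
-- Added example, not from the release notes: verify the pg_dump hardening.
-- Assumes a PostgreSQL 16.4 server and psql; object names are constructed.

-- 1. The server side is fixed from 16.4 (server_version_num 160004) onward.
--    pg_dump is the other half of the requirement and must be checked
--    with `pg_dump --version` on the client host.
SELECT current_setting('server_version_num')::int >= 160004 AS server_has_fix;

-- 2. The parameter only exists on a patched server; on an older server
--    this SHOW fails with "unrecognized configuration parameter".
SHOW restrict_nonsystem_relation_kind;          -- empty string by default

-- 3. Set what a patched pg_dump sets for its own session (assumed value
--    list: 'view' and/or 'foreign-table', comma separated).
SET restrict_nonsystem_relation_kind = 'view, foreign-table';

-- 4. With the setting active, reading a non-system view is rejected
--    instead of being expanded, so a session that is tricked into
--    touching a planted view fails closed rather than running its SQL.
CREATE SCHEMA demo_restrict;
CREATE VIEW demo_restrict.v AS SELECT 1 AS x;
SELECT * FROM demo_restrict.v;                  -- expected: raises an ERROR

-- 5. System views and ordinary tables are unaffected, as the notes say
--    only non-builtin views and foreign tables are restricted.
SELECT count(*) > 0 AS system_views_still_readable FROM pg_catalog.pg_views;

-- 6. Clean up; the setting is per session and does not persist.
RESET restrict_nonsystem_relation_kind;
DROP SCHEMA demo_restrict CASCADE;
```

Step 4 is expected to fail; if it returns a row instead, the session is not protected and the server or its configuration should be rechecked.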
Avoid incorrect results from Merge Right Anti Join plans (Richard Guo)
If the inner relation is known to have unique join keys, the merge could misbehave when there are duplicated join keys in the outer relation.

Prevent infinite loop in VACUUM (Melanie Plageman)
After a disconnected standby server with an old running transaction reconnected to the primary, it was possible for VACUUM on the primary to get confused about which tuples are removable, resulting in an infinite loop.

Fix failure after attaching a table as a partition, if the table had previously had inheritance children (Álvaro Herrera)

Fix ALTER TABLE DETACH PARTITION for cases involving inconsistent index-based constraints (Álvaro Herrera, Tender Wang)
When a partitioned table has an index that is not associated with a constraint, but a partition has an equivalent index that is, then detaching the partition would misbehave, leaving the ex-partition's constraint with an incorrect coninhcount value. This would cause trouble during any further manipulations of that constraint.

Fix partition pruning setup during ALTER TABLE DETACH PARTITION CONCURRENTLY (Álvaro Herrera)
The executor assumed that no partition could be detached between planning and execution of a query on a partitioned table. This is no longer true since the introduction of DETACH PARTITION's CONCURRENTLY option, making it possible for query execution to fail transiently when that is used.

Correctly update a partitioned table's pg_class.reltuples field to zero after its last child partition is dropped (Noah Misch)
The first ANALYZE on such a partitioned table must update relhassubclass as well, and that caused the reltuples update to be lost.

Fix handling of polymorphic output arguments for procedures (Tom Lane)
The SQL CALL statement did not resolve the correct data types for such arguments, leading to errors such as “cannot display a value of type anyelement”, or even outright crashes. (But CALL in PL/pgSQL worked correctly.)

Fix behavior of stable functions called from a CALL statement's argument list (Tom Lane)
If the CALL is within an atomic context (e.g. there's an outer transaction block), such functions were passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.

Fix input of ISO-8601 “extended” time format for types time and timetz (Tom Lane)
Re-allow cases such as T12:34:56.

Detect integer overflow in money calculations (Joseph Koshakow)
None of the arithmetic functions for the money type checked for overflow before, so they would silently give wrong answers for overflowing cases.

Fix over-aggressive clamping of the scale argument in round(numeric) and trunc(numeric) (Dean Rasheed)
These functions clamped their scale argument to +/-2000, but there are valid use-cases for it to be larger; the functions returned incorrect results in such cases. Instead clamp to the actual allowed range of type numeric.

Fix result for pg_size_pretty() when applied to the smallest possible bigint value (Joseph Koshakow)

Prevent pg_sequence_last_value() from failing on unlogged sequences on standby servers and on temporary sequences of other sessions (Nathan Bossart)
Make it return NULL in these cases instead of throwing an error.

Fix parsing of ignored operators in websearch_to_tsquery() (Tom Lane)
Per the manual, punctuation in the input of websearch_to_tsquery() is ignored except for the special cases of dashes and quotes. However, parentheses and a few other characters appearing immediately before an or could cause or to be treated as a data word, rather than as an OR operator as expected.

Detect another integer overflow case while computing new array dimensions (Joseph Koshakow)
Reject applying array dimensions [-2147483648:2147483647] to an empty array. This is closely related to CVE-2023-5869, but appears harmless since the array still ends up empty.

Fix unportable usage of strnxfrm() (Jeff Davis)
Some code paths for non-deterministic collations could fail with errors like “pg_strnxfrm() returned unexpected result”.

Detect another case of a new catalog cache entry becoming stale while detoasting its fields (Noah Misch)
An in-place update occurring while we expand out-of-line fields in a catalog tuple could be missed, leading to a catalog cache entry that lacks the in-place change but is not known to be stale. This is only possible in the pg_database catalog, so the effects are narrow, but misbehavior is possible.

Correctly check updatability of view columns targeted by INSERT ... DEFAULT (Tom Lane)
If such a column is non-updatable, we should give an error reporting that. But the check was missed and then later code would report an unhelpful error such as “attribute number N not found in view targetlist”.

Avoid reporting an unhelpful internal error for incorrect recursive queries (Tom Lane)
Rearrange the order of error checks so that we throw an on-point error when a WITH RECURSIVE query does not have a self-reference within the second arm of the UNION, but does have one self-reference in some other place such as ORDER BY.

Lock owned sequences during ALTER TABLE SET LOGGED|UNLOGGED (Noah Misch)
These commands change the persistence of a table's owned sequences along with the table, but they failed to acquire lock on the sequences while doing so. This could result in losing the effects of concurrent nextval() calls.

Don't throw an error if a queued AFTER trigger no longer exists (Tom Lane)
It's possible for a transaction to execute an operation that queues a deferred AFTER trigger for later execution, and then to drop the trigger before that happens. Formerly this led to weird errors such as “could not find trigger NNNN”. It seems better to silently do nothing if the trigger no longer exists at the time when it would have been executed.

Fix failure to remove pg_init_privs entries for column-level privileges when their table is dropped (Tom Lane)
If an extension grants some column-level privileges on a table it creates, relevant catalog entries would remain behind after the extension is dropped. This was harmless until/unless the table's OID was re-used for another relation, when it could interfere with what pg_dump dumps for that relation.

Fix selection of an arbiter index for ON CONFLICT when the desired index has expressions or predicates (Tom Lane)
If a query using ON CONFLICT accesses the target table through an updatable view, it could fail with “there is no unique or exclusion constraint matching the ON CONFLICT specification”, even though a matching index does exist.

Refuse to modify a temporary table of another session with ALTER TABLE (Tom Lane)
Permissions checks normally would prevent this case from arising, but it is possible to reach it by altering a parent table whose child is another session's temporary table. Throw an error if we discover that such a child table belongs to another session.

Fix handling of extended statistics on expressions in CREATE TABLE LIKE STATISTICS (Tom Lane)
The CREATE command failed to adjust column references in statistics expressions to the possibly-different column numbering of the new table. This resulted in invalid statistics objects that would cause problems later. A typical scenario where renumbering columns is needed is when the source table contains some dropped columns.

Fix failure to recalculate sub-queries generated from MIN() or MAX() aggregates (Tom Lane)
In some cases the aggregate result computed at one row of the outer query could be re-used for later rows when it should not be. This has only been seen to happen when the outer query uses DISTINCT that is implemented with hash aggregation, but other cases may exist.

Re-forbid underscore in positional parameters (Erik Wienhold)
As of v16 we allow integer literals to contain underscores. This change caused input such as $1_234 to be taken as a single token, but it did not work correctly. It seems better to revert to the original definition in which a parameter symbol is only $ followed by digits.

Avoid crashing when a JIT-inlined backend function throws an error (Tom Lane)
The error state can include pointers into the dynamically loaded module holding the JIT-compiled code (for error location strings). In some code paths the module could get unloaded before the error report is processed, leading to SIGSEGV when the location strings are accessed.

Cope with behavioral changes in libxml2 version 2.13.x (Erik Wienhold, Tom Lane)
Notably, we now suppress “chunk is not well balanced” errors from libxml2, unless that is the only reported error. This is to make error reports consistent between 2.13.x and earlier libxml2 versions. In earlier versions, that message was almost always redundant or outright incorrect, so 2.13.x substantially reduced the number of cases in which it's reported.

Fix handling of subtransactions of prepared transactions when starting a hot standby server (Heikki Linnakangas)
When starting a standby's replay at a shutdown checkpoint WAL record, transactions that had been prepared but not yet committed on the primary are correctly understood as being still in progress. But subtransactions of a prepared transaction (created by savepoints or PL/pgSQL exception blocks) were not accounted for and would be treated as aborted. That led to inconsistency if the prepared transaction was later committed.

Prevent incorrect initialization of logical replication slots (Masahiko Sawada)
In some cases a replication slot's start point within the WAL stream could be set to a point within a transaction, leading to assertion failures or incorrect decoding results.

Avoid “can only drop stats once” error during replication slot creation and drop (Floris Van Nee)

Fix resource leakage in logical replication WAL sender (Hou Zhijie)
The walsender process leaked memory when publishing changes to a partitioned table whose partitions have row types physically different from the partitioned table's.

Avoid memory leakage after servicing a notify or sinval interrupt (Tom Lane)
The processing functions for these events could switch the current memory context to TopMemoryContext, resulting in session-lifespan leakage of any data allocated before the incorrect setting gets replaced. There were observable leaks associated with (at least) encoding conversion of incoming queries and parameters attached to Bind messages.

Prevent leakage of reference counts for the shared memory block used for statistics (Anthonin Bonnefoy)
A new backend process attaching to the statistics shared memory incremented its reference count, but failed to decrement the count when exiting. After 2^32 sessions had been created, the reference count would overflow to zero, causing failures in all subsequent backend process starts.

Prevent deadlocks and assertion failures during truncation of the multixact SLRU log (Heikki Linnakangas)
A process trying to delete SLRU segments could deadlock with the checkpointer process.

Avoid possibly missing end-of-input events on Windows sockets (Thomas Munro)
Windows reports an FD_CLOSE event only once after the remote end of the connection disconnects. With unlucky timing, we could miss that report and wait indefinitely, or at least until a timeout elapsed, expecting more input.

Fix buffer overread in JSON parse error reports for incomplete byte sequences (Jacob Champion)
It was possible to walk off the end of the input buffer by a few bytes when the last bytes comprise an incomplete multi-byte character. While usually harmless, in principle this could cause a crash.

Disable creation of stateful TLS session tickets by OpenSSL (Daniel Gustafsson)
This avoids possible failures with clients that think receipt of a session ticket means that TLS session resumption is supported.

When replanning a PL/pgSQL “simple expression”, check it's still simple (Tom Lane)
Certain fairly-artificial cases, such as dropping a referenced function and recreating it as an aggregate, could lead to surprising failures such as “unexpected plan node type”.

Fix PL/pgSQL's handling of integer ranges containing underscores (Erik Wienhold)
As of v16 we allow integer literals to contain underscores, but PL/pgSQL failed to handle examples such as FOR i IN 1_001..1_003.

Fix recursive RECORD-returning PL/Python functions (Tom Lane)
If we recurse to a new call of the same function that passes a different column definition list (AS clause), it would fail because the inner call would overwrite the outer call's idea of what rowtype to return.

Don't corrupt PL/Python's TD dictionary during a recursive trigger call (Tom Lane)
If a PL/Python-language trigger caused another one to be invoked, the TD dictionary created for the inner one would overwrite the outer one's TD dictionary.

Fix PL/Tcl's reporting of invalid list syntax in the result of a function returning tuple (Erik Wienhold, Tom Lane)
Such a case could result in a crash, or in emission of misleading context information that actually refers to the previous Tcl error.

Avoid non-thread-safe usage of strerror() in libpq (Peter Eisentraut)
Certain error messages returned by OpenSSL could become garbled in multi-threaded applications.

Avoid memory leak within pg_dump during a binary upgrade (Daniel Gustafsson)

Ensure that pg_restore -l reports dependent TOC entries correctly (Tom Lane)
If -l was specified together with selective-restore options such as -n or -N, dependent TOC entries such as comments would be omitted from the listing, even when an actual restore would have selected them.

Allow contrib/pg_stat_statements to distinguish among utility statements appearing within SQL-language functions (Anthonin Bonnefoy)
The SQL-language function executor failed to pass along the query ID that is computed for a utility (non SELECT/INSERT/UPDATE/DELETE/MERGE) statement.

Avoid “cursor can only scan forward” error in contrib/postgres_fdw (Etsuro Fujita)
This error could occur if the remote server is v15 or later and a foreign table is mapped to a non-trivial remote view.

In contrib/postgres_fdw, do not send FETCH FIRST WITH TIES clauses to the remote server (Japin Li)
The remote server might not implement this clause, or might interpret it differently than we would locally, so don't risk attempting remote execution.

Avoid clashing with system-provided <regex.h> headers (Thomas Munro)
This fixes a compilation failure on macOS version 15 and up.

Fix otherwise-harmless assertion failure in Memoize cost estimation (David Rowley)

Fix otherwise-harmless assertion failures in REINDEX CONCURRENTLY applied to an SP-GiST index (Tom Lane)