E.41. Release 10.9
Release date: 2019-06-20
This release contains a variety of fixes from 10.8. For information about new features in major release 10, see Section E.50.
E.41.1. Migration to Version 10.9
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.6, see Section E.44.
E.41.2. Changes
Fix buffer-overflow hazards in SCRAM verifier parsing (Jonathan Katz, Heikki Linnakangas, Michael Paquier)
Any authenticated user could cause a stack-based buffer overflow by changing their own password to a purpose-crafted value. In addition to the ability to crash the PostgreSQL server, this could suffice for executing arbitrary code as the PostgreSQL operating system account.
A similar overflow hazard existed in libpq, which could allow a rogue server to crash a client or perhaps execute arbitrary code as the client's operating system account.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2019-10164)
Fix failure of
ALTER TABLE ... ALTER COLUMN TYPE
when the table has a partial exclusion constraint (Tom Lane)Fix failure of
COMMENT
command for comments on domain constraints (Daniel Gustafsson, Michael Paquier)Prevent possible memory clobber when there are duplicate columns in a hash aggregate's hash key list (Andrew Gierth)
Fix faulty generation of merge-append plans (Tom Lane)
This mistake could lead to “could not find pathkey item to sort” errors.
Fix incorrect printing of queries with duplicate join names (Philip Dubé)
This oversight caused a dump/restore failure for views containing such queries.
Fix conversion of JSON string literals to JSON-type output columns in
json_to_record()
andjson_populate_record()
(Tom Lane)Such cases should produce the literal as a standalone JSON value, but the code misbehaved if the literal contained any characters requiring escaping.
Fix misoptimization of
{1,1}
quantifiers in regular expressions (Tom Lane)Such quantifiers were treated as no-ops and optimized away; but the documentation specifies that they impose greediness, or non-greediness in the case of the non-greedy variant
{1,1}?
, on the subexpression they're attached to, and this did not happen. The misbehavior occurred only if the subexpression contained capturing parentheses or a back-reference.Avoid possible failures while initializing a new process's
pg_stat_activity
data (Tom Lane)Certain operations that could fail, such as converting strings extracted from an SSL certificate into the database encoding, were being performed inside a critical section. Failure there would result in database-wide lockup due to violating the access protocol for shared
pg_stat_activity
data.Fix race condition in check to see whether a pre-existing shared memory segment is still in use by a conflicting postmaster (Tom Lane)
Fix unsafe coding in walreceiver's signal handler (Tom Lane)
This avoids rare problems in which the walreceiver process would crash or deadlock when commanded to shut down.
Avoid attempting to do database accesses for parameter checking in processes that are not connected to a specific database (Vignesh C, Andres Freund)
This error could result in failures like “cannot read pg_class without having selected a database”.
Avoid possible hang in libpq if using SSL and OpenSSL's pending-data buffer contains an exact multiple of 256 bytes (David Binderman)
Improve initdb's handling of multiple equivalent names for the system time zone (Tom Lane, Andrew Gierth)
Make initdb examine the
/etc/localtime
symbolic link, if that exists, to break ties between equivalent names for the system time zone. This makes initdb more likely to select the time zone name that the user would expect when multiple identical time zones exist. It will not change the behavior if/etc/localtime
is not a symlink to a zone data file, nor if the time zone is determined from theTZ
environment variable.Separately, prefer
UTC
over other spellings of that time zone, when neitherTZ
nor/etc/localtime
provide a hint. This fixes an annoyance introduced by tzdata 2019a's change to make theUCT
andUTC
zone names equivalent: initdb was then preferringUCT
, which almost nobody wants.Fix ordering of
GRANT
commands emitted by pg_dump and pg_dumpall for databases and tablespaces (Nathan Bossart, Michael Paquier)If cascading grants had been issued, restore might fail due to the
GRANT
commands being given in an order that didn't respect their interdependencies.Make pg_dump recreate table partitions using
CREATE TABLE
thenATTACH PARTITION
, rather than includingPARTITION OF
in the creation command (Álvaro Herrera, David Rowley)This avoids problems with the partition's column order possibly being changed to match the parent's. Also, a partition is now restorable from the dump (as a standalone table) even if its parent table isn't restored; the
ATTACH
will fail, but that can just be ignored.Fix misleading error reports from reindexdb (Julien Rouhaud)
Ensure that vacuumdb returns correct status if an error occurs while using parallel jobs (Julien Rouhaud)
Fix
contrib/auto_explain
to not cause problems in parallel queries (Tom Lane)Previously, a parallel worker might try to log its query even if the parent query were not being logged by
auto_explain
. This would work sometimes, but it's confusing, and in some cases it resulted in failures like “could not find key N in shm TOC”.Also, fix an off-by-one error that resulted in not necessarily logging every query even when the sampling rate is set to 1.0.
In
contrib/postgres_fdw
, account for possible data modifications by localBEFORE ROW UPDATE
triggers (Shohei Mochizuki)If a trigger modified a column that was otherwise not changed by the
UPDATE
, the new value was not transmitted to the remote server.On Windows, avoid failure when the database encoding is set to SQL_ASCII and we attempt to log a non-ASCII string (Noah Misch)
The code had been assuming that such strings must be in UTF-8, and would throw an error if they didn't appear to be validly encoded. Now, just transmit the untranslated bytes to the log.
Make PL/pgSQL's header files C++-safe (George Tarasov)