E.35. Release 14.1

Release date: 2021-11-11

This release contains a variety of fixes from 14.0. For information about new features in major release 14, see Section E.36.

E.35.1. Migration to Version 14.1

A dump/restore is not required for those running 14.X.

However, note that installations using physical replication should update standby servers before the primary server, as explained in the third changelog entry below.

Also, several bugs have been found that may have resulted in corrupted indexes, as explained in the next several changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.

E.35.2. Changes

  • Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane) §

    A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. The server read whatever arrived together with the 8-byte SSLRequest or GSSENCRequest into its input buffer, and any bytes beyond that request remained buffered across the handshake and were then processed as if they had been received over the encrypted channel. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication, which is checked against the client certificate presented during the handshake rather than through an authentication exchange afterwards, might well not do so.)

    The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23214)

  • Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane) §

    A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. libpq likewise kept any bytes that arrived together with the server's one-byte 'S' or 'G' response in its input buffer and, once the handshake completed, parsed them as if they were backend messages from the encrypted session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.

    The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23222)
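
    The two entries above describe the same flaw from either end of the connection. The following model, an added example and not code from PostgreSQL or libpq, builds the documented pre-handshake messages (SSLRequest, GSSENCRequest, the one-byte response, StartupMessage, and typed messages) and contrasts the pre-14.1 buffering that let injected cleartext pass as encrypted data with the 14.1-style check that refuses a connection when anything is still buffered as the handshake begins. The role name, database name and SQL in the constructed attacker traffic are made up, and placing the client-side check on the 'S' response only is this example's reading of the fix.

```python
# Added example, not PostgreSQL or libpq source. Models the pre-handshake bytes of the PostgreSQL
# wire protocol: cleartext injected after the SSLRequest (CVE-2021-23214) or after the server's 'S'
# answer (CVE-2021-23222) stays buffered and is parsed as if decrypted; 14.1 refuses such connections.
import struct

SSL_REQUEST_CODE = 80877103     # 1234 << 16 | 5679, documented SSLRequest code
GSSENC_REQUEST_CODE = 80877104  # 1234 << 16 | 5680, documented GSSENCRequest code
REQUEST_LEN = 8                 # Int32 length (includes itself) + Int32 code


def encryption_request(code):
    """SSLRequest / GSSENCRequest: exactly 8 bytes, no type byte."""
    return struct.pack("!ii", REQUEST_LEN, code)


def startup_message(params):
    """StartupMessage: Int32 length, Int32 version, NUL-terminated key/value pairs, final NUL."""
    body = struct.pack("!i", 3 << 16)  # protocol version 3.0
    for key, value in params.items():
        body += key.encode() + b"\x00" + value.encode() + b"\x00"
    return struct.pack("!i", len(body) + 5) + body + b"\x00"


def typed_message(msg_type, payload):
    """Every later message: 1-byte type, Int32 length (payload + 4), payload."""
    return msg_type + struct.pack("!i", len(payload) + 4) + payload


def parse_typed_message(data):
    """Split off the first typed message: returns (type, payload, rest)."""
    if len(data) < 5:
        raise ValueError("truncated message header")
    (length,) = struct.unpack("!i", data[1:5])
    if length < 4 or len(data) < 1 + length:
        raise ValueError("bad message length")
    return data[:1], data[5:1 + length], data[1 + length:]


def server_read_request_vulnerable(pre_handshake):
    """Pre-14.1 server, modelled: validate the 8-byte request; anything else read in
    the same recv() stays buffered and is drained after the handshake as if decrypted."""
    if len(pre_handshake) < REQUEST_LEN:
        raise ValueError("incomplete startup packet")
    length, code = struct.unpack("!ii", pre_handshake[:REQUEST_LEN])
    if length != REQUEST_LEN or code not in (SSL_REQUEST_CODE, GSSENC_REQUEST_CODE):
        raise ValueError("not an encryption request")
    return ("SSL" if code == SSL_REQUEST_CODE else "GSS"), pre_handshake[REQUEST_LEN:]


def server_read_request_fixed(pre_handshake):
    """14.1 server, modelled: bytes buffered past the request can only be a third party's cleartext."""
    kind, leftover = server_read_request_vulnerable(pre_handshake)
    if leftover:
        raise ConnectionError(f"received unencrypted data after {kind} request")
    return kind


def client_read_response_vulnerable(buf):
    """Pre-14.1 libpq, modelled: act on the first byte, keep the rest buffered."""
    if buf[:1] not in (b"S", b"N"):
        raise ValueError("unexpected response to SSLRequest")
    return buf[:1], buf[1:]


def client_read_response_fixed(buf):
    """14.1 libpq, modelled: an 'S' answer must be the lone byte; after 'N' nothing poses as decrypted."""
    answer, leftover = client_read_response_vulnerable(buf)
    if answer == b"S" and leftover:
        raise ConnectionError("received unencrypted data after SSL response")
    return answer


def injected_server_stream():
    """Constructed attack: real SSLRequest, then a cleartext StartupMessage and Query (made-up role/SQL)."""
    wire = (encryption_request(SSL_REQUEST_CODE)
            + startup_message({"user": "app_user", "database": "app"})
            + typed_message(b"Q", b"ALTER ROLE app_user SUPERUSER;\x00"))
    kind, leftover = server_read_request_vulnerable(wire)
    (startup_len,) = struct.unpack("!i", leftover[:4])   # skip the faked StartupMessage
    msg_type, payload, _ = parse_typed_message(leftover[startup_len:])
    return kind, msg_type, payload.rstrip(b"\x00").decode()


def injected_client_stream():
    """Constructed attack on the client: the real 'S', then a faked
    AuthenticationCleartextPassword ('R', code 3) a vulnerable libpq would honour."""
    wire = b"S" + typed_message(b"R", struct.pack("!i", 3))
    answer, leftover = client_read_response_vulnerable(wire)
    msg_type, payload, _ = parse_typed_message(leftover)
    return answer, msg_type, struct.unpack("!i", payload)[0]


if __name__ == "__main__":
    print("vulnerable server would execute:", injected_server_stream()[2])
    tampered = encryption_request(SSL_REQUEST_CODE) + typed_message(b"Q", b"SELECT 1;\x00")
    try:
        server_read_request_fixed(tampered)
    except ConnectionError as err:
        print("fixed server rejects:", err)
```

    Run directly, the script shows the SQL a vulnerable server would have treated as its first post-handshake command (subject to the no-authentication precondition in the entry above) and the error the fixed server raises on the same bytes. The fix is a refusal rather than a discard: a legitimate peer never sends anything between the encryption request and the handshake, so bytes buffered at that point cannot have come from it.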

  • Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Álvaro Herrera) § § § § §

    If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.

    When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.

  • Ensure that parallel VACUUM doesn't miss any indexes (Peter Geoghegan, Masahiko Sawada) §

    A parallel VACUUM would fail to process indexes that are below the min_parallel_index_scan_size cutoff, if the table also has at least two indexes that are above that size. This could result in those indexes becoming corrupt, since they'd still contain references to any heap entries removed by the VACUUM; subsequent queries using such indexes would be likely to return rows they shouldn't. This problem does not affect autovacuum, since it doesn't use parallel vacuuming. However, a manual VACUUM processes indexes in parallel by default in v14 unless PARALLEL 0 is specified, so it is advisable to reindex any manually-vacuumed tables that have the right mix of index sizes: at least two indexes at or above min_parallel_index_scan_size (default 512kB) and at least one below it.

  • Fix CREATE INDEX CONCURRENTLY to wait for the latest prepared transactions (Andrey Borodin) §

    Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for PREPARE TRANSACTION commands that were still in progress when CREATE INDEX CONCURRENTLY checked for them. As before, in installations that have enabled prepared transactions (max_prepared_transactions > 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.

  • Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin) §

    While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the CONCURRENTLY option. It is recommended to reindex any such indexes to make sure they are correct.

  • Fix REINDEX CONCURRENTLY to preserve operator class parameters that were attached to the target index (Michael Paquier) §

  • Fix incorrect creation of shared dependencies when cloning a database that contains non-builtin objects (Aleksander Alekseev) §

    The effects of this error are probably limited in practice. In principle, it could allow a role to be dropped while it still owns objects; but most installations would never want to drop a role that had been used for objects they'd added to template1.

  • Ensure that the relation cache is invalidated for a table being attached to or detached from a partitioned table (Amit Langote, Álvaro Herrera) §

    This oversight could allow misbehavior of subsequent inserts/updates addressed directly to the partition, but only in currently-existing sessions.

  • Fix corruption of parse tree while creating a range type (Alex Kozhemyakin, Sergey Shinderuk) §

    CREATE TYPE incorrectly freed an element of the parse tree, which could cause problems for a later event trigger, or if the CREATE TYPE command was stored in the plan cache and used again later.

  • Fix updates of element fields in arrays of domain over composite (Tom Lane) §

    A command such as UPDATE tab SET fld[1].subfld = val failed if the array's elements were domains rather than plain composites.

  • Disallow the combination of FETCH FIRST WITH TIES and FOR UPDATE SKIP LOCKED (David Christensen) §

    FETCH FIRST WITH TIES necessarily fetches one more row than requested, since it cannot stop until it finds a row that is not a tie. In our current implementation, if FOR UPDATE is used then that row will also get locked even though it is not returned. That results in undesirable behavior if the SKIP LOCKED option is specified. It's difficult to change this without introducing a different set of undesirable behaviors, so for now, forbid the combination.

  • Disallow ALTER INDEX index ALTER COLUMN col SET (options) (Nathan Bossart, Michael Paquier) §

    While the parser accepted this, it's undocumented and doesn't actually work.

  • Fix corner-case loss of precision in numeric power() (Dean Rasheed) §

    The result could be inaccurate when the first argument is very close to 1.

  • Avoid choosing the wrong hash equality operator for Memoize plans (David Rowley) §

    This error could result in crashes or incorrect query results.

  • Fix planner error with pulling up subquery expressions into function rangetable entries (Tom Lane) §

    If a function in FROM laterally references the output of some sub-SELECT earlier in the FROM clause, and we are able to flatten that sub-SELECT into the outer query, the expression(s) copied into the function expression were not fully processed. This could lead to crashes at execution.

  • Avoid using MCV-only statistics to estimate the range of a column (Tom Lane) §

    There are corner cases in which ANALYZE will build a most-common-values (MCV) list but not a histogram, even though the MCV list does not account for all the observed values. In such cases, keep the planner from using the MCV list alone to estimate the range of column values.

  • Fix restoration of a Portal's snapshot inside a subtransaction (Bertrand Drouvot) §

    If a procedure commits or rolls back a transaction, and then its next significant action is inside a new subtransaction, snapshot management went wrong, leading to a dangling pointer and probable crash. A typical example in PL/pgSQL is a COMMIT immediately followed by a BEGIN ... EXCEPTION block that performs a query.

  • Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar) §

    This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.

  • Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov) §

    This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.

  • Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund) §

    There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.

  • Fix "could not find RecursiveUnion" error when EXPLAIN tries to print a filter condition attached to a WorkTableScan node (Tom Lane) §

  • Ensure that the correct lock level is used when renaming a table (Nathan Bossart, Álvaro Herrera) § §

    For historical reasons, ALTER INDEX ... RENAME can be applied to any sort of relation. The lock level required to rename an index is lower than that required to rename a table or other kind of relation, but the code got this wrong and would use the weaker lock level whenever the command is spelled ALTER INDEX.

  • Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Álvaro Herrera) §

  • Prevent snapshot reference leak warning when lo_export() or a related function fails (Heikki Linnakangas) § §

  • Fix inefficient code generation for CoerceToDomain expression nodes (Ranier Vilela) §

  • Avoid O(N^2) behavior in some list-manipulation operations (Nathan Bossart, Tom Lane) § § §

    These changes fix slow processing in several scenarios, including: when a standby replays a transaction that held many exclusive locks on the primary; when many files are due to be unlinked after a checkpoint; when hash aggregation involves many batches; and when pg_trgm extracts indexable conditions from a complex regular expression. Only the first of these scenarios has actually been reported from the field, but they all seem like plausible consequences of inefficient list deletions.

  • Add more defensive checks around B-tree posting list splits (Peter Geoghegan) § §

    This change should help detect index corruption involving duplicate table TIDs.

  • Avoid assertion failure when inserting NaN into a BRIN float8 or float4 minmax_multi_ops index (Tomas Vondra) §

    In production builds, such cases would result in a somewhat inefficient, but not actually incorrect, index.

  • Allow the autovacuum launcher process to respond to pg_log_backend_memory_contexts() requests more quickly (Koyu Tanigawa) §

  • Fix memory leak in HMAC hash calculations (Sergey Shinderuk) §

  • Disallow setting huge_pages to on when shared_memory_type is sysv (Thomas Munro) §

    Previously, this setting was accepted, but it did nothing for lack of any implementation.

  • Fix checking of query type in PL/pgSQL's RETURN QUERY statement (Tom Lane) §

    RETURN QUERY should accept any query that can return tuples, e.g. UPDATE RETURNING. v14 accidentally disallowed anything but SELECT; moreover, the RETURN QUERY EXECUTE variant failed to apply any query-type check at all.

  • Fix pg_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada) §

    If a global (unrestricted) ALTER DEFAULT PRIVILEGES command revoked some present-by-default privilege, for example EXECUTE for functions, and then a restricted ALTER DEFAULT PRIVILEGES command granted that privilege again for a selected role or schema, pg_dump failed to dump the restricted privilege grant correctly.

  • Make pg_dump acquire shared lock on partitioned tables that are to be dumped (Tom Lane) §

    This oversight was usually pretty harmless, since once pg_dump has locked any of the leaf partitions, that would suffice to prevent significant DDL on the partitioned table itself. However problems could ensue when dumping a childless partitioned table, since no relevant lock would be held.

  • Fix crash in pg_dump when attempting to dump trigger definitions from a pre-8.3 server (Tom Lane) §

  • Fix incorrect filename in pg_restore's error message about an invalid large object TOC file (Daniel Gustafsson) §

  • Ensure that pgbench exits with non-zero status after a socket-level failure (Yugo Nagata, Fabien Coelho) § §

    The desired behavior is to finish out the run but then exit with status 2. Also, fix the reporting of such errors.

  • Prevent pg_amcheck from checking temporary relations, as well as indexes that are invalid or not ready (Mark Dilger) § §

    This avoids unhelpful checks of relations that will almost certainly appear inconsistent.

  • Make contrib/amcheck skip unlogged tables when running on a standby server (Mark Dilger) §

    It's appropriate to do this since such tables will be empty, and unlogged indexes were already handled similarly.

  • Change contrib/pg_stat_statements to read its query texts file in units of at most 1GB (Tom Lane) §

    Such large query text files are very unusual, but if they do occur, the previous coding would fail on Windows 64 (which rejects individual read requests of more than 2GB).

  • Fix null-pointer crash when contrib/postgres_fdw tries to report a data conversion error (Tom Lane) §

  • Ensure that GetSharedSecurityLabel() can be used in a newly-started session that has not yet built its critical relation cache entries (Jeff Davis) §

  • When running a TAP test, include the module's own directory in PATH (Andrew Dunstan) §

    This allows tests to find built programs that are not installed, such as custom test drivers.

  • Use the CLDR project's data to map Windows time zone names to IANA time zones (Tom Lane) § § §

    When running on Windows, initdb attempts to set the new cluster's timezone parameter to the IANA time zone matching the system's prevailing time zone. We were using a mapping table that we'd generated years ago and updated only fitfully; unsurprisingly, it contained a number of errors as well as omissions of recently-added zones. It turns out that CLDR has been tracking the most appropriate mappings, so start using their data. This change will not affect any existing installation, only newly-initialized clusters.

  • Update time zone data files to tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga. (Tom Lane) §

    Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.