E.28. Release 9.5.17
Release date: 2019-05-09
This release contains a variety of fixes from 9.5.16. For information about new features in the 9.5 major release, see Section E.45.
E.28.1. Migration to Version 9.5.17
A dump/restore is not required for those running 9.5.X.
However, if you are upgrading from a version earlier than 9.5.13, see Section E.32.
Prevent row-level security policies from being bypassed via selectivity estimators (Dean Rasheed)
Some of the planner's selectivity estimators apply user-defined operators to values found in
pg_statistic(e.g., most-common values). A leaky operator therefore can disclose some of the entries in a data column, even if the calling user lacks permission to read that column. In CVE-2017-7484 we added restrictions to forestall that, but we failed to consider the effects of row-level security. A user who has SQL permission to read a column, but who is forbidden to see certain rows due to RLS policy, might still learn something about those rows' contents via a leaky operator. This patch further tightens the rules, allowing leaky operators to be applied to statistics data only when there is no relevant RLS policy. (CVE-2019-10130)
Fix behavior for an
DELETEon an inheritance tree or partitioned table in which every table can be excluded (Amit Langote, Tom Lane)
In such cases, the query did not report the correct set of output columns when a
RETURNINGclause was present, and if there were any statement-level triggers that should be fired, it didn't fire them.
Fix handling of explicit
DEFAULTitems in an
INSERT ... VALUEScommand with multiple
VALUESrows, if the target relation is an updatable view (Amit Langote, Dean Rasheed)
When the updatable view has no default for the column but its underlying table has one, a single-row
INSERT ... VALUESwill use the underlying table's default. In the multi-row case, however, NULL was always used. Correct it to act like the single-row case.
CREATE VIEWto allow zero-column views (Ashutosh Sharma)
We should allow this for consistency with allowing zero-column tables. Since a table can be converted to a view, zero-column views could be created even with the restriction in place, leading to dump/reload failures.
Add missing support for
CREATE TABLE IF NOT EXISTS ... AS EXECUTE ...(Andreas Karlsson)
The combination of
IF NOT EXISTSand
EXECUTEshould work, but the grammar omitted it.
Ensure that sub-
SELECTs appearing in row-level-security policy expressions are executed with the correct user's permissions (Dean Rasheed)
Previously, if the table having the RLS policy was accessed via a view, such checks might be executed as the user calling the view, not as the view owner as they should be.
Accept XML documents as valid values of type
xmloptionis set to
content, as required by SQL:2006 and later (Chapman Flack)
Previously PostgreSQL followed the SQL:2003 definition, which doesn't allow this. But that creates a serious problem for dump/restore: there is no setting of
xmloptionthat will accept all valid XML data. Hence, switch to the 2006 definition.
pg_dump is also modified to emit
SET xmloption = contentwhile restoring data, ensuring that dump/restore works even if the prevailing setting is
Improve server's startup-time checks for whether a pre-existing shared memory segment is still in use (Noah Misch)
The postmaster is now more likely to detect that there are still active processes from a previous postmaster incarnation, even if the
postmaster.pidfile has been removed.
Fix incompatibility of GIN-index WAL records (Alexander Korotkov)
A fix applied in February's minor releases was not sufficiently careful about backwards compatibility, leading to problems if a standby server of that vintage reads GIN page-deletion WAL records generated by a primary server of a previous minor release.
ENOSYSerror results, where appropriate, for
sync_file_rangecalls (Thomas Munro, James Sewell)
The previous change to panic on file synchronization failures turns out to have been excessively paranoid for certain cases where a failure is predictable and essentially means “operation not supported”.
Fix “failed to build any
N-way joins” planner failures with lateral references leading out of
FULLouter joins (Tom Lane)
Check the appropriate user's permissions when enforcing rules about letting a leaky operator see
pg_statisticdata (Dean Rasheed)
When an underlying table is being accessed via a view, consider the privileges of the view owner while deciding whether leaky operators may be applied to the table's statistics data, rather than the privileges of the user making the query. This makes the planner's rules about what data is visible match up with the executor's, avoiding unnecessarily-poor plans.
Avoid O(N^2) performance issue when rolling back a transaction that created many tables (Tomas Vondra)
Fix race conditions in management of dynamic shared memory (Thomas Munro)
These could lead to “dsa_area could not attach to segment” or “cannot unpin a segment that is not pinned” errors.
Fix race condition in which a hot-standby postmaster could fail to shut down after receiving a smart-shutdown request (Tom Lane)
Fix possible crash when
pg_identify_object_as_address()is given invalid input (Álvaro Herrera)
Tighten validation of encoded SCRAM-SHA-256 and MD5 passwords (Jonathan Katz)
A password string that had the right initial characters could be mistaken for one that is correctly hashed into SCRAM-SHA-256 or MD5 format. The password would be accepted but would be unusable later.
Fix handling of
lc_timesettings that imply an encoding different from the database's encoding (Juan José Santamaría Flecha, Tom Lane)
Localized month or day names that include non-ASCII characters previously caused unexpected errors or wrong output in such locales.
operator_precedence_warningchecks involving unary minus operators (Rikard Falkeborn)
NaNas a value for floating-point server parameters (Tom Lane)
REINDEXprocessing to avoid assertion failures when reindexing individual indexes of
pg_class(Andres Freund, Tom Lane)
Fix planner assertion failure for parameterized dummy paths (Tom Lane)
Insert correct test function in the result of
No core code cares about this, but some extensions do.
Fix intermittent “could not reattach to shared memory” session startup failures on Windows (Noah Misch)
A previously unrecognized source of these failures is creation of thread stacks for a process's default thread pool. Arrange for such stacks to be allocated in a different memory region.
Fix error detection in directory scanning on Windows (Konstantin Knizhnik)
Errors, such as lack of permissions to read the directory, were not detected or reported correctly; instead the code silently acted as though the directory were empty.
Fix grammar problems in ecpg (Tom Lane)
A missing semicolon led to mistranslation of
SET) in ecpg programs, producing syntactically invalid output that the server would reject. Additionally, in a
DROP DOMAINcommand that listed multiple type names, only the first type name was actually processed.
Sync ecpg's syntax for
CREATE TABLE ASwith the server's (Daisuke Higuchi)
Fix possible buffer overruns in ecpg's processing of include filenames (Liu Huailing, Fei Wu)
Avoid crash in
lo_unlink()call failed (Tom Lane)
Sync our copy of the timezone library with IANA tzcode release 2019a (Tom Lane)
This corrects a small bug in zic that caused it to output an incorrect year-2440 transition in the
Africa/Casablancazone, and adds support for zic's new
Update time zone data files to tzdata release 2019a for DST law changes in Palestine and Metlakatla, plus historical corrections for Israel.
Etc/UCTis now a backward-compatibility link to
Etc/UTC, instead of being a separate zone that generates the abbreviation
UCT, which nowadays is typically a typo. PostgreSQL will still accept
UCTas an input zone abbreviation, but it won't output it.