E.17. Release 9.5.4
Release date: 2016-08-11
This release contains a variety of fixes from 9.5.3. For information about new features in the 9.5 major release, see Section E.21.
E.17.1. Migration to Version 9.5.4
A dump/restore is not required for those running 9.5.X.
However, if you are upgrading from a version earlier than 9.5.2, see Section E.19.
Fix possible mis-evaluation of nested
WHENexpressions (Heikki Linnakangas, Michael Paquier, Tom Lane)
CASEexpression appearing within the test value subexpression of another
CASEcould become confused about whether its own test value was null or not. Also, inlining of a SQL function implementing the equality operator used by a
CASEexpression could result in passing the wrong test value to functions called within a
CASEexpression in the SQL function's body. If the test values were of different data types, a crash might result; moreover such situations could be abused to allow disclosure of portions of server memory. (CVE-2016-5423)
Fix client programs' handling of special characters in database and role names (Noah Misch, Nathan Bossart, Michael Paquier)
Numerous places in vacuumdb and other client programs could become confused by database and role names containing double quotes or backslashes. Tighten up quoting rules to make that safe. Also, ensure that when a conninfo string is used as a database name parameter to these programs, it is correctly treated as such throughout.
Fix handling of paired double quotes in psql's
\passwordcommands to match the documentation.
Introduce a new
-reuse-previousoption in psql's
\connectcommand to allow explicit control of whether to re-use connection parameters from a previous connection. (Without this, the choice is based on whether the database name looks like a conninfo string, as before.) This allows secure handling of database names containing special characters in pg_dumpall scripts.
pg_dumpall now refuses to deal with database and role names containing carriage returns or newlines, as it seems impractical to quote those characters safely on Windows. In future we may reject such names on the server side, but that step has not been taken yet.
These are considered security fixes because crafted object names containing special characters could have been used to execute commands with superuser privileges the next time a superuser executes pg_dumpall or other routine maintenance operations. (CVE-2016-5424)
Fix corner-case misbehaviors for
IS NOT NULLapplied to nested composite values (Andrew Gierth, Tom Lane)
The SQL standard specifies that
IS NULLshould return TRUE for a row of all null values (thus
ROW(NULL,NULL) IS NULLyields TRUE), but this is not meant to apply recursively (thus
ROW(NULL, ROW(NULL,NULL)) IS NULLyields FALSE). The core executor got this right, but certain planner optimizations treated the test as recursive (thus producing TRUE in both cases), and
contrib/postgres_fdwcould produce remote queries that misbehaved similarly.
Fix “unrecognized node type” error for
INSERT ... ON CONFLICTwithin a recursive CTE (a
WITHitem) (Peter Geoghegan)
INSERT ... ON CONFLICTto successfully match index expressions or index predicates that are simplified during the planner's expression preprocessing phase (Tom Lane)
Correctly handle violations of exclusion constraints that apply to the target table of an
INSERT ... ON CONFLICTcommand, but are not one of the selected arbiter indexes (Tom Lane)
Such a case should raise a normal constraint-violation error, but it got into an infinite loop instead.
INSERT ... ON CONFLICTto not fail if the target table has a unique index on OID (Tom Lane)
cidrdata types properly reject IPv6 addresses with too many colon-separated fields (Tom Lane)
Prevent crash in
lsegoperator) for NaN input coordinates (Tom Lane)
Make it return NULL instead of crashing.
Avoid possible crash in
pg_get_expr()when inconsistent values are passed to it (Michael Paquier, Thomas Munro)
Fix several one-byte buffer over-reads in
In several cases the
to_number()function would read one more character than it should from the input string. There is a small chance of a crash, if the input happens to be adjacent to the end of memory.
Do not run the planner on the query contained in
CREATE MATERIALIZED VIEWor
CREATE TABLE ASwhen
WITH NO DATAis specified (Michael Paquier, Tom Lane)
This avoids some unnecessary failure conditions, for example if a stable function invoked by the materialized view depends on a table that doesn't exist yet.
Avoid unsafe intermediate state during expensive paths through
heap_update()(Masahiko Sawada, Andres Freund)
Previously, these cases locked the target tuple (by setting its XMAX) but did not WAL-log that action, thus risking data integrity problems if the page were spilled to disk and then a database crash occurred before the tuple update could be completed.
Fix hint bit update during WAL replay of row locking operations (Andres Freund)
The only known consequence of this problem is that row locks held by a prepared, but uncommitted, transaction might fail to be enforced after a crash and restart.
Avoid unnecessary “could not serialize access” errors when acquiring
FOR KEY SHARErow locks in serializable mode (Álvaro Herrera)
Make sure “expanded” datums returned by a plan node are read-only (Tom Lane)
This avoids failures in some cases where the result of a lower plan node is referenced in multiple places in upper nodes. So far as core PostgreSQL is concerned, only array values returned by PL/pgSQL functions are at risk; but extensions might use expanded datums for other things.
Avoid crash in
postgres -Cwhen the specified variable has a null string value (Michael Paquier)
Prevent unintended waits for the receiver in WAL sender processes (Kyotaro Horiguchi)
Fix possible loss of large subtransactions in logical decoding (Petru-Florin Mihancea)
Fix failure of logical decoding when a subtransaction contains no actual changes (Marko Tiikkaja, Andrew Gierth)
Ensure that backends see up-to-date statistics for shared catalogs (Tom Lane)
The statistics collector failed to update the statistics file for shared catalogs after a request from a regular backend. This problem was partially masked because the autovacuum launcher regularly makes requests that did cause such updates; however, it became obvious with autovacuum disabled.
Avoid redundant writes of the statistics files when multiple backends request updates close together (Tom Lane, Tomas Vondra)
Avoid consuming a transaction ID during
Some cases in
VACUUMunnecessarily caused an XID to be assigned to the current transaction. Normally this is negligible, but if one is up against the XID wraparound limit, consuming more XIDs during anti-wraparound vacuums is a very bad thing.
Prevent possible failure when vacuuming multixact IDs in an installation that has been pg_upgrade'd from pre-9.3 (Andrew Gierth, Álvaro Herrera)
The usual symptom of this bug is errors like “MultiXactId
NNNhas not been created yet -- apparent wraparound”.
When a manual
ANALYZEspecifies a column list, don't reset the table's
changes_since_analyzecounter (Tom Lane)
If we're only analyzing some columns, we should not prevent routine auto-analyze from happening for the other columns.
ANALYZE's overestimation of
n_distinctfor a unique or nearly-unique column with many null entries (Tom Lane)
The nulls could get counted as though they were themselves distinct values, leading to serious planner misestimates in some types of queries.
Prevent autovacuum from starting multiple workers for the same shared catalog (Álvaro Herrera)
Normally this isn't much of a problem because the vacuum doesn't take long anyway; but in the case of a severely bloated catalog, it could result in all but one worker uselessly waiting instead of doing useful work on other tables.
Fix bug in b-tree mark/restore processing (Kevin Grittner)
This error could lead to incorrect join results or assertion failures in a merge join whose inner source node is a b-tree indexscan.
Avoid duplicate buffer lock release when abandoning a b-tree index page deletion attempt (Tom Lane)
This mistake prevented
VACUUMfrom completing in some cases involving corrupt b-tree indexes.
Fix building of large (bigger than
shared_buffers) hash indexes (Tom Lane)
The code path used for large indexes contained a bug causing incorrect hash values to be inserted into the index, so that subsequent index searches always failed, except for tuples inserted into the index after the initial build.
Prevent infinite loop in GiST index build for geometric columns containing NaN component values (Tom Lane)
Fix possible crash during a nearest-neighbor (
ORDER BYdistance) indexscan on a
contrib/btree_gistindex on an
intervalcolumn (Peter Geoghegan)
Fix “PANIC: failed to add BRIN tuple” error when attempting to update a BRIN index entry (Álvaro Herrera)
Fix possible crash during background worker shutdown (Dmitry Ivanov)
Fix PL/pgSQL's handling of the
IMPORT FOREIGN SCHEMAcommands (Tom Lane)
contrib/btree_ginto handle the smallest possible
bigintvalue correctly (Peter Eisentraut)
Teach libpq to correctly decode server version from future servers (Peter Eisentraut)
It's planned to switch to two-part instead of three-part server version numbers for releases after 9.6. Make sure that
PQserverVersion()returns the correct value for such cases.
Fix ecpg's code for
unsigned long longarray elements (Michael Meskes)
In pg_dump with both
-Coptions, avoid emitting an unwanted
CREATE SCHEMA publiccommand (David Johnston, Tom Lane)
Improve handling of SIGTERM/control-C in parallel pg_dump and pg_restore (Tom Lane)
Make sure that the worker processes will exit promptly, and also arrange to send query-cancel requests to the connected backends, in case they are doing something long-running such as a
Fix error reporting in parallel pg_dump and pg_restore (Tom Lane)
Previously, errors reported by pg_dump or pg_restore worker processes might never make it to the user's console, because the messages went through the master process, and there were various deadlock scenarios that would prevent the master process from passing on the messages. Instead, just print everything to
stderr. In some cases this will result in duplicate messages (for instance, if all the workers report a server shutdown), but that seems better than no message.
Ensure that parallel pg_dump or pg_restore on Windows will shut down properly after an error (Kyotaro Horiguchi)
Previously, it would report the error, but then just sit until manually stopped by the user.
Make parallel pg_dump fail cleanly when run against a standby server (Magnus Hagander)
This usage is not supported unless
--no-synchronized-snapshotsis specified, but the error was not handled very well.
Make pg_dump behave better when built without zlib support (Kyotaro Horiguchi)
It didn't work right for parallel dumps, and emitted some rather pointless warnings in other cases.
Make pg_basebackup accept
-Z 0as specifying no compression (Fujii Masao)
Fix makefiles' rule for building AIX shared libraries to be safe for parallel make (Noah Misch)
Fix TAP tests and MSVC scripts to work when build directory's path name contains spaces (Michael Paquier, Kyotaro Horiguchi)
Be more predictable about reporting “statement timeout” versus “lock timeout” (Tom Lane)
On heavily loaded machines, the regression tests sometimes failed due to reporting “lock timeout” even though the statement timeout should have occurred first.
Make regression tests safe for Danish and Welsh locales (Jeff Janes, Tom Lane)
Change some test data that triggered the unusual sorting rules of these locales.
Update our copy of the timezone code to match IANA's tzcode release 2016c (Tom Lane)
This is needed to cope with anticipated future changes in the time zone data files. It also fixes some corner-case bugs in coping with unusual time zones.
Update time zone data files to tzdata release 2016f for DST law changes in Kemerovo and Novosibirsk, plus historical corrections for Azerbaijan, Belarus, and Morocco.