[8.3.1] 1. Fix character string comparison for Windows locales that consider different character combinations as equal (Tom) This fix applies only on Windows and only when using UTF-8 database encoding. The same fix was made for all other cases over two years ago, but Windows with UTF-8 uses a separate code path that was not updated. If you are using a locale that considers some non-identical strings as equal, you may need to REINDEX to fix existing indexes on textual columns. 2. Repair corner-case bugs in VACUUM FULL (Tom) A potential deadlock between concurrent VACUUM FULL operations on different system catalogs was introduced in 8.2. This has now been corrected. 8.3 made this worse because the deadlock could occur within a critical code section, making it a PANIC rather than just ERROR condition. Also, a VACUUM FULL that failed partway through vacuuming a system catalog could result in cache corruption in concurrent database sessions. Another VACUUM FULL bug introduced in 8.3 could result in a crash or out-of-memory report when dealing with pages containing no live tuples. 3. Fix misbehavior of foreign key checks involving character or bit columns (Tom) If the referencing column were of a different but compatible type (for instance varchar), the constraint was enforced incorrectly. 4. Avoid needless deadlock failures in no-op foreign-key checks (Stephan Szabo, Tom) 5. Fix possible core dump when re-planning a prepared query (Tom) This bug affected only protocol-level prepare operations, not SQL PREPARE, and so tended to be seen only with JDBC, DBI, and other client-side drivers that use prepared statements heavily. 6. Fix possible failure when re-planning a query that calls an SPI-using function (Tom) 7. Fix failure in row-wise comparisons involving columns of different datatypes (Tom) 8. Fix longstanding LISTEN/NOTIFY race condition (Tom) In rare cases a session that had just executed a LISTEN might not get a notification, even though one would be expected because the concurrent transaction executing NOTIFY was observed to commit later. A side effect of the fix is that a transaction that has executed a not-yet-committed LISTEN command will not see any row in pg_listener for the LISTEN, should it choose to look; formerly it would have. This behavior was never documented one way or the other, but it is possible that some applications depend on the old behavior. 9. Disallow LISTEN and UNLISTEN within a prepared transaction (Tom) This was formerly allowed but trying to do it had various unpleasant consequences, notably that the originating backend could not exit as long as an UNLISTEN remained uncommitted. 10. Disallow dropping a temporary table within a prepared transaction (Heikki) This was correctly disallowed by 8.1, but the check was inadvertently broken in 8.2 and 8.3. 11. Fix rare crash when an error occurs during a query using a hash index (Heikki) 12. Fix incorrect comparison of tsquery values (Teodor) 13. Fix incorrect behavior of LIKE with non-ASCII characters in single-byte encodings (Rolf Jentsch) 14. Disable xmlvalidate (Tom) This function should have been removed before 8.3 release, but was inadvertently left in the source code. It poses a small security risk since unprivileged users could use it to read the first few characters of any file accessible to the server. 15. Fix memory leaks in certain usages of set-returning functions (Neil) 16. Make encode(bytea, 'escape') convert all high-bit-set byte values into \nnn octal escape sequences (Tom) This is necessary to avoid encoding problems when the database encoding is multi-byte. This change could pose compatibility issues for applications that are expecting specific results from encode. 17. Fix input of datetime values for February 29 in years BC (Tom) The former coding was mistaken about which years were leap years. 18. Fix "unrecognized node type" error in some variants of ALTER OWNER (Tom) 19. Avoid tablespace permissions errors in CREATE TABLE LIKE INCLUDING INDEXES (Tom) 20. Ensure pg_stat_activity.waiting flag is cleared when a lock wait is aborted (Tom) 21. Fix ecpg problems with arrays (Michael) 22. Fix pg_ctl to correctly extract the postmaster's port number from command-line options (Itagaki Takahiro, Tom) Previously, pg_ctl start -w could try to contact the postmaster on the wrong port, leading to bogus reports of startup failure. [8.3.2] 1. Fix ERRORDATA_STACK_SIZE exceeded crash that occurred on Windows when using UTF-8 database encoding and a different client encoding (Tom) 2. Fix incorrect archive truncation point calculation for the %r macro in recovery_command parameters (Simon) This could lead to data loss if a warm-standby script relied on %r to decide when to throw away WAL segment files. 3. Fix ALTER TABLE ADD COLUMN ... PRIMARY KEY so that the new column is correctly checked to see if it's been initialized to all non-nulls (Brendan Jurd) Previous versions neglected to check this requirement at all. 4. Fix REASSIGN OWNED so that it works on procedural languages too (Alvaro) 5. Fix problems with SELECT FOR UPDATE/SHARE occurring as a subquery in a query with a non-SELECT top-level operation (Tom) 6. Fix possible CREATE TABLE failure when inheriting the "same" constraint from multiple parent relations that inherited that constraint from a common ancestor (Tom) 7. Fix pg_get_ruledef() to show the alias, if any, attached to the target table of an UPDATE or DELETE (Tom) 8. Restore the pre-8.3 behavior that an out-of-range block number in a TID being used in a TidScan plan results in silently not matching any rows (Tom) 8.3.0 and 8.3.1 threw an error instead. 9. Fix GIN bug that could result in a too many LWLocks taken failure (Teodor) 10. Fix broken GiST comparison function for tsquery (Teodor) 11. Fix tsvector_update_trigger() and ts_stat() to accept domains over the types they expect to work with (Tom) 12. Fix failure to support enum data types as foreign keys (Tom) 13. Avoid possible crash when decompressing corrupted data (Zdenek Kotala) 14. Fix race conditions between delayed unlinks and DROP DATABASE (Heikki) In the worst case this could result in deleting a newly created table in a new database that happened to get the same OID as the recently-dropped one; but of course that is an extremely low-probability scenario. 15. Repair two places where SIGTERM exit of a backend could leave corrupted state in shared memory (Tom) Neither case is very important if SIGTERM is used to shut down the whole database cluster together, but there was a problem if someone tried to SIGTERM individual backends. 16. Fix possible crash due to incorrect plan generated for an x IN (SELECT y FROM ...) clause when x and y have different data types; and make sure the behavior is semantically correct when the conversion from y's type to x's type is lossy (Tom) 17. Fix oversight that prevented the planner from substituting known Param values as if they were constants (Tom) This mistake partially disabled optimization of unnamed extended-Query statements in 8.3.0 and 8.3.1: in particular the LIKE-to-indexscan optimization would never be applied if the LIKE pattern was passed as a parameter, and constraint exclusion depending on a parameter value didn't work either. 18. Fix planner failure when an indexable MIN or MAX aggregate is used with DISTINCT or ORDER BY (Tom) 19. Fix planner to ensure it never uses a "physical tlist" for a plan node that is feeding a Sort node (Tom) This led to the sort having to push around more data than it really needed to, since unused column values were included in the sorted data. 20. Avoid unnecessary copying of query strings (Tom) This fixes a performance problem introduced in 8.3.0 when a very large number of commands are submitted as a single query string. 21. Make TransactionIdIsCurrentTransactionId() use binary search instead of linear search when checking child-transaction XIDs (Heikki) This fixes some cases in which 8.3.0 was significantly slower than earlier releases. 22. Fix conversions between ISO-8859-5 and other encodings to handle Cyrillic "Yo" characters (e and E with two dots) (Sergey Burladyan) 23. Fix several datatype input functions, notably array_in(), that were allowing unused bytes in their results to contain uninitialized, unpredictable values (Tom) This could lead to failures in which two apparently identical literal values were not seen as equal, resulting in the parser complaining about unmatched ORDER BY and DISTINCT expressions. 24. Fix a corner case in regular-expression substring matching (substring(string from pattern)) (Tom) The problem occurs when there is a match to the pattern overall but the user has specified a parenthesized subexpression and that subexpression hasn't got a match. An example is substring('foo' from 'foo(bar)?'). This should return NULL, since (bar) isn't matched, but it was mistakenly returning the whole-pattern match instead (ie, foo). 25. Prevent cancellation of an auto-vacuum that was launched to prevent XID wraparound (Alvaro) 26. Improve ANALYZE's handling of in-doubt tuples (those inserted or deleted by a not-yet-committed transaction) so that the counts it reports to the stats collector are more likely to be correct (Pavan Deolasee) 27. Fix initdb to reject a relative path for its --xlogdir (-X) option (Tom) 28. Make psql print tab characters as an appropriate number of spaces, rather than \x09 as was done in 8.3.0 and 8.3.1 (Bruce) 29. Fix incorrect result from ecpg's PGTYPEStimestamp_sub() function (Michael) 30. Fix handling of continuation line markers in ecpg (Michael) 31. Fix possible crashes in contrib/cube functions (Tom) 32. Fix core dump in contrib/xml2's xpath_table() function when the input query returns a NULL value (Tom) 33. Fix contrib/xml2's makefile to not override CFLAGS, and make it auto-configure properly for libxslt present or not (Tom) [8.3.3] 1. Make pg_get_ruledef() parenthesize negative constants (Tom) Before this fix, a negative constant in a view or rule might be dumped as, say, -42::integer, which is subtly incorrect: it should be (-42)::integer due to operator precedence rules. Usually this would make little difference, but it could interact with another recent patch to cause PostgreSQL to reject what had been a valid SELECT DISTINCT view query. Since this could result in pg_dump output failing to reload, it is being treated as a high-priority fix. The only released versions in which dump output is actually incorrect are 8.3.1 and 8.2.7. 2. Make ALTER AGGREGATE ... OWNER TO update pg_shdepend (Tom) This oversight could lead to problems if the aggregate was later involved in a DROP OWNED or REASSIGN OWNED operation. [8.3.4] 1. Fix bug in btree WAL recovery code (Heikki) Recovery failed if the WAL ended partway through a page split operation. 2. Fix potential use of wrong cutoff XID for HOT page pruning (Alvaro) This error created a risk of corruption in system catalogs that are consulted by VACUUM: dead tuple versions might be removed too soon. The impact of this on actual database operations would be minimal, since the system doesn't follow MVCC rules while examining catalogs, but it might result in transiently wrong output from pg_dump or other client programs. 3. Fix potential miscalculation of datfrozenxid (Alvaro) This error may explain some recent reports of failure to remove old pg_clog data. 4. Fix incorrect HOT updates after pg_class is reindexed (Tom) Corruption of pg_class could occur if REINDEX TABLE pg_class was followed in the same session by an ALTER TABLE RENAME or ALTER TABLE SET SCHEMA command. 5. Fix missed "combo cid" case (Karl Schnaitter) This error made rows incorrectly invisible to a transaction in which they had been deleted by multiple subtransactions that all aborted. 6. Prevent autovacuum from crashing if the table it's currently checking is deleted at just the wrong time (Alvaro) 7. Widen local lock counters from 32 to 64 bits (Tom) This responds to reports that the counters could overflow in sufficiently long transactions, leading to unexpected "lock is already held" errors. 8. Fix possible duplicate output of tuples during a GiST index scan (Teodor) 9. Regenerate foreign key checking queries from scratch when either table is modified (Tom) Previously, 8.3 would attempt to replan the query, but would work from previously generated query text. This led to failures if a table or column was renamed. 10. Fix missed permissions checks when a view contains a simple UNION ALL construct (Heikki) Permissions for the referenced tables were checked properly, but not permissions for the view itself. 11. Add checks in executor startup to ensure that the tuples produced by an INSERT or UPDATE will match the target table's current rowtype (Tom) This situation is believed to be impossible in 8.3, but it can happen in prior releases, so a check seems prudent. 12. Fix possible repeated drops during DROP OWNED (Tom) This would typically result in strange errors such as "cache lookup failed for relation NNN". 13. Fix several memory leaks in XML operations (Kris Jurka, Tom) 14. Fix xmlserialize() to raise error properly for unacceptable target data type (Tom) 15. Fix a couple of places that mis-handled multibyte characters in text search configuration file parsing (Tom) Certain characters occurring in configuration files would always cause "invalid byte sequence for encoding" failures. 16. Fix AT TIME ZONE to first try to interpret its timezone argument as a timezone abbreviation, and only try it as a full timezone name if that fails, rather than the other way around as formerly (Tom) The timestamp input functions have always resolved ambiguous zone names in this order. Making AT TIME ZONE do so as well improves consistency, and fixes a compatibility bug introduced in 8.1: in ambiguous cases we now behave the same as 8.0 and before did, since in the older versions AT TIME ZONE accepted only abbreviations. 17. Fix datetime input functions to correctly detect integer overflow when running on a 64-bit platform (Tom) 18. Prevent integer overflows during units conversion when displaying a configuration parameter that has units (Tom) 19. Allow spaces in the suffix part of an LDAP URL in pg_hba.conf (Tom) 20. Fix bug in backwards scanning of a cursor on a SELECT DISTINCT ON query (Tom) 21. Fix planner bug that could improperly push down IS NULL tests below an outer join (Tom) This was triggered by occurrence of IS NULL tests for the same relation in all arms of an upper OR clause. 22. Fix planner bug with nested sub-select expressions (Tom) If the outer sub-select has no direct dependency on the parent query, but the inner one does, the outer value might not get recalculated for new parent query rows. 23. Fix planner to estimate that GROUP BY expressions yielding boolean results always result in two groups, regardless of the expressions' contents (Tom) 24. This is very substantially more accurate than the regular GROUP BY estimate for certain boolean tests like col IS NULL. 25. Fix PL/pgSQL to not fail when a FOR loop's target variable is a record containing composite-type fields (Tom) 26. Fix PL/Tcl to behave correctly with Tcl 8.5, and to be more careful about the encoding of data sent to or from Tcl (Tom) 27. On Windows, work around a Microsoft bug by preventing libpq from trying to send more than 64kB per system call (Magnus) 28. Fix ecpg to handle variables properly in SET commands (Michael) 29. Improve pg_dump and pg_restore's error reporting after failure to send a SQL command (Tom) 30. Fix pg_ctl to properly preserve postmaster command-line arguments across a restart (Bruce) 31. Fix erroneous WAL file cutoff point calculation in pg_standby (Simon) [8.3.5] 1. Fix GiST index corruption due to marking the wrong index entry "dead" after a deletion (Teodor) This would result in index searches failing to find rows they should have found. Corrupted indexes can be fixed with REINDEX. 2. Fix backend crash when the client encoding cannot represent a localized error message (Tom) We have addressed similar issues before, but it would still fail if the "character has no equivalent" message itself couldn't be converted. The fix is to disable localization and send the plain ASCII error message when we detect such a situation. 3. Fix possible crash in bytea-to-XML mapping (Michael McMaster) 4. Fix possible crash when deeply nested functions are invoked from a trigger (Tom) 5. Improve optimization of expression IN (expression-list) queries (Tom, per an idea from Robert Haas) Cases in which there are query variables on the right-hand side had been handled less efficiently in 8.2.x and 8.3.x than in prior versions. The fix restores 8.1 behavior for such cases. 6. Fix mis-expansion of rule queries when a sub-SELECT appears in a function call in FROM, a multi-row VALUES list, or a RETURNING list (Tom) The usual symptom of this problem is an "unrecognized node type" error. 7. Fix Assert failure during rescan of an IS NULL search of a GiST index (Teodor) 8. Fix memory leak during rescan of a hashed aggregation plan (Neil) 9. Ensure an error is reported when a newly-defined PL/pgSQL trigger function is invoked as a normal function (Tom) 10. Force a checkpoint before CREATE DATABASE starts to copy files (Heikki) This prevents a possible failure if files had recently been deleted in the source database. 11. Prevent possible collision of relfilenode numbers when moving a table to another tablespace with ALTER SET TABLESPACE (Heikki) The command tried to re-use the existing filename, instead of picking one that is known unused in the destination directory. 12. Fix incorrect text search headline generation when single query item matches first word of text (Sushant Sinha) 13. Fix improper display of fractional seconds in interval values when using a non-ISO datestyle in an --enable-integer-datetimes build (Ron Mayer) 14. Make ILIKE compare characters case-insensitively even when they're escaped (Andrew) 15. Ensure DISCARD is handled properly by statement logging (Tom) 16. Fix incorrect logging of last-completed-transaction time during PITR recovery (Tom) 17. Ensure SPI_getvalue and SPI_getbinval behave correctly when the passed tuple and tuple descriptor have different numbers of columns (Tom) This situation is normal when a table has had columns added or removed, but these two functions didn't handle it properly. The only likely consequence is an incorrect error indication. 18. Fix small memory leak when using libpq's gsslib parameter (Magnus) The space used by the parameter string was not freed at connection close. 19. Ensure libgssapi is linked into libpq if needed (Markus Schaaf) 20. Fix ecpg's parsing of CREATE ROLE (Michael) 21. Fix recent breakage of pg_ctl restart (Tom) 22. Ensure pg_control is opened in binary mode (Itagaki Takahiro) pg_controldata and pg_resetxlog did this incorrectly, and so could fail on Windows. [8.3.6] 1. Make DISCARD ALL release advisory locks, in addition to everything it already did (Tom) This was decided to be the most appropriate behavior. This could affect existing applications, however. 2. Fix whole-index GiST scans to work correctly (Teodor) This error could cause rows to be lost if a table is clustered on a GiST index. 3. Fix crash of xmlconcat(NULL) (Peter) 4. Fix possible crash in ispell dictionary if high-bit-set characters are used as flags (Teodor) This is known to be done by one widely available Norwegian dictionary, and the same condition may exist in others. 5. Fix misordering of pg_dump output for composite types (Tom) The most likely problem was for user-defined operator classes to be dumped after indexes or views that needed them. 6. Improve handling of URLs in headline() function (Teodor) 7. Improve handling of overlength headlines in headline() function (Teodor) 8. Prevent possible Assert failure or misconversion if an encoding conversion is created with the wrong conversion function for the specified pair of encodings (Tom, Heikki) 9. Fix possible Assert failure if a statement executed in PL/pgSQL is rewritten into another kind of statement, for example if an INSERT is rewritten into an UPDATE (Heikki) 10. Ensure that a snapshot is available to datatype input functions (Tom) This primarily affects domains that are declared with CHECK constraints involving user-defined stable or immutable functions. Such functions typically fail if no snapshot has been set. 11. Make it safer for SPI-using functions to be used within datatype I/O; in particular, to be used in domain check constraints (Tom) 12. Avoid unnecessary locking of small tables in VACUUM (Heikki) 13. Fix a problem that sometimes kept ALTER TABLE ENABLE/DISABLE RULE from being recognized by active sessions (Tom) 14. Fix a problem that made UPDATE RETURNING tableoid return zero instead of the correct OID (Tom) 15. Allow functions declared as taking ANYARRAY to work on the pg_statistic columns of that type (Tom) This used to work, but was unintentionally broken in 8.3. 16. Fix planner misestimation of selectivity when transitive equality is applied to an outer-join clause (Tom) This could result in bad plans for queries like ... from a left join b on a.a1 = b.b1 where a.a1 = 42 ... 17. Improve optimizer's handling of long IN lists (Tom) This change avoids wasting large amounts of time on such lists when constraint exclusion is enabled. 18. Prevent synchronous scan during GIN index build (Tom) Because GIN is optimized for inserting tuples in increasing TID order, choosing to use a synchronous scan could slow the build by a factor of three or more. 19. Ensure that the contents of a holdable cursor don't depend on the contents of TOAST tables (Tom) Previously, large field values in a cursor result might be represented as TOAST pointers, which would fail if the referenced table got dropped before the cursor is read, or if the large value is deleted and then vacuumed away. This cannot happen with an ordinary cursor, but it could with a cursor that is held past its creating transaction. 20. Fix memory leak when a set-returning function is terminated without reading its whole result (Tom) 21. Fix encoding conversion problems in XML functions when the database encoding isn't UTF-8 (Tom) 22. Fix contrib/dblink's dblink_get_result(text,bool) function (Joe) 23. Fix possible garbage output from contrib/sslinfo functions (Tom) 24. Fix incorrect behavior of contrib/tsearch2 compatibility trigger when it's fired more than once in a command (Teodor) 25. Fix possible mis-signaling in autovacuum (Heikki) 26. Fix ecpg's handling of varchar structs (Michael) 27. Fix configure script to properly report failure when unable to obtain linkage information for PL/Perl (Andrew) [8.3.7] 1. Prevent error recursion crashes when encoding conversion fails (Tom) This change extends fixes made in the last two minor releases for related failure scenarios. The previous fixes were narrowly tailored for the original problem reports, but we have now recognized that any error thrown by an encoding conversion function could potentially lead to infinite recursion while trying to report the error. The solution therefore is to disable translation and encoding conversion and report the plain-ASCII form of any error message, if we find we have gotten into a recursive error reporting situation. (CVE-2009-0922) 2. Disallow CREATE CONVERSION with the wrong encodings for the specified conversion function (Heikki) 2. This prevents one possible scenario for encoding conversion failure. The previous change is a backstop to guard against other kinds of failures in the same area. 3. Fix xpath() to not modify the path expression unless necessary, and to make a saner attempt at it when necessary (Andrew) The SQL standard suggests that xpath should work on data that is a document fragment, but libxml doesn't support that, and indeed it's not clear that this is sensible according to the XPath standard. xpath attempted to work around this mismatch by modifying both the data and the path expression, but the modification was buggy and could cause valid searches to fail. Now, xpath checks whether the data is in fact a well-formed document, and if so invokes libxml with no change to the data or path expression. Otherwise, a different modification method that is somewhat less likely to fail is used. Note: The new modification method is still not 100% satisfactory, and it seems likely that no real solution is possible. This patch should therefore be viewed as a band-aid to keep from breaking existing applications unnecessarily. It is likely that PostgreSQL 8.4 will simply reject use of xpath on data that is not a well-formed document. 4. Fix core dump when to_char() is given format codes that are inappropriate for the type of the data argument (Tom) 5. Fix possible failure in text search when C locale is used with a multi-byte encoding (Teodor) Crashes were possible on platforms where wchar_t is narrower than int; Windows in particular. 6. Fix extreme inefficiency in text search parser's handling of an email-like string containing multiple @ characters (Heikki) 7. Fix planner problem with sub-SELECT in the output list of a larger subquery (Tom) The known symptom of this bug is a "failed to locate grouping columns" error that is dependent on the datatype involved; but there could be other issues as well. 8. Fix decompilation of CASE WHEN with an implicit coercion (Tom) This mistake could lead to Assert failures in an Assert-enabled build, or an "unexpected CASE WHEN clause" error message in other cases, when trying to examine or dump a view. 9. Fix possible misassignment of the owner of a TOAST table's rowtype (Tom) If CLUSTER or a rewriting variant of ALTER TABLE were executed by someone other than the table owner, the pg_type entry for the table's TOAST table would end up marked as owned by that someone. This caused no immediate problems, since the permissions on the TOAST rowtype aren't examined by any ordinary database operation. However, it could lead to unexpected failures if one later tried to drop the role that issued the command (in 8.1 or 8.2), or "owner of data type appears to be invalid" warnings from pg_dump after having done so (in 8.3). 10. Change UNLISTEN to exit quickly if the current session has never executed any LISTEN command (Tom) Most of the time this is not a particularly useful optimization, but since DISCARD ALL invokes UNLISTEN, the previous coding caused a substantial performance problem for applications that made heavy use of DISCARD ALL. 11. Fix PL/pgSQL to not treat INTO after INSERT as an INTO-variables clause anywhere in the string, not only at the start; in particular, don't fail for INSERT INTO within CREATE RULE (Tom) 12. Clean up PL/pgSQL error status variables fully at block exit (Ashesh Vashi and Dave Page) This is not a problem for PL/pgSQL itself, but the omission could cause the PL/pgSQL Debugger to crash while examining the state of a function. 13. Retry failed calls to CallNamedPipe() on Windows (Steve Marshall, Magnus) It appears that this function can sometimes fail transiently; we previously treated any failure as a hard error, which could confuse LISTEN/NOTIFY as well as other operations. [8.3.8] 1. Fix Windows shared-memory allocation code (Tsutomu Yamada, Magnus) This bug led to the often-reported "could not reattach to shared memory" error message. 2. Force WAL segment switch during pg_start_backup() (Heikki) This avoids corner cases that could render a base backup unusable. 3. Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside security-definer functions (Tom, Heikki) This covers a case that was missed in the previous patch that disallowed SET ROLE and SET SESSION AUTHORIZATION inside security-definer functions. (See CVE-2007-6600) 4. Make LOAD of an already-loaded loadable module into a no-op (Tom) Formerly, LOAD would attempt to unload and re-load the module, but this is unsafe and not all that useful. 5. Disallow empty passwords during LDAP authentication (Magnus) 6. Fix handling of sub-SELECTs appearing in the arguments of an outer-level aggregate function (Tom) 7. Fix bugs associated with fetching a whole-row value from the output of a Sort or Materialize plan node (Tom) 8. Prevent synchronize_seqscans from changing the results of scrollable and WITH HOLD cursors (Tom) 9. Revert planner change that disabled partial-index and constraint exclusion optimizations when there were more than 100 clauses in an AND or OR list (Tom) 10. Fix hash calculation for data type interval (Tom) This corrects wrong results for hash joins on interval values. It also changes the contents of hash indexes on interval columns. If you have any such indexes, you must REINDEX them after updating. 11. Treat to_char(..., 'TH') as an uppercase ordinal suffix with 'HH'/'HH12' (Heikki) It was previously handled as 'th' (lowercase). 12. Fix overflow for INTERVAL 'x ms' when x is more than 2 million and integer datetimes are in use (Alex Hunsaker) 13. Fix calculation of distance between a point and a line segment (Tom) This led to incorrect results from a number of geometric operators. 14. Fix money data type to work in locales where currency amounts have no fractional digits, e.g. Japan (Itagaki Takahiro) 15. Fix LIKE for case where pattern contains %_ (Tom) 16. Properly round datetime input like 00:12:57.9999999999999999999999999999 (Tom) 17. Fix memory leaks in XML operations (Tom) 18. Fix poor choice of page split point in GiST R-tree operator classes (Teodor) 19. Ensure that a "fast shutdown" request will forcibly terminate open sessions, even if a "smart shutdown" was already in progress (Fujii Masao) 20. Avoid performance degradation in bulk inserts into GIN indexes when the input values are (nearly) in sorted order (Tom) 21. Correctly enforce NOT NULL domain constraints in some contexts in PL/pgSQL (Tom) 22. Fix portability issues in plperl initialization (Andrew Dunstan) 23. Fix pg_ctl to not go into an infinite loop if postgresql.conf is empty (Jeff Davis) 24. Improve pg_dump's efficiency when there are many large objects (Tamas Vincze) 25. Use SIGUSR1, not SIGQUIT, as the failover signal for pg_standby (Heikki) 26. Make pg_standby's maxretries option behave as documented (Fujii Masao) 27. Make contrib/hstore throw an error when a key or value is too long to fit in its data structure, rather than silently truncating it (Andrew Gierth) 28. Fix contrib/xml2's xslt_process() to properly handle the maximum number of parameters (twenty) (Tom) 29. Improve robustness of libpq's code to recover from errors during COPY FROM STDIN (Tom) [8.3.9] 1. Protect against indirect security threats caused by index functions changing session-local state (Gurjeet Singh, Tom) This change prevents allegedly-immutable index functions from possibly subverting a superuser's session (CVE-2009-4136). 2. Reject SSL certificates containing an embedded null byte in the common name (CN) field (Magnus) This prevents unintended matching of a certificate to a server or client name during SSL validation (CVE-2009-4034). 3. Fix possible crash during backend-startup-time cache initialization (Tom) 4. Avoid crash on empty thesaurus dictionary (Tom) 5. Prevent signals from interrupting VACUUM at unsafe times (Alvaro) This fix prevents a PANIC if a VACUUM FULL is cancelled after it's already committed its tuple movements, as well as transient errors if a plain VACUUM is interrupted after having truncated the table. 6. Fix possible crash due to integer overflow in hash table size calculation (Tom) This could occur with extremely large planner estimates for the size of a hashjoin's result. 7. Fix very rare crash in inet/cidr comparisons (Chris Mikkelson) 8. Ensure that shared tuple-level locks held by prepared transactions are not ignored (Heikki) 9. Fix premature drop of temporary files used for a cursor that is accessed within a subtransaction (Heikki) 10. Fix memory leak in syslogger process when rotating to a new CSV logfile (Tom) 11. Fix Windows permission-downgrade logic (Jesse Morris) This fixes some cases where the database failed to start on Windows, often with misleading error messages such as "could not locate matching postgres executable". 12. Fix incorrect logic for GiST index page splits, when the split depends on a non-first column of the index (Paul Ramsey) 13. Don't error out if recycling or removing an old WAL file fails at the end of checkpoint (Heikki) It's better to treat the problem as non-fatal and allow the checkpoint to complete. Future checkpoints will retry the removal. Such problems are not expected in normal operation, but have been seen to be caused by misdesigned Windows anti-virus and backup software. 14. Ensure WAL files aren't repeatedly archived on Windows (Heikki) This is another symptom that could happen if some other process interfered with deletion of a no-longer-needed file. 15. Fix PAM password processing to be more robust (Tom) The previous code is known to fail with the combination of the Linux pam_krb5 PAM module with Microsoft Active Directory as the domain controller. It might have problems elsewhere too, since it was making unjustified assumptions about what arguments the PAM stack would pass to it. 16. Raise the maximum authentication token (Kerberos ticket) size in GSSAPI and SSPI authentication methods (Ian Turner) While the old 2000-byte limit was more than enough for Unix Kerberos implementations, tickets issued by Windows Domain Controllers can be much larger. 17. Re-enable collection of access statistics for sequences (Akira Kurosawa) This used to work but was broken in 8.3. 18. Fix processing of ownership dependencies during CREATE OR REPLACE FUNCTION (Tom) 19. Fix incorrect handling of WHERE x=x conditions (Tom) In some cases these could get ignored as redundant, but they aren't - they're equivalent to x IS NOT NULL. 20. Make text search parser accept underscores in XML attributes (Peter) 21. Fix encoding handling in xml binary input (Heikki) If the XML header doesn't specify an encoding, we now assume UTF-8 by default; the previous handling was inconsistent. 22. Fix bug with calling plperl from plperlu or vice versa (Tom) An error exit from the inner function could result in crashes due to failure to re-select the correct Perl interpreter for the outer function. 23. Fix session-lifespan memory leak when a PL/Perl function is redefined (Tom) 24. Ensure that Perl arrays are properly converted to PostgreSQL arrays when returned by a set-returning PL/Perl function (Andrew Dunstan, Abhijit Menon-Sen) This worked correctly already for non-set-returning functions. 25. Fix rare crash in exception processing in PL/Python (Peter) 26. In contrib/pg_standby, disable triggering failover with a signal on Windows (Fujii Masao) This never did anything useful, because Windows doesn't have Unix-style signals, but recent changes made it actually crash. 27. Make the postmaster ignore any application_name parameter in connection request packets, to improve compatibility with future libpq versions (Tom) [8.3.10] 1. Fix possible deadlock during backend startup (Tom) 2. Fix possible crashes due to not handling errors during relcache reload cleanly (Tom) 3. Fix possible crash due to use of dangling pointer to a cached plan (Tatsuo) 4. Fix possible crashes when trying to recover from a failure in subtransaction start (Tom) 5. Fix server memory leak associated with use of savepoints and a client encoding different from server's encoding (Tom) 6. Fix incorrect WAL data emitted during end-of-recovery cleanup of a GIST index page split (Yoichi Hirai) This would result in index corruption, or even more likely an error during WAL replay, if we were unlucky enough to crash during end-of-recovery cleanup after having completed an incomplete GIST insertion. 7. Make substring() for bit types treat any negative length as meaning "all the rest of the string" (Tom) The previous coding treated only -1 that way, and would produce an invalid result value for other negative values, possibly leading to a crash (CVE-2010-0442). 8. Fix integer-to-bit-string conversions to handle the first fractional byte correctly when the output bit width is wider than the given integer by something other than a multiple of 8 bits (Tom) 9. Fix some cases of pathologically slow regular expression matching (Tom) 10. Fix assorted crashes in xml processing caused by sloppy memory management (Tom) This is a back-patch of changes first applied in 8.4. The 8.3 code was known buggy, but the new code was sufficiently different to not want to back-patch it until it had gotten some field testing. 11. Fix bug with trying to update a field of an element of a composite-type array column (Tom) 12. Fix the STOP WAL LOCATION entry in backup history files to report the next WAL segment's name when the end location is exactly at a segment boundary (Itagaki Takahiro) 13. Fix some more cases of temporary-file leakage (Heikki) This corrects a problem introduced in the previous minor release. One case that failed is when a plpgsql function returning set is called within another function's exception handler. 14. Improve constraint exclusion processing of boolean-variable cases, in particular make it possible to exclude a partition that has a "bool_column = false" constraint (Tom) 15. When reading pg_hba.conf and related files, do not treat @something as a file inclusion request if the @ appears inside quote marks; also, never treat @ by itself as a file inclusion request (Tom) This prevents erratic behavior if a role or database name starts with @. If you need to include a file whose path name contains spaces, you can still do so, but you must write @"/path to/file" rather than putting the quotes around the whole construct. 16. Prevent infinite loop on some platforms if a directory is named as an inclusion target in pg_hba.conf and related files (Tom) 17. Fix possible infinite loop if SSL_read or SSL_write fails without setting errno (Tom) This is reportedly possible with some Windows versions of openssl. 18. Disallow GSSAPI authentication on local connections, since it requires a hostname to function correctly (Magnus) 19. Make ecpg report the proper SQLSTATE if the connection disappears (Michael) 20. Fix psql's numericlocale option to not format strings it shouldn't in latex and troff output formats (Heikki) 21. Make psql return the correct exit status (3) when ON_ERROR_STOP and --single-transaction are both specified and an error occurs during the implied COMMIT (Bruce) 22. Fix plpgsql failure in one case where a composite column is set to NULL (Tom) 23. Fix possible failure when calling PL/Perl functions from PL/PerlU or vice versa (Tim Bunce) 24. Add volatile markings in PL/Python to avoid possible compiler-specific misbehavior (Zdenek Kotala) 25. Ensure PL/Tcl initializes the Tcl interpreter fully (Tom) The only known symptom of this oversight is that the Tcl clock command misbehaves if using Tcl 8.5 or later. 26. Prevent crash in contrib/dblink when too many key columns are specified to a dblink_build_sql_* function (Rushabh Lathia, Joe Conway) 27. Allow zero-dimensional arrays in contrib/ltree operations (Tom) This case was formerly rejected as an error, but it's more convenient to treat it the same as a zero-element array. In particular this avoids unnecessary failures when an ltree operation is applied to the result of ARRAY(SELECT ...) and the sub-select returns no rows. 28. Fix assorted crashes in contrib/xml2 caused by sloppy memory management (Tom) 29. Make building of contrib/xml2 more robust on Windows (Andrew) 30. Fix race condition in Windows signal handling (Radu Ilie) One known symptom of this bug is that rows in pg_listener could be dropped under heavy load. [8.3.11] 1. Enforce restrictions in plperl using an opmask applied to the whole interpreter, instead of using Safe.pm (Tim Bunce, Andrew Dunstan) Recent developments have convinced us that Safe.pm is too insecure to rely on for making plperl trustable. This change removes use of Safe.pm altogether, in favor of using a separate interpreter with an opcode mask that is always applied. Pleasant side effects of the change include that it is now possible to use Perl's strict pragma in a natural way in plperl, and that Perl's $a and $b variables work as expected in sort routines, and that function compilation is significantly faster. (CVE-2010-1169) 2. Prevent PL/Tcl from executing untrustworthy code from pltcl_modules (Tom) PL/Tcl's feature for autoloading Tcl code from a database table could be exploited for trojan-horse attacks, because there was no restriction on who could create or insert into that table. This change disables the feature unless pltcl_modules is owned by a superuser. (However, the permissions on the table are not checked, so installations that really need a less-than-secure modules table can still grant suitable privileges to trusted non-superusers.) Also, prevent loading code into the unrestricted "normal" Tcl interpreter unless we are really going to execute a pltclu function. (CVE-2010-1170) 3. Fix possible crash if a cache reset message is received during rebuild of a relcache entry (Heikki) This error was introduced in 8.3.10 while fixing a related failure. 4. Apply per-function GUC settings while running the language validator for the function (Itagaki Takahiro) This avoids failures if the function's code is invalid without the setting; an example is that SQL functions may not parse if the search_path is not correct. 5. Do not allow an unprivileged user to reset superuser-only parameter settings (Alvaro) Previously, if an unprivileged user ran ALTER USER ... RESET ALL for himself, or ALTER DATABASE ... RESET ALL for a database he owns, this would remove all special parameter settings for the user or database, even ones that are only supposed to be changeable by a superuser. Now, the ALTER will only remove the parameters that the user has permission to change. 6. Avoid possible crash during backend shutdown if shutdown occurs when a CONTEXT addition would be made to log entries (Tom) In some cases the context-printing function would fail because the current transaction had already been rolled back when it came time to print a log message. 7. Ensure the archiver process responds to changes in archive_command as soon as possible (Tom) 8. Update pl/perl's ppport.h for modern Perl versions (Andrew) 9. Fix assorted memory leaks in pl/python (Andreas Freund, Tom) 10. Prevent infinite recursion in psql when expanding a variable that refers to itself (Tom) 11. Fix psql's \copy to not add spaces around a dot within \copy (select ...) (Tom) Addition of spaces around the decimal point in a numeric literal would result in a syntax error. 12. Fix unnecessary "GIN indexes do not support whole-index scans" errors for unsatisfiable queries using contrib/intarray operators (Tom) 13. Ensure that contrib/pgstattuple functions respond to cancel interrupts promptly (Tatsuhito Kasahara) 14. Make server startup deal properly with the case that shmget() returns EINVAL for an existing shared memory segment (Tom) This behavior has been observed on BSD-derived kernels including OS X. It resulted in an entirely-misleading startup failure complaining that the shared memory request size was too large. 15. Avoid possible crashes in syslogger process on Windows (Heikki) 16. Deal more robustly with incomplete time zone information in the Windows registry (Magnus) [8.3.12] 1. Use a separate interpreter for each calling SQL userid in PL/Perl and PL/Tcl (Tom Lane) This change prevents security problems that can be caused by subverting Perl or Tcl code that will be executed later in the same session under another SQL user identity (for example, within a SECURITY DEFINER function). Most scripting languages offer numerous ways that that might be done, such as redefining standard functions or operators called by the target function. Without this change, any SQL user with Perl or Tcl language usage rights can do essentially anything with the SQL privileges of the target function's owner. The cost of this change is that intentional communication among Perl and Tcl functions becomes more difficult. To provide an escape hatch, PL/PerlU and PL/TclU functions continue to use only one interpreter per session. This is not considered a security issue since all such functions execute at the trust level of a database superuser already. It is likely that third-party procedural languages that claim to offer trusted execution have similar security issues. We advise contacting the authors of any PL you are depending on for security-critical purposes. Our thanks to Tim Bunce for pointing out this issue (CVE-2010-3433). 2. Prevent possible crashes in pg_get_expr() by disallowing it from being called with an argument that is not one of the system catalog columns it's intended to be used with (Heikki Linnakangas, Tom Lane) 3. Treat exit code 128 (ERROR_WAIT_NO_CHILDREN) as non-fatal on Windows (Magnus Hagander) Under high load, Windows processes will sometimes fail at startup with this error code. Formerly the postmaster treated this as a panic condition and restarted the whole database, but that seems to be an overreaction. 4. Fix incorrect usage of non-strict OR joinclauses in Append indexscans (Tom Lane) This is a back-patch of an 8.4 fix that was missed in the 8.3 branch. This corrects an error introduced in 8.3.8 that could cause incorrect results for outer joins when the inner relation is an inheritance tree or UNION ALL subquery. 5. Fix possible duplicate scans of UNION ALL member relations (Tom Lane) 6. Fix "cannot handle unplanned sub-select" error (Tom Lane) This occurred when a sub-select contains a join alias reference that expands into an expression containing another sub-select. 7. Fix failure to mark cached plans as transient (Tom Lane) If a plan is prepared while CREATE INDEX CONCURRENTLY is in progress for one of the referenced tables, it is supposed to be re-planned once the index is ready for use. This was not happening reliably. 8. Reduce PANIC to ERROR in some occasionally-reported btree failure cases, and provide additional detail in the resulting error messages (Tom Lane) This should improve the system's robustness with corrupted indexes. 9. Prevent show_session_authorization() from crashing within autovacuum processes (Tom Lane) 10. Defend against functions returning setof record where not all the returned rows are actually of the same rowtype (Tom Lane) 11. Fix possible failure when hashing a pass-by-reference function result (Tao Ma, Tom Lane) 12. Improve merge join's handling of NULLs in the join columns (Tom Lane) A merge join can now stop entirely upon reaching the first NULL, if the sort order is such that NULLs sort high. 13. Take care to fsync the contents of lockfiles (both postmaster.pid and the socket lockfile) while writing them (Tom Lane) This omission could result in corrupted lockfile contents if the machine crashes shortly after postmaster start. That could in turn prevent subsequent attempts to start the postmaster from succeeding, until the lockfile is manually removed. 14. Avoid recursion while assigning XIDs to heavily-nested subtransactions (Andres Freund, Robert Haas) The original coding could result in a crash if there was limited stack space. 15. Avoid holding open old WAL segments in the walwriter process (Magnus Hagander, Heikki Linnakangas) The previous coding would prevent removal of no-longer-needed segments. 16. Fix log_line_prefix's %i escape, which could produce junk early in backend startup (Tom Lane) 17. Fix possible data corruption in ALTER TABLE ... SET TABLESPACE when archiving is enabled (Jeff Davis) 18. Allow CREATE DATABASE and ALTER DATABASE ... SET TABLESPACE to be interrupted by query-cancel (Guillaume Lelarge) 19. Fix REASSIGN OWNED to handle operator classes and families (Asko Tiidumaa) 20. Fix possible core dump when comparing two empty tsquery values (Tom Lane) 21. Fix LIKE's handling of patterns containing % followed by _ (Tom Lane) We've fixed this before, but there were still some incorrectly-handled cases. 22. In PL/Python, defend against null pointer results from PyCObject_AsVoidPtr and PyCObject_FromVoidPtr (Peter Eisentraut) 23. Make psql recognize DISCARD ALL as a command that should not be encased in a transaction block in autocommit-off mode (Itagaki Takahiro) 24. Fix ecpg to process data from RETURNING clauses correctly (Michael Meskes) 25. Improve contrib/dblink's handling of tables containing dropped columns (Tom Lane) 26. Fix connection leak after "duplicate connection name" errors in contrib/dblink (Itagaki Takahiro) 27. Fix contrib/dblink to handle connection names longer than 62 bytes correctly (Itagaki Takahiro) [8.3.13] 1. Fix assorted bugs in WAL replay logic for GIN indexes (Tom Lane) This could result in "bad buffer id: 0" failures or corruption of index contents during replication. 2. Fix recovery from base backup when the starting checkpoint WAL record is not in the same WAL segment as its redo point (Jeff Davis) 3. Fix persistent slowdown of autovacuum workers when multiple workers remain active for a long time (Tom Lane) The effective vacuum_cost_limit for an autovacuum worker could drop to nearly zero if it processed enough tables, causing it to run extremely slowly. 4. Add support for detecting register-stack overrun on IA64 (Tom Lane) The IA64 architecture has two hardware stacks. Full prevention of stack-overrun failures requires checking both. 5. Add a check for stack overflow in copyObject() (Tom Lane) Certain code paths could crash due to stack overflow given a sufficiently complex query. 6. Fix detection of page splits in temporary GiST indexes (Heikki Linnakangas) 7. It is possible to have a "concurrent" page split in a temporary index, if for example there is an open cursor scanning the index when an insertion is done. GiST failed to detect this case and hence could deliver wrong results when execution of the cursor continued. 7. Avoid memory leakage while ANALYZE'ing complex index expressions (Tom Lane) 8. Ensure an index that uses a whole-row Var still depends on its table (Tom Lane) An index declared like create index i on t (foo(t.*)) would not automatically get dropped when its table was dropped. 9. Do not "inline" a SQL function with multiple OUT parameters (Tom Lane) This avoids a possible crash due to loss of information about the expected result rowtype. 10. Behave correctly if ORDER BY, LIMIT, FOR UPDATE, or WITH is attached to the VALUES part of INSERT ... VALUES (Tom Lane) 11. Fix constant-folding of COALESCE() expressions (Tom Lane) The planner would sometimes attempt to evaluate sub-expressions that in fact could never be reached, possibly leading to unexpected errors. 12. Fix postmaster crash when connection acceptance (accept() or one of the calls made immediately after it) fails, and the postmaster was compiled with GSSAPI support (Alexander Chernikov) 13. Fix missed unlink of temporary files when log_temp_files is active (Tom Lane) If an error occurred while attempting to emit the log message, the unlink was not done, resulting in accumulation of temp files. 14. Add print functionality for InhRelation nodes (Tom Lane) This avoids a failure when debug_print_parse is enabled and certain types of query are executed. 15. Fix incorrect calculation of distance from a point to a horizontal line segment (Tom Lane) This bug affected several different geometric distance-measurement operators. 16. Fix PL/pgSQL's handling of "simple" expressions to not fail in recursion or error-recovery cases (Tom Lane) 17. Fix PL/Python's handling of set-returning functions (Jan Urbanski) Attempts to call SPI functions within the iterator generating a set result would fail. 18. Fix bug in contrib/cube's GiST picksplit algorithm (Alexander Korotkov) This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a cube column. If you have such an index, consider REINDEXing it after installing this update. 19. Don't emit "identifier will be truncated" notices in contrib/dblink except when creating new connections (Itagaki Takahiro) 20. Fix potential coredump on missing public key in contrib/pgcrypto (Marti Raudsepp) 21. Fix memory leak in contrib/xml2's XPath query functions (Tom Lane) [8.3.14] 1. Avoid failures when EXPLAIN tries to display a simple-form CASE expression (Tom Lane) If the CASE's test expression was a constant, the planner could simplify the CASE into a form that confused the expression-display code, resulting in "unexpected CASE WHEN clause" errors. 2. Fix assignment to an array slice that is before the existing range of subscripts (Tom Lane) If there was a gap between the newly added subscripts and the first pre-existing subscript, the code miscalculated how many entries needed to be copied from the old array's null bitmap, potentially leading to data corruption or crash. 3. Avoid unexpected conversion overflow in planner for very distant date values (Tom Lane) The date type supports a wider range of dates than can be represented by the timestamp types, but the planner assumed it could always convert a date to timestamp with impunity. 4. Fix pg_restore's text output for large objects (BLOBs) when standard_conforming_strings is on (Tom Lane) Although restoring directly to a database worked correctly, string escaping was incorrect if pg_restore was asked for SQL text output and standard_conforming_strings had been enabled in the source database. 5. Fix erroneous parsing of tsquery values containing ... & !(subexpression) | ... (Tom Lane) Queries containing this combination of operators were not executed correctly. The same error existed in contrib/intarray's query_int type and contrib/ltree's ltxtquery type. 6. Fix buffer overrun in contrib/intarray's input function for the query_int type (Apple) This bug is a security risk since the function's return address could be overwritten. Thanks to Apple Inc's security team for reporting this issue and supplying the fix. (CVE-2010-4015) 7. Fix bug in contrib/seg's GiST picksplit algorithm (Alexander Korotkov) This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a seg column. If you have such an index, consider REINDEXing it after installing this update. (This is identical to the bug that was fixed in contrib/cube in the previous update.) [8.3.15] 1. Disallow including a composite type in itself (Tom Lane) This prevents scenarios wherein the server could recurse infinitely while processing the composite type. While there are some possible uses for such a structure, they don't seem compelling enough to justify the effort required to make sure it always works safely. 2. Avoid potential deadlock during catalog cache initialization (Nikhil Sontakke) In some cases the cache loading code would acquire share lock on a system index before locking the index's catalog. This could deadlock against processes trying to acquire exclusive locks in the other, more standard order. 3. Fix dangling-pointer problem in BEFORE ROW UPDATE trigger handling when there was a concurrent update to the target tuple (Tom Lane) This bug has been observed to result in intermittent "cannot extract system attribute from virtual tuple" failures while trying to do UPDATE RETURNING ctid. There is a very small probability of more serious errors, such as generating incorrect index entries for the updated tuple. 4. Disallow DROP TABLE when there are pending deferred trigger events for the table (Tom Lane) Formerly the DROP would go through, leading to "could not open relation with OID nnn" errors when the triggers were eventually fired. 5. Fix PL/Python memory leak involving array slices (Daniel Popowich) 6. Fix pg_restore to cope with long lines (over 1KB) in TOC files (Tom Lane) 7. Put in more safeguards against crashing due to division-by-zero with overly enthusiastic compiler optimization (Aurelien Jarno) [8.4.1] 1. Fix WAL page header initialization at the end of archive recovery (Heikki) This could lead to failure to process the WAL in a subsequent archive recovery. 2. Fix "cannot make new WAL entries during recovery" error (Tom) 3. Fix problem that could make expired rows visible after a crash (Tom) This bug involved a page status bit potentially not being set correctly after a server crash. 4. Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside security-definer functions (Tom, Heikki) This covers a case that was missed in the previous patch that disallowed SET ROLE and SET SESSION AUTHORIZATION inside security-definer functions. (See CVE-2007-6600) 5. Make LOAD of an already-loaded loadable module into a no-op (Tom) Formerly, LOAD would attempt to unload and re-load the module, but this is unsafe and not all that useful. 6. Make window function PARTITION BY and ORDER BY items always be interpreted as simple expressions (Tom) In 8.4.0 these lists were parsed following the rules used for top-level GROUP BY and ORDER BY lists. But this was not correct per the SQL standard, and it led to possible circularity. 7. Fix several errors in planning of semi-joins (Tom) These led to wrong query results in some cases where IN or EXISTS was used together with another join. 8. Fix handling of whole-row references to subqueries that are within an outer join (Tom) An example is SELECT COUNT(ss.*) FROM ... LEFT JOIN (SELECT ...) ss ON .... Here, ss.* would be treated as ROW(NULL,NULL,...) for null-extended join rows, which is not the same as a simple NULL. Now it is treated as a simple NULL. 9. Fix Windows shared-memory allocation code (Tsutomu Yamada, Magnus) This bug led to the often-reported "could not reattach to shared memory" error message. 10. Fix locale handling with plperl (Heikki) This bug could cause the server's locale setting to change when a plperl function is called, leading to data corruption. 11. Fix handling of reloptions to ensure setting one option doesn't force default values for others (Itagaki Takahiro) 12. Ensure that a "fast shutdown" request will forcibly terminate open sessions, even if a "smart shutdown" was already in progress (Fujii Masao) 13. Avoid memory leak for array_agg() in GROUP BY queries (Tom) 14. Treat to_char(..., 'TH') as an uppercase ordinal suffix with 'HH'/'HH12' (Heikki) It was previously handled as 'th' (lowercase). 15. Include the fractional part in the result of EXTRACT(second) and EXTRACT(milliseconds) for time and time with time zone inputs (Tom) This has always worked for floating-point datetime configurations, but was broken in the integer datetime code. 16. Fix overflow for INTERVAL 'x ms' when x is more than 2 million and integer datetimes are in use (Alex Hunsaker) 17. Fix a typo that disabled commit_delay (Jeff Janes) 18. Output early-startup messages to postmaster.log if the server is started in silent mode (Tom) Previously such error messages were discarded, leading to difficulty in debugging. 19. Fix pg_ctl to not go into an infinite loop if postgresql.conf is empty (Jeff Davis) 20. Fix several errors in pg_dump's --binary-upgrade mode (Bruce, Tom) pg_dump --binary-upgrade is used by pg_migrator. 21. Fix contrib/xml2's xslt_process() to properly handle the maximum number of parameters (twenty) (Tom) 22. Improve robustness of libpq's code to recover from errors during COPY FROM STDIN (Tom) 23. Work around gcc bug that causes "floating-point exception" instead of "division by zero" on some platforms (Tom) [8.4.2] 1. Protect against indirect security threats caused by index functions changing session-local state (Gurjeet Singh, Tom) This change prevents allegedly-immutable index functions from possibly subverting a superuser's session (CVE-2009-4136). 2. Reject SSL certificates containing an embedded null byte in the common name (CN) field (Magnus) This prevents unintended matching of a certificate to a server or client name during SSL validation (CVE-2009-4034). 3. Fix hash index corruption (Tom) The 8.4 change that made hash indexes keep entries sorted by hash value failed to update the bucket splitting and compaction routines to preserve the ordering. So application of either of those operations could lead to permanent corruption of an index, in the sense that searches might fail to find entries that are present. To deal with this, it is recommended to REINDEX any hash indexes you may have after installing this update. 4. Fix possible crash during backend-startup-time cache initialization (Tom) 5. Avoid crash on empty thesaurus dictionary (Tom) 6. Prevent signals from interrupting VACUUM at unsafe times (Alvaro) This fix prevents a PANIC if a VACUUM FULL is cancelled after it's already committed its tuple movements, as well as transient errors if a plain VACUUM is interrupted after having truncated the table. 7. Fix possible crash due to integer overflow in hash table size calculation (Tom) This could occur with extremely large planner estimates for the size of a hashjoin's result. 8. Fix crash if a DROP is attempted on an internally-dependent object (Tom) 9. Fix very rare crash in inet/cidr comparisons (Chris Mikkelson) 10. Ensure that shared tuple-level locks held by prepared transactions are not ignored (Heikki) 11. Fix premature drop of temporary files used for a cursor that is accessed within a subtransaction (Heikki) 12. Fix memory leak in syslogger process when rotating to a new CSV logfile (Tom) 13. Fix memory leak in postmaster when re-parsing pg_hba.conf (Tom) 14. Fix Windows permission-downgrade logic (Jesse Morris) This fixes some cases where the database failed to start on Windows, often with misleading error messages such as "could not locate matching postgres executable". 15. Make FOR UPDATE/SHARE in the primary query not propagate into WITH queries (Tom) For example, in WITH w AS (SELECT * FROM foo) SELECT * FROM w, bar ... FOR UPDATEthe FOR UPDATE will now affect bar but not foo. This is more useful and consistent than the original 8.4 behavior, which tried to propagate FOR UPDATE into the WITH query but always failed due to assorted implementation restrictions. It also follows the design rule that WITH queries are executed as if independent of the main query. 16. Fix bug with a WITH RECURSIVE query immediately inside another one (Tom) 17. Fix concurrency bug in hash indexes (Tom) Concurrent insertions could cause index scans to transiently report wrong results. 18. Fix incorrect logic for GiST index page splits, when the split depends on a non-first column of the index (Paul Ramsey) 19. Fix wrong search results for a multi-column GIN index with fastupdate enabled (Teodor) 20. Fix bugs in WAL entry creation for GIN indexes (Tom) These bugs were masked when full_page_writes was on, but with it off a WAL replay failure was certain if a crash occurred before the next checkpoint. 21. Don't error out if recycling or removing an old WAL file fails at the end of checkpoint (Heikki) It's better to treat the problem as non-fatal and allow the checkpoint to complete. Future checkpoints will retry the removal. Such problems are not expected in normal operation, but have been seen to be caused by misdesigned Windows anti-virus and backup software. 22. Ensure WAL files aren't repeatedly archived on Windows (Heikki) This is another symptom that could happen if some other process interfered with deletion of a no-longer-needed file. 23. Fix PAM password processing to be more robust (Tom) The previous code is known to fail with the combination of the Linux pam_krb5 PAM module with Microsoft Active Directory as the domain controller. It might have problems elsewhere too, since it was making unjustified assumptions about what arguments the PAM stack would pass to it. 24. Raise the maximum authentication token (Kerberos ticket) size in GSSAPI and SSPI authentication methods (Ian Turner) While the old 2000-byte limit was more than enough for Unix Kerberos implementations, tickets issued by Windows Domain Controllers can be much larger. 25. Ensure that domain constraints are enforced in constructs like ARRAY[...]::domain, where the domain is over an array type (Heikki) 26. Fix foreign-key logic for some cases involving composite-type columns as foreign keys (Tom) 27. Ensure that a cursor's snapshot is not modified after it is created (Alvaro) This could lead to a cursor delivering wrong results if later operations in the same transaction modify the data the cursor is supposed to return. 28. Fix CREATE TABLE to properly merge default expressions coming from different inheritance parent tables (Tom) This used to work but was broken in 8.4. 29. Re-enable collection of access statistics for sequences (Akira Kurosawa) This used to work but was broken in 8.3. 30. Fix processing of ownership dependencies during CREATE OR REPLACE FUNCTION (Tom) 31. Fix incorrect handling of WHERE x=x conditions (Tom) In some cases these could get ignored as redundant, but they aren't - they're equivalent to x IS NOT NULL. 32. Fix incorrect plan construction when using hash aggregation to implement DISTINCT for textually identical volatile expressions (Tom) 33. Fix Assert failure for a volatile SELECT DISTINCT ON expression (Tom) 34. Fix ts_stat() to not fail on an empty tsvector value (Tom) 35. Make text search parser accept underscores in XML attributes (Peter) 36. Fix encoding handling in xml binary input (Heikki) If the XML header doesn't specify an encoding, we now assume UTF-8 by default; the previous handling was inconsistent. 37. Fix bug with calling plperl from plperlu or vice versa (Tom) An error exit from the inner function could result in crashes due to failure to re-select the correct Perl interpreter for the outer function. 38. Fix session-lifespan memory leak when a PL/Perl function is redefined (Tom) 39. Ensure that Perl arrays are properly converted to PostgreSQL arrays when returned by a set-returning PL/Perl function (Andrew Dunstan, Abhijit Menon-Sen) This worked correctly already for non-set-returning functions. 40. Fix rare crash in exception processing in PL/Python (Peter) 41. Fix ecpg problem with comments in DECLARE CURSOR statements (Michael) 42. Fix ecpg to not treat recently-added keywords as reserved words (Tom) This affected the keywords CALLED, CATALOG, DEFINER, ENUM, FOLLOWING, INVOKER, OPTIONS, PARTITION, PRECEDING, RANGE, SECURITY, SERVER, UNBOUNDED, and WRAPPER. 43. Re-allow regular expression special characters in psql's \df function name parameter (Tom) 44. In contrib/fuzzystrmatch, correct the calculation of levenshtein distances with non-default costs (Marcin Mank) 45. In contrib/pg_standby, disable triggering failover with a signal on Windows (Fujii Masao) This never did anything useful, because Windows doesn't have Unix-style signals, but recent changes made it actually crash. 46. Put FREEZE and VERBOSE options in the right order in the VACUUM command that contrib/vacuumdb produces (Heikki) 47. Fix possible leak of connections when contrib/dblink encounters an error (Tatsuhito Kasahara) 48. Make the postmaster ignore any application_name parameter in connection request packets, to improve compatibility with future libpq versions (Tom) [8.4.3] 1. Fix possible deadlock during backend startup (Tom) 2. Fix possible crashes due to not handling errors during relcache reload cleanly (Tom) 3. Fix possible crash due to use of dangling pointer to a cached plan (Tatsuo) 4. Fix possible crash due to overenthusiastic invalidation of cached plan for ROLLBACK (Tom) 5. Fix possible crashes when trying to recover from a failure in subtransaction start (Tom) 6. Fix server memory leak associated with use of savepoints and a client encoding different from server's encoding (Tom) 7. Fix incorrect WAL data emitted during end-of-recovery cleanup of a GIST index page split (Yoichi Hirai) This would result in index corruption, or even more likely an error during WAL replay, if we were unlucky enough to crash during end-of-recovery cleanup after having completed an incomplete GIST insertion. 8. Fix bug in WAL redo cleanup method for GIN indexes (Heikki) 9. Fix incorrect comparison of scan key in GIN index search (Teodor) 10. Make substring() for bit types treat any negative length as meaning "all the rest of the string" (Tom) 11. he previous coding treated only -1 that way, and would produce an invalid result value for other negative values, possibly leading to a crash (CVE-2010-0442). 12. Fix integer-to-bit-string conversions to handle the first fractional byte correctly when the output bit width is wider than the given integer by something other than a multiple of 8 bits (Tom) 13. Fix some cases of pathologically slow regular expression matching (Tom) 14. Fix bug occurring when trying to inline a SQL function that returns a set of a composite type that contains dropped columns (Tom) 15. Fix bug with trying to update a field of an element of a composite-type array column (Tom) 16. Avoid failure when EXPLAIN has to print a FieldStore or assignment ArrayRef expression (Tom) These cases can arise now that EXPLAIN VERBOSE tries to print plan node target lists. 17. Avoid an unnecessary coercion failure in some cases where an undecorated literal string appears in a subquery within UNION/INTERSECT/EXCEPT (Tom) This fixes a regression for some cases that worked before 8.4. 18. Avoid undesirable rowtype compatibility check failures in some cases where a whole-row Var has a rowtype that contains dropped columns (Tom) 19. Fix the STOP WAL LOCATION entry in backup history files to report the next WAL segment's name when the end location is exactly at a segment boundary (Itagaki Takahiro) 20. Always pass the catalog ID to an option validator function specified in CREATE FOREIGN DATA WRAPPER (Martin Pihlak) 21. Fix some more cases of temporary-file leakage (Heikki) This corrects a problem introduced in the previous minor release. One case that failed is when a plpgsql function returning set is called within another function's exception handler. 22. Add support for doing FULL JOIN ON FALSE (Tom) This prevents a regression from pre-8.4 releases for some queries that can now be simplified to a constant-false join condition. 23. Improve constraint exclusion processing of boolean-variable cases, in particular make it possible to exclude a partition that has a "bool_column = false" constraint (Tom) 24. Prevent treating an INOUT cast as representing binary compatibility (Heikki) 25. Include column name in the message when warning about inability to grant or revoke column-level privileges (Stephen Frost) This is more useful than before and helps to prevent confusion when a REVOKE generates multiple messages, which formerly appeared to be duplicates. 26. When reading pg_hba.conf and related files, do not treat @something as a file inclusion request if the @ appears inside quote marks; also, never treat @ by itself as a file inclusion request (Tom) This prevents erratic behavior if a role or database name starts with @. If you need to include a file whose path name contains spaces, you can still do so, but you must write @"/path to/file" rather than putting the quotes around the whole construct. 27. Prevent infinite loop on some platforms if a directory is named as an inclusion target in pg_hba.conf and related files (Tom) 28. Fix possible infinite loop if SSL_read or SSL_write fails without setting errno (Tom) This is reportedly possible with some Windows versions of openssl. 29. Disallow GSSAPI authentication on local connections, since it requires a hostname to function correctly (Magnus) 30. Protect ecpg against applications freeing strings unexpectedly (Michael) 31. Make ecpg report the proper SQLSTATE if the connection disappears (Michael) 32. Fix translation of cell contents in psql \d output (Heikki) 33. Fix psql's numericlocale option to not format strings it shouldn't in latex and troff output formats (Heikki) 34. Fix a small per-query memory leak in psql (Tom) 35. Make psql return the correct exit status (3) when ON_ERROR_STOP and --single-transaction are both specified and an error occurs during the implied COMMIT (Bruce) 36. Fix pg_dump's output of permissions for foreign servers (Heikki) 37. Fix possible crash in parallel pg_restore due to out-of-range dependency IDs (Tom) 38. Fix plpgsql failure in one case where a composite column is set to NULL (Tom) 39. Fix possible failure when calling PL/Perl functions from PL/PerlU or vice versa (Tim Bunce) 40. Add volatile markings in PL/Python to avoid possible compiler-specific misbehavior (Zdenek Kotala) 41. Ensure PL/Tcl initializes the Tcl interpreter fully (Tom) The only known symptom of this oversight is that the Tcl clock command misbehaves if using Tcl 8.5 or later. 42. ?Prevent ExecutorEnd from being run on portals created within a failed transaction or subtransaction (Tom) This is known to cause issues when using contrib/auto_explain. 43. Prevent crash in contrib/dblink when too many key columns are specified to a dblink_build_sql_* function (Rushabh Lathia, Joe Conway) 44. Allow zero-dimensional arrays in contrib/ltree operations (Tom) This case was formerly rejected as an error, but it's more convenient to treat it the same as a zero-element array. In particular this avoids unnecessary failures when an ltree operation is applied to the result of ARRAY(SELECT ...) and the sub-select returns no rows. 45. Fix assorted crashes in contrib/xml2 caused by sloppy memory management (Tom) 46. Fix race condition in Windows signal handling (Radu Ilie) One known symptom of this bug is that rows in pg_listener could be dropped under heavy load. [8.4.4] 1. Enforce restrictions in plperl using an opmask applied to the whole interpreter, instead of using Safe.pm (Tim Bunce, Andrew Dunstan) Recent developments have convinced us that Safe.pm is too insecure to rely on for making plperl trustable. This change removes use of Safe.pm altogether, in favor of using a separate interpreter with an opcode mask that is always applied. Pleasant side effects of the change include that it is now possible to use Perl's strict pragma in a natural way in plperl, and that Perl's $a and $b variables work as expected in sort routines, and that function compilation is significantly faster. (CVE-2010-1169) 2. Prevent PL/Tcl from executing untrustworthy code from pltcl_modules (Tom) PL/Tcl's feature for autoloading Tcl code from a database table could be exploited for trojan-horse attacks, because there was no restriction on who could create or insert into that table. This change disables the feature unless pltcl_modules is owned by a superuser. (However, the permissions on the table are not checked, so installations that really need a less-than-secure modules table can still grant suitable privileges to trusted non-superusers.) Also, prevent loading code into the unrestricted "normal" Tcl interpreter unless we are really going to execute a pltclu function. (CVE-2010-1170) 3. Fix data corruption during WAL replay of ALTER ... SET TABLESPACE (Tom) When archive_mode is on, ALTER ... SET TABLESPACE generates a WAL record whose replay logic was incorrect. It could write the data to the wrong place, leading to possibly-unrecoverable data corruption. Data corruption would be observed on standby slaves, and could occur on the master as well if a database crash and recovery occurred after committing the ALTER and before the next checkpoint. 4. Fix possible crash if a cache reset message is received during rebuild of a relcache entry (Heikki) This error was introduced in 8.4.3 while fixing a related failure. 5. Apply per-function GUC settings while running the language validator for the function (Itagaki Takahiro) This avoids failures if the function's code is invalid without the setting; an example is that SQL functions may not parse if the search_path is not correct. 6. Do constraint exclusion for inherited UPDATE and DELETE target tables when constraint_exclusion = partition (Tom) Due to an oversight, this setting previously only caused constraint exclusion to be checked in SELECT commands. 7. Do not allow an unprivileged user to reset superuser-only parameter settings (Alvaro) Previously, if an unprivileged user ran ALTER USER ... RESET ALL for himself, or ALTER DATABASE ... RESET ALL for a database he owns, this would remove all special parameter settings for the user or database, even ones that are only supposed to be changeable by a superuser. Now, the ALTER will only remove the parameters that the user has permission to change. 9. Avoid possible crash during backend shutdown if shutdown occurs when a CONTEXT addition would be made to log entries (Tom) In some cases the context-printing function would fail because the current transaction had already been rolled back when it came time to print a log message. 10. Fix erroneous handling of %r parameter in recovery_end_command (Heikki) The value always came out zero. 11. Ensure the archiver process responds to changes in archive_command as soon as possible (Tom) 12. Fix pl/pgsql's CASE statement to not fail when the case expression is a query that returns no rows (Tom) 13. Update pl/perl's ppport.h for modern Perl versions (Andrew) 14. Fix assorted memory leaks in pl/python (Andreas Freund, Tom) 15. Handle empty-string connect parameters properly in ecpg (Michael) 16. Prevent infinite recursion in psql when expanding a variable that refers to itself (Tom) 17. Fix psql's \copy to not add spaces around a dot within \copy (select ...) (Tom) Addition of spaces around the decimal point in a numeric literal would result in a syntax error. 18. Avoid formatting failure in psql when running in a locale context that doesn't match the client_encoding (Tom) 19. Fix unnecessary "GIN indexes do not support whole-index scans" errors for unsatisfiable queries using contrib/intarray operators (Tom) 20. Ensure that contrib/pgstattuple functions respond to cancel interrupts promptly (Tatsuhito Kasahara) 21. Make server startup deal properly with the case that shmget() returns EINVAL for an existing shared memory segment (Tom) This behavior has been observed on BSD-derived kernels including OS X. It resulted in an entirely-misleading startup failure complaining that the shared memory request size was too large. 22. Avoid possible crashes in syslogger process on Windows (Heikki) 23. Deal more robustly with incomplete time zone information in the Windows registry (Magnus) [8.4.5] 1. Use a separate interpreter for each calling SQL userid in PL/Perl and PL/Tcl (Tom Lane) This change prevents security problems that can be caused by subverting Perl or Tcl code that will be executed later in the same session under another SQL user identity (for example, within a SECURITY DEFINER function). Most scripting languages offer numerous ways that that might be done, such as redefining standard functions or operators called by the target function. Without this change, any SQL user with Perl or Tcl language usage rights can do essentially anything with the SQL privileges of the target function's owner. The cost of this change is that intentional communication among Perl and Tcl functions becomes more difficult. To provide an escape hatch, PL/PerlU and PL/TclU functions continue to use only one interpreter per session. This is not considered a security issue since all such functions execute at the trust level of a database superuser already. It is likely that third-party procedural languages that claim to offer trusted execution have similar security issues. We advise contacting the authors of any PL you are depending on for security-critical purposes. Our thanks to Tim Bunce for pointing out this issue (CVE-2010-3433). 2. Prevent possible crashes in pg_get_expr() by disallowing it from being called with an argument that is not one of the system catalog columns it's intended to be used with (Heikki Linnakangas, Tom Lane) 3. Treat exit code 128 (ERROR_WAIT_NO_CHILDREN) as non-fatal on Windows (Magnus Hagander) Under high load, Windows processes will sometimes fail at startup with this error code. Formerly the postmaster treated this as a panic condition and restarted the whole database, but that seems to be an overreaction. 4. Fix incorrect placement of placeholder evaluation (Tom Lane) This bug could result in query outputs being non-null when they should be null, in cases where the inner side of an outer join is a sub-select with non-strict expressions in its output list. 5. Fix possible duplicate scans of UNION ALL member relations (Tom Lane) 6. Fix "cannot handle unplanned sub-select" error (Tom Lane) This occurred when a sub-select contains a join alias reference that expands into an expression containing another sub-select. 7. Fix mishandling of whole-row Vars that reference a view or sub-select and appear within a nested sub-select (Tom Lane) 8. Fix mishandling of cross-type IN comparisons (Tom Lane) This could result in failures if the planner tried to implement an IN join with a sort-then-unique-then-plain-join plan. 9. Fix computation of ANALYZE statistics for tsvector columns (Jan Urbanski) The original coding could produce incorrect statistics, leading to poor plan choices later. 10. Improve planner's estimate of memory used by array_agg(), string_agg(), and similar aggregate functions (Hitoshi Harada) The previous drastic underestimate could lead to out-of-memory failures due to inappropriate choice of a hash-aggregation plan. 11. Fix failure to mark cached plans as transient (Tom Lane) If a plan is prepared while CREATE INDEX CONCURRENTLY is in progress for one of the referenced tables, it is supposed to be re-planned once the index is ready for use. This was not happening reliably. 12. Reduce PANIC to ERROR in some occasionally-reported btree failure cases, and provide additional detail in the resulting error messages (Tom Lane) This should improve the system's robustness with corrupted indexes. 13. Fix incorrect search logic for partial-match queries with GIN indexes (Tom Lane) Cases involving AND/OR combination of several GIN index conditions didn't always give the right answer, and were sometimes much slower than necessary. 14. Prevent show_session_authorization() from crashing within autovacuum processes (Tom Lane) 15. Defend against functions returning setof record where not all the returned rows are actually of the same rowtype (Tom Lane) 16. Fix possible corruption of pending trigger event lists during subtransaction rollback (Tom Lane) This could lead to a crash or incorrect firing of triggers. 17. Fix possible failure when hashing a pass-by-reference function result (Tao Ma, Tom Lane) 18. Improve merge join's handling of NULLs in the join columns (Tom Lane) A merge join can now stop entirely upon reaching the first NULL, if the sort order is such that NULLs sort high. 19. Take care to fsync the contents of lockfiles (both postmaster.pid and the socket lockfile) while writing them (Tom Lane) This omission could result in corrupted lockfile contents if the machine crashes shortly after postmaster start. That could in turn prevent subsequent attempts to start the postmaster from succeeding, until the lockfile is manually removed. 20. Avoid recursion while assigning XIDs to heavily-nested subtransactions (Andres Freund, Robert Haas) The original coding could result in a crash if there was limited stack space. 21. Avoid holding open old WAL segments in the walwriter process (Magnus Hagander, Heikki Linnakangas) The previous coding would prevent removal of no-longer-needed segments. 22. Fix log_line_prefix's %i escape, which could produce junk early in backend startup (Tom Lane) 23. Prevent misinterpretation of partially-specified relation options for TOAST tables (Itagaki Takahiro) In particular, fillfactor would be read as zero if any other reloption had been set for the table, leading to serious bloat. 24. Fix inheritance count tracking in ALTER TABLE ... ADD CONSTRAINT (Robert Haas) 25. Fix possible data corruption in ALTER TABLE ... SET TABLESPACE when archiving is enabled (Jeff Davis) 26. Allow CREATE DATABASE and ALTER DATABASE ... SET TABLESPACE to be interrupted by query-cancel (Guillaume Lelarge) 27. Improve CREATE INDEX's checking of whether proposed index expressions are immutable (Tom Lane) 28. Fix REASSIGN OWNED to handle operator classes and families (Asko Tiidumaa) 29. Fix possible core dump when comparing two empty tsquery values (Tom Lane) 30. Fix LIKE's handling of patterns containing % followed by _ (Tom Lane) We've fixed this before, but there were still some incorrectly-handled cases. 31. Re-allow input of Julian dates prior to 0001-01-01 AD (Tom Lane) Input such as 'J100000'::date worked before 8.4, but was unintentionally broken by added error-checking. 32. Fix PL/pgSQL to throw an error, not crash, if a cursor is closed within a FOR loop that is iterating over that cursor (Heikki Linnakangas) 33. In PL/Python, defend against null pointer results from PyCObject_AsVoidPtr and PyCObject_FromVoidPtr (Peter Eisentraut) 34. In libpq, fix full SSL certificate verification for the case where both host and hostaddr are specified (Tom Lane) 35. Make psql recognize DISCARD ALL as a command that should not be encased in a transaction block in autocommit-off mode (Itagaki Takahiro) 36. Fix some issues in pg_dump's handling of SQL/MED objects (Tom Lane) Notably, pg_dump would always fail if run by a non-superuser, which was not intended. 37. Improve parallel pg_restore's ability to cope with selective restore (-L option) (Tom Lane) The original code tended to fail if the -L file commanded a non-default restore ordering. 38. Fix ecpg to process data from RETURNING clauses correctly (Michael Meskes) 39. Fix some memory leaks in ecpg (Zoltan Boszormenyi) 40. Improve contrib/dblink's handling of tables containing dropped columns (Tom Lane) 41. Fix connection leak after "duplicate connection name" errors in contrib/dblink (Itagaki Takahiro) 42. Fix contrib/dblink to handle connection names longer than 62 bytes correctly (Itagaki Takahiro) [8.4.6] 1. Fix assorted bugs in WAL replay logic for GIN indexes (Tom Lane) This could result in "bad buffer id: 0" failures or corruption of index contents during replication. 2. Fix recovery from base backup when the starting checkpoint WAL record is not in the same WAL segment as its redo point (Jeff Davis) 3. Fix persistent slowdown of autovacuum workers when multiple workers remain active for a long time (Tom Lane) The effective vacuum_cost_limit for an autovacuum worker could drop to nearly zero if it processed enough tables, causing it to run extremely slowly. 4. Add support for detecting register-stack overrun on IA64 (Tom Lane) The IA64 architecture has two hardware stacks. Full prevention of stack-overrun failures requires checking both. 5. Add a check for stack overflow in copyObject() (Tom Lane) Certain code paths could crash due to stack overflow given a sufficiently complex query. 6. Fix detection of page splits in temporary GiST indexes (Heikki Linnakangas) It is possible to have a "concurrent" page split in a temporary index, if for example there is an open cursor scanning the index when an insertion is done. GiST failed to detect this case and hence could deliver wrong results when execution of the cursor continued. 7. Fix error checking during early connection processing (Tom Lane) The check for too many child processes was skipped in some cases, possibly leading to postmaster crash when attempting to add the new child process to fixed-size arrays. 8. Improve efficiency of window functions (Tom Lane) Certain cases where a large number of tuples needed to be read in advance, but work_mem was large enough to allow them all to be held in memory, were unexpectedly slow. percent_rank(), cume_dist() and ntile() in particular were subject to this problem. 9. Avoid memory leakage while ANALYZE'ing complex index expressions (Tom Lane) 10. Ensure an index that uses a whole-row Var still depends on its table (Tom Lane) An index declared like create index i on t (foo(t.*)) would not automatically get dropped when its table was dropped. 11. Do not "inline" a SQL function with multiple OUT parameters (Tom Lane) This avoids a possible crash due to loss of information about the expected result rowtype. 12. Behave correctly if ORDER BY, LIMIT, FOR UPDATE, or WITH is attached to the VALUES part of INSERT ... VALUES (Tom Lane) 13. Fix constant-folding of COALESCE() expressions (Tom Lane) The planner would sometimes attempt to evaluate sub-expressions that in fact could never be reached, possibly leading to unexpected errors. 14. Fix postmaster crash when connection acceptance (accept() or one of the calls made immediately after it) fails, and the postmaster was compiled with GSSAPI support (Alexander Chernikov) 15. Fix missed unlink of temporary files when log_temp_files is active (Tom Lane) If an error occurred while attempting to emit the log message, the unlink was not done, resulting in accumulation of temp files. 16. Add print functionality for InhRelation nodes (Tom Lane) This avoids a failure when debug_print_parse is enabled and certain types of query are executed. 17. Fix incorrect calculation of distance from a point to a horizontal line segment (Tom Lane) This bug affected several different geometric distance-measurement operators. 18. Fix incorrect calculation of transaction status in ecpg (Itagaki Takahiro) 19. Fix PL/pgSQL's handling of "simple" expressions to not fail in recursion or error-recovery cases (Tom Lane) 20. Fix PL/Python's handling of set-returning functions (Jan Urbanski) Attempts to call SPI functions within the iterator generating a set result would fail. 21. Fix bug in contrib/cube's GiST picksplit algorithm (Alexander Korotkov) This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a cube column. If you have such an index, consider REINDEXing it after installing this update. 22. Don't emit "identifier will be truncated" notices in contrib/dblink except when creating new connections (Itagaki Takahiro) 23. Fix potential coredump on missing public key in contrib/pgcrypto (Marti Raudsepp) 26. Fix memory leak in contrib/xml2's XPath query functions (Tom Lane) [8.4.7] 1. Avoid failures when EXPLAIN tries to display a simple-form CASE expression (Tom Lane) If the CASE's test expression was a constant, the planner could simplify the CASE into a form that confused the expression-display code, resulting in "unexpected CASE WHEN clause" errors. 2. Fix assignment to an array slice that is before the existing range of subscripts (Tom Lane) If there was a gap between the newly added subscripts and the first pre-existing subscript, the code miscalculated how many entries needed to be copied from the old array's null bitmap, potentially leading to data corruption or crash. 3. Avoid unexpected conversion overflow in planner for very distant date values (Tom Lane) The date type supports a wider range of dates than can be represented by the timestamp types, but the planner assumed it could always convert a date to timestamp with impunity. 4. Fix pg_restore's text output for large objects (BLOBs) when standard_conforming_strings is on (Tom Lane) Although restoring directly to a database worked correctly, string escaping was incorrect if pg_restore was asked for SQL text output and standard_conforming_strings had been enabled in the source database. 5. Fix erroneous parsing of tsquery values containing ... & !(subexpression) | ... (Tom Lane) Queries containing this combination of operators were not executed correctly. The same error existed in contrib/intarray's query_int type and contrib/ltree's ltxtquery type. 6. Fix buffer overrun in contrib/intarray's input function for the query_int type (Apple) This bug is a security risk since the function's return address could be overwritten. Thanks to Apple Inc's security team for reporting this issue and supplying the fix. (CVE-2010-4015) 7. Fix bug in contrib/seg's GiST picksplit algorithm (Alexander Korotkov) This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a seg column. If you have such an index, consider REINDEXing it after installing this update. (This is identical to the bug that was fixed in contrib/cube in the previous update.) [8.4.8] 1. Fix pg_upgrade's handling of TOAST tables (Bruce Momjian) The pg_class.relfrozenxid value for TOAST tables was not correctly copied into the new installation during pg_upgrade. This could later result in pg_clog files being discarded while they were still needed to validate tuples in the TOAST tables, leading to "could not access status of transaction" failures. This error poses a significant risk of data loss for installations that have been upgraded with pg_upgrade. This patch corrects the problem for future uses of pg_upgrade, but does not in itself cure the issue in installations that have been processed with a buggy version of pg_upgrade. 2. Suppress incorrect "PD_ALL_VISIBLE flag was incorrectly set" warning (Heikki Linnakangas) VACUUM would sometimes issue this warning in cases that are actually valid. 3. Disallow including a composite type in itself (Tom Lane) This prevents scenarios wherein the server could recurse infinitely while processing the composite type. While there are some possible uses for such a structure, they don't seem compelling enough to justify the effort required to make sure it always works safely. 4. Avoid potential deadlock during catalog cache initialization (Nikhil Sontakke) In some cases the cache loading code would acquire share lock on a system index before locking the index's catalog. This could deadlock against processes trying to acquire exclusive locks in the other, more standard order. 5. Fix dangling-pointer problem in BEFORE ROW UPDATE trigger handling when there was a concurrent update to the target tuple (Tom Lane) This bug has been observed to result in intermittent "cannot extract system attribute from virtual tuple" failures while trying to do UPDATE RETURNING ctid. There is a very small probability of more serious errors, such as generating incorrect index entries for the updated tuple. 6. Disallow DROP TABLE when there are pending deferred trigger events for the table (Tom Lane) Formerly the DROP would go through, leading to "could not open relation with OID nnn" errors when the triggers were eventually fired. 7. Prevent crash triggered by constant-false WHERE conditions during GEQO optimization (Tom Lane) 8. Fix selectivity estimation for text search to account for NULLs (Jesper Krogh) 9. Improve PL/pgSQL's ability to handle row types with dropped columns (Pavel Stehule) This is a back-patch of fixes previously made in 9.0. 10. Fix PL/Python memory leak involving array slices (Daniel Popowich) 11. Fix pg_restore to cope with long lines (over 1KB) in TOC files (Tom Lane) 12. Put in more safeguards against crashing due to division-by-zero with overly enthusiastic compiler optimization (Aurelien Jarno) [9.0.1] 1. Use a separate interpreter for each calling SQL userid in PL/Perl and PL/Tcl (Tom Lane) This change prevents security problems that can be caused by subverting Perl or Tcl code that will be executed later in the same session under another SQL user identity (for example, within a SECURITY DEFINER function). Most scripting languages offer numerous ways that that might be done, such as redefining standard functions or operators called by the target function. Without this change, any SQL user with Perl or Tcl language usage rights can do essentially anything with the SQL privileges of the target function's owner. The cost of this change is that intentional communication among Perl and Tcl functions becomes more difficult. To provide an escape hatch, PL/PerlU and PL/TclU functions continue to use only one interpreter per session. This is not considered a security issue since all such functions execute at the trust level of a database superuser already. It is likely that third-party procedural languages that claim to offer trusted execution have similar security issues. We advise contacting the authors of any PL you are depending on for security-critical purposes. Our thanks to Tim Bunce for pointing out this issue (CVE-2010-3433). 2. Improve pg_get_expr() security fix so that the function can still be used on the output of a sub-select (Tom Lane) 3. Fix incorrect placement of placeholder evaluation (Tom Lane) This bug could result in query outputs being non-null when they should be null, in cases where the inner side of an outer join is a sub-select with non-strict expressions in its output list. 4. Fix join removal's handling of placeholder expressions (Tom Lane) 5. Fix possible duplicate scans of UNION ALL member relations (Tom Lane) 6. Prevent infinite loop in ProcessIncomingNotify() after unlistening (Jeff Davis) 7. Prevent show_session_authorization() from crashing within autovacuum processes (Tom Lane) 8. Re-allow input of Julian dates prior to 0001-01-01 AD (Tom Lane) Input such as 'J100000'::date worked before 8.4, but was unintentionally broken by added error-checking. 9. Make psql recognize DISCARD ALL as a command that should not be encased in a transaction block in autocommit-off mode (Itagaki Takahiro) [9.0.2] 1. Fix "too many KnownAssignedXids" error during Hot Standby replay (Heikki Linnakangas) 2. Fix race condition in lock acquisition during Hot Standby (Simon Riggs) 3. Avoid unnecessary conflicts during Hot Standby (Simon Riggs) This fixes some cases where replay was considered to conflict with standby queries (causing delay of replay or possibly cancellation of the queries), but there was no real conflict. 4. Fix assorted bugs in WAL replay logic for GIN indexes (Tom Lane) This could result in "bad buffer id: 0" failures or corruption of index contents during replication. 5. Fix recovery from base backup when the starting checkpoint WAL record is not in the same WAL segment as its redo point (Jeff Davis) 6. Fix corner-case bug when streaming replication is enabled immediately after creating the master database cluster (Heikki Linnakangas) 7. Fix persistent slowdown of autovacuum workers when multiple workers remain active for a long time (Tom Lane) The effective vacuum_cost_limit for an autovacuum worker could drop to nearly zero if it processed enough tables, causing it to run extremely slowly. 8. Fix long-term memory leak in autovacuum launcher (Alvaro Herrera) 9. Avoid failure when trying to report an impending transaction wraparound condition from outside a transaction (Tom Lane) This oversight prevented recovery after transaction wraparound got too close, because database startup processing would fail. 10. Add support for detecting register-stack overrun on IA64 (Tom Lane) The IA64 architecture has two hardware stacks. Full prevention of stack-overrun failures requires checking both. 11. Add a check for stack overflow in copyObject() (Tom Lane) Certain code paths could crash due to stack overflow given a sufficiently complex query. 12. Fix detection of page splits in temporary GiST indexes (Heikki Linnakangas) It is possible to have a "concurrent" page split in a temporary index, if for example there is an open cursor scanning the index when an insertion is done. GiST failed to detect this case and hence could deliver wrong results when execution of the cursor continued. 13. Fix error checking during early connection processing (Tom Lane) The check for too many child processes was skipped in some cases, possibly leading to postmaster crash when attempting to add the new child process to fixed-size arrays. 14. Improve efficiency of window functions (Tom Lane) Certain cases where a large number of tuples needed to be read in advance, but work_mem was large enough to allow them all to be held in memory, were unexpectedly slow. percent_rank(), cume_dist() and ntile() in particular were subject to this problem. 15. Avoid memory leakage while ANALYZE'ing complex index expressions (Tom Lane) 16. Ensure an index that uses a whole-row Var still depends on its table (Tom Lane) An index declared like create index i on t (foo(t.*)) would not automatically get dropped when its table was dropped. 17. Add missing support in DROP OWNED BY for removing foreign data wrapper/server privileges belonging to a user (Heikki Linnakangas) 18. Do not "inline" a SQL function with multiple OUT parameters (Tom Lane) This avoids a possible crash due to loss of information about the expected result rowtype. 19. Fix crash when inline-ing a set-returning function whose argument list contains a reference to an inline-able user function (Tom Lane) 20. Behave correctly if ORDER BY, LIMIT, FOR UPDATE, or WITH is attached to the VALUES part of INSERT ... VALUES (Tom Lane) 21. Make the OFF keyword unreserved (Heikki Linnakangas) This prevents problems with using off as a variable name in PL/pgSQL. That worked before 9.0, but was now broken because PL/pgSQL now treats all core reserved words as reserved. 22. Fix constant-folding of COALESCE() expressions (Tom Lane) The planner would sometimes attempt to evaluate sub-expressions that in fact could never be reached, possibly leading to unexpected errors. 23. Fix "could not find pathkey item to sort" planner failure with comparison of whole-row Vars (Tom Lane) 24. Fix postmaster crash when connection acceptance (accept() or one of the calls made immediately after it) fails, and the postmaster was compiled with GSSAPI support (Alexander Chernikov) 25. Retry after receiving an invalid response packet from a RADIUS authentication server (Magnus Hagander) This fixes a low-risk potential denial of service condition. 26. Fix missed unlink of temporary files when log_temp_files is active (Tom Lane) If an error occurred while attempting to emit the log message, the unlink was not done, resulting in accumulation of temp files. 27. Add print functionality for InhRelation nodes (Tom Lane) This avoids a failure when debug_print_parse is enabled and certain types of query are executed. 28. Fix incorrect calculation of distance from a point to a horizontal line segment (Tom Lane) This bug affected several different geometric distance-measurement operators. 29. Fix incorrect calculation of transaction status in ecpg (Itagaki Takahiro) 30. Fix errors in psql's Unicode-escape support (Tom Lane) 31. Fix PL/pgSQL's handling of "simple" expressions to not fail in recursion or error-recovery cases (Tom Lane) 32. Fix PL/pgSQL's error reporting for no-such-column cases (Tom Lane) As of 9.0, it would sometimes report "missing FROM-clause entry for table foo" when "record foo has no field bar" would be more appropriate. 33. Fix PL/Python to honor typmod (i.e., length or precision restrictions) when assigning to tuple fields (Tom Lane) This fixes a regression from 8.4. 34. Fix PL/Python's handling of set-returning functions (Jan Urbanski) Attempts to call SPI functions within the iterator generating a set result would fail. 35. Fix bug in contrib/cube's GiST picksplit algorithm (Alexander Korotkov) This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a cube column. If you have such an index, consider REINDEXing it after installing this update. 36. Don't emit "identifier will be truncated" notices in contrib/dblink except when creating new connections (Itagaki Takahiro) 37. Fix potential coredump on missing public key in contrib/pgcrypto (Marti Raudsepp) 38. Fix buffer overrun in contrib/pg_upgrade (Hernan Gonzalez) 39. Fix memory leak in contrib/xml2's XPath query functions (Tom Lane) [9.0.3] 1. Before exiting walreceiver, ensure all the received WAL is fsync'd to disk (Heikki Linnakangas) Otherwise the standby server could replay some un-synced WAL, conceivably leading to data corruption if the system crashes just at that point. 2. Avoid excess fsync activity in walreceiver (Heikki Linnakangas) 3. Make ALTER TABLE revalidate uniqueness and exclusion constraints when needed (Noah Misch) This was broken in 9.0 by a change that was intended to suppress revalidation during VACUUM FULL and CLUSTER, but unintentionally affected ALTER TABLE as well. 4. Fix EvalPlanQual for UPDATE of an inheritance tree in which the tables are not all alike (Tom Lane) Any variation in the table row types (including dropped columns present in only some child tables) would confuse the EvalPlanQual code, leading to misbehavior or even crashes. Since EvalPlanQual is only executed during concurrent updates to the same row, the problem was only seen intermittently. 5. Avoid failures when EXPLAIN tries to display a simple-form CASE expression (Tom Lane) If the CASE's test expression was a constant, the planner could simplify the CASE into a form that confused the expression-display code, resulting in "unexpected CASE WHEN clause" errors. 6. Fix assignment to an array slice that is before the existing range of subscripts (Tom Lane) If there was a gap between the newly added subscripts and the first pre-existing subscript, the code miscalculated how many entries needed to be copied from the old array's null bitmap, potentially leading to data corruption or crash. 7. Avoid unexpected conversion overflow in planner for very distant date values (Tom Lane) The date type supports a wider range of dates than can be represented by the timestamp types, but the planner assumed it could always convert a date to timestamp with impunity. 8. Fix PL/Python crash when an array contains null entries (Alex Hunsaker) 9. Remove ecpg's fixed length limit for constants defining an array dimension (Michael Meskes) 10. Fix erroneous parsing of tsquery values containing ... & !(subexpression) | ... (Tom Lane) Queries containing this combination of operators were not executed correctly. The same error existed in contrib/intarray's query_int type and contrib/ltree's ltxtquery type. 11. Fix buffer overrun in contrib/intarray's input function for the query_int type (Apple) This bug is a security risk since the function's return address could be overwritten. Thanks to Apple Inc's security team for reporting this issue and supplying the fix. (CVE-2010-4015) 12. Fix bug in contrib/seg's GiST picksplit algorithm (Alexander Korotkov) This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a seg column. If you have such an index, consider REINDEXing it after installing this update. (This is identical to the bug that was fixed in contrib/cube in the previous update.) [9.0.4] 1. Fix pg_upgrade's handling of TOAST tables (Bruce Momjian) The pg_class.relfrozenxid value for TOAST tables was not correctly copied into the new installation during pg_upgrade. This could later result in pg_clog files being discarded while they were still needed to validate tuples in the TOAST tables, leading to "could not access status of transaction" failures. This error poses a significant risk of data loss for installations that have been upgraded with pg_upgrade. This patch corrects the problem for future uses of pg_upgrade, but does not in itself cure the issue in installations that have been processed with a buggy version of pg_upgrade. 2. Suppress incorrect "PD_ALL_VISIBLE flag was incorrectly set" warning (Heikki Linnakangas) VACUUM would sometimes issue this warning in cases that are actually valid. 3. Prevent intermittent hang in interactions of startup process with bgwriter process (Simon Riggs) This affected recovery in non-hot-standby cases. 4. Disallow including a composite type in itself (Tom Lane) This prevents scenarios wherein the server could recurse infinitely while processing the composite type. While there are some possible uses for such a structure, they don't seem compelling enough to justify the effort required to make sure it always works safely. 5. Avoid potential deadlock during catalog cache initialization (Nikhil Sontakke) In some cases the cache loading code would acquire share lock on a system index before locking the index's catalog. This could deadlock against processes trying to acquire exclusive locks in the other, more standard order. 6. Fix dangling-pointer problem in BEFORE ROW UPDATE trigger handling when there was a concurrent update to the target tuple (Tom Lane) This bug has been observed to result in intermittent "cannot extract system attribute from virtual tuple" failures while trying to do UPDATE RETURNING ctid. There is a very small probability of more serious errors, such as generating incorrect index entries for the updated tuple. 7. Disallow DROP TABLE when there are pending deferred trigger events for the table (Tom Lane) Formerly the DROP would go through, leading to "could not open relation with OID nnn" errors when the triggers were eventually fired. 8. Allow "replication" as a user name in pg_hba.conf (Andrew Dunstan) "replication" is special in the database name column, but it was mistakenly also treated as special in the user name column. 9. Prevent crash triggered by constant-false WHERE conditions during GEQO optimization (Tom Lane) 10. Improve planner's handling of semi-join and anti-join cases (Tom Lane) 11. Fix handling of SELECT FOR UPDATE in a sub-SELECT (Tom Lane) This bug typically led to "cannot extract system attribute from virtual tuple" errors. 12. Fix selectivity estimation for text search to account for NULLs (Jesper Krogh) 13. Fix get_actual_variable_range() to support hypothetical indexes injected by an index adviser plugin (Gurjeet Singh) 14. Fix PL/Python memory leak involving array slices (Daniel Popowich) 15. Allow libpq's SSL initialization to succeed when user's home directory is unavailable (Tom Lane) If the SSL mode is such that a root certificate file is not required, there is no need to fail. This change restores the behavior to what it was in pre-9.0 releases. 16. Fix libpq to return a useful error message for errors detected in conninfo_array_parse (Joseph Adams) A typo caused the library to return NULL, rather than the PGconn structure containing the error message, to the application. 17. Fix ecpg preprocessor's handling of float constants (Heikki Linnakangas) 18. Fix parallel pg_restore to handle comments on POST_DATA items correctly (Arnd Hannemann) 19. Fix pg_restore to cope with long lines (over 1KB) in TOC files (Tom Lane) 20. Put in more safeguards against crashing due to division-by-zero with overly enthusiastic compiler optimization (Aurelien Jarno) 21. Avoid crash when trying to write to the Windows console very early in process startup (Rushabh Lathia)