Release date: 2018-08-09
This release contains a variety of fixes from 10.4. For information about new features in major release 10, see Section E.7.
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.4, see Section E.3.
Fix failure to reset libpq's state fully between connection attempts (Tom Lane)
An unprivileged user of dblink or postgres_fdw could bypass the checks intended to prevent use of server-side credentials, such as a ~/.pgpass file owned by the operating-system user running the server. Servers allowing peer authentication on local connections are particularly vulnerable. Other attacks such as SQL injection into a postgres_fdw session are also possible. Attacking postgres_fdw in this way requires the ability to create a foreign server object with selected connection parameters, but any user with access to dblink could exploit the problem. In general, an attacker with the ability to select the connection parameters for a libpq-using application could cause mischief, though other plausible attack scenarios are harder to think of. Our thanks to Andrew Krasichkov for reporting this issue. (CVE-2018-10915)
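An exposure audit for the entry above, as an added example that is not part of the release notes: it lists which non-superuser roles can reach dblink or create postgres_fdw servers, and which foreign servers already exist. The choice of dblink function names to check and the column aliases are assumptions of this example.

```sql
-- Added audit example; run in every database, because extensions and
-- foreign servers are per-database objects.

-- 1. On a 10.X server, 100005 or higher means the server binaries are 10.5+.
SELECT current_setting('server_version_num')::int >= 100005 AS at_least_10_5;

-- 2. Non-superuser roles allowed to call dblink functions that accept a
--    connection string (function list chosen for this example).
SELECT r.rolname, p.oid::regprocedure AS dblink_function
FROM pg_proc AS p
JOIN pg_depend AS d
  ON d.classid = 'pg_proc'::regclass AND d.objid = p.oid AND d.deptype = 'e'
JOIN pg_extension AS e
  ON d.refclassid = 'pg_extension'::regclass AND d.refobjid = e.oid
CROSS JOIN pg_roles AS r
WHERE e.extname = 'dblink'
  AND p.proname IN ('dblink_connect', 'dblink_connect_u', 'dblink', 'dblink_exec')
  AND NOT r.rolsuper
  AND has_function_privilege(r.oid, p.oid, 'EXECUTE')
ORDER BY r.rolname, p.proname;

-- 3. Non-superuser roles with USAGE on the postgres_fdw wrapper, which is
--    the privilege CREATE SERVER requires.
SELECT r.rolname
FROM pg_foreign_data_wrapper AS w
CROSS JOIN pg_roles AS r
WHERE w.fdwname = 'postgres_fdw'
  AND NOT r.rolsuper
  AND has_foreign_data_wrapper_privilege(r.oid, w.oid, 'USAGE')
ORDER BY r.rolname;

-- 4. Existing postgres_fdw servers, their owners and connection options,
--    for review of who chose which parameters.
SELECT s.srvname,
       pg_get_userbyid(s.srvowner) AS owner,
       s.srvoptions
FROM pg_foreign_server AS s
JOIN pg_foreign_data_wrapper AS w ON w.oid = s.srvfdw
WHERE w.fdwname = 'postgres_fdw'
ORDER BY s.srvname;
```

EXECUTE on functions is granted to PUBLIC by default, so query 2 normally returns every role for the dblink functions unless that grant has been revoked.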
Fix INSERT ... ON CONFLICT UPDATE through a view that isn't just SELECT * FROM ... (Dean Rasheed, Amit Langote)
Erroneous expansion of an updatable view could lead to crashes or “attribute ... has the wrong type” errors, if the view's SELECT list doesn't match one-to-one with the underlying table's columns. Furthermore, this bug could be leveraged to allow updates of columns that an attacking user lacks UPDATE privilege for, if that user has INSERT and UPDATE privileges for some other column(s) of the table. Any user could also use it for disclosure of server memory. (CVE-2018-10925)
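To see where column-level privileges are actually relied on, the following added example (not part of the release notes) lists role and table pairs that match the precondition described above: the role can INSERT, and can UPDATE some but not all columns. The column aliases are assumptions of this example.

```sql
-- Added audit example; run in every database on a server still below 10.5.
-- Reports non-superuser roles that hold INSERT on a table (or on any of its
-- columns) and UPDATE on a strict subset of its columns. These are the
-- tables whose column-level UPDATE restrictions the fixed bug could bypass.
SELECT r.rolname,
       c.oid::regclass AS table_name,
       count(*) FILTER (
           WHERE has_column_privilege(r.oid, c.oid, a.attnum, 'UPDATE')
       ) AS updatable_columns,
       count(*) AS total_columns
FROM pg_class AS c
JOIN pg_namespace AS n ON n.oid = c.relnamespace
JOIN pg_attribute AS a
  ON a.attrelid = c.oid
 AND a.attnum > 0            -- skip system columns
 AND NOT a.attisdropped
CROSS JOIN pg_roles AS r
WHERE c.relkind IN ('r', 'p')  -- ordinary and partitioned tables
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT r.rolsuper
  AND has_any_column_privilege(r.oid, c.oid, 'INSERT')
GROUP BY r.rolname, c.oid
HAVING count(*) FILTER (
           WHERE has_column_privilege(r.oid, c.oid, a.attnum, 'UPDATE')
       ) BETWEEN 1 AND count(*) - 1
ORDER BY r.rolname, c.oid::regclass::text;
```

The privilege functions take role membership into account, so a role that inherits a partial grant through a group role is reported as well.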
Ensure that updates to the relfrozenxid and relminmxid values for “nailed” system catalogs are processed in a timely fashion (Andres Freund)
Overoptimistic caching rules could prevent these updates from being seen by other sessions, leading to spurious errors and/or data corruption. The problem was significantly worse for shared catalogs, such as pg_authid, because the stale cache data could persist into new sessions as well as existing ones.
Fix case where a freshly-promoted standby crashes before having completed its first post-recovery checkpoint (Michael Paquier, Kyotaro Horiguchi, Pavan Deolasee, Álvaro Herrera)
This led to a situation where the server did not think it had reached a consistent database state during subsequent WAL replay, preventing restart.
Avoid emitting a bogus WAL record when recycling an all-zero btree page (Amit Kapila)
This mistake has been seen to cause assertion failures, and potentially it could result in unnecessary query cancellations on hot standby servers.
During WAL replay, guard against corrupted record lengths exceeding 1GB (Michael Paquier)
Treat such a case as corrupt data. Previously, the code would try to allocate space and get a hard error, making recovery impossible.
When ending recovery, delay writing the timeline history file as long as possible (Heikki Linnakangas)
This avoids some situations where a failure during recovery cleanup (such as a problem with a two-phase state file) led to inconsistent timeline state on-disk.
Improve performance of WAL replay for transactions that drop many relations (Fujii Masao)
This change reduces the number of times that shared buffers are scanned, so that it is of most benefit when that setting is large.
Improve performance of lock releasing in standby server WAL replay (Thomas Munro)
Make logical WAL senders report streaming state correctly (Simon Riggs, Sawada Masahiko)
The code previously mis-detected whether or not it had caught up with the upstream server.
Ensure that a snapshot is provided when executing data type input functions in logical replication subscribers (Minh-Quan Tran, Álvaro Herrera)
This omission led to failures in some cases, such as domains with constraints using SQL-language functions.
Fix bugs in snapshot handling during logical decoding, allowing wrong decoding results in rare cases (Arseny Sher, Álvaro Herrera)
Add subtransaction handling in logical-replication table synchronization workers (Amit Khandekar, Robert Haas)
Previously, table synchronization could misbehave if any subtransactions were aborted after modifying a table being synchronized.
Ensure a table's cached index list is correctly rebuilt after an index creation fails partway through (Peter Geoghegan)
Previously, the failed index's OID could remain in the list, causing problems later in the same session.
Fix mishandling of empty uncompressed posting list pages in GIN indexes (Sivasubramanian Ramasubramanian, Alexander Korotkov)
This could result in an assertion failure after pg_upgrade of a pre-9.4 GIN index (9.4 and later will not create such pages).
Pad arrays of unnamed POSIX semaphores to reduce cache line sharing (Thomas Munro)
This reduces contention on many-CPU systems, fixing a performance regression (compared to previous releases) on Linux and FreeBSD.
Ensure that a process doing a parallel index scan will respond to signals (Amit Kapila)
Previously, parallel workers could get stuck waiting for a lock on an index page, and not notice requests to abort the query.
Ensure that VACUUM will respond to signals within btree page deletion loops (Andres Freund)
Corrupted btree indexes could result in an infinite loop here, and that previously wasn't interruptible without forcing a crash.
Fix hash-join costing mistake introduced with inner_unique optimization (David Rowley)
This could lead to bad plan choices in situations where that optimization was applicable.
Fix misoptimization of equivalence classes involving composite-type columns (Tom Lane)
This resulted in failure to recognize that an index on a composite column could provide the sort order needed for a mergejoin on that column.
Fix planner to avoid “ORDER/GROUP BY expression not found in targetlist” errors in some queries with set-returning functions (Tom Lane)
Fix handling of partition keys whose data type uses a polymorphic btree operator class, such as arrays (Amit Langote, Álvaro Herrera)
Fix SQL-standard FETCH FIRST syntax to allow parameters ($n), as the standard expects (Andrew Gierth)
Remove undocumented restriction against duplicate partition key columns (Yugo Nagata)
Disallow temporary tables from being partitions of non-temporary tables (Amit Langote, Michael Paquier)
While previously allowed, this case didn't work reliably.
Fix EXPLAIN's accounting for resource usage, particularly buffer accesses, in parallel workers (Amit Kapila, Robert Haas)
Fix SHOW ALL to show all settings to roles that are members of pg_read_all_settings, and also allow such roles to see source filename and line number in the pg_settings view (Laurenz Albe, Álvaro Herrera)
Fix failure to schema-qualify some object names in getObjectDescription and getObjectIdentity output (Kyotaro Horiguchi, Tom Lane)
Names of collations, conversions, text search objects, publication relations, and extended statistics objects were not schema-qualified when they should be.
Fix CREATE AGGREGATE type checking so that parallelism support functions can be attached to variadic aggregates (Alexey Bashtanov)
Widen COPY FROM's current-line-number counter from 32 to 64 bits (David Rowley)
This avoids two problems with input exceeding 4G lines: COPY FROM WITH HEADER would drop a line every 4G lines, not only the first line, and error reports could show a wrong line number.
Allow replication slots to be dropped in single-user mode (Álvaro Herrera)
This use-case was accidentally broken in release 10.0.
Fix incorrect results from variance(int4) and related aggregates when run in parallel aggregation mode (David Rowley)
Process TEXT and CDATA nodes correctly in xmltable() column expressions (Markus Winand)
Cope with possible failure of OpenSSL's RAND_bytes() function (Dean Rasheed, Michael Paquier)
Under rare circumstances, this oversight could result in “could not generate random cancel key” failures that could only be resolved by restarting the postmaster.
Fix libpq's handling of some cases where hostaddr is specified (Hari Babu, Tom Lane, Robert Haas)
PQhost() gave misleading or incorrect results in some cases. Now, it uniformly returns the host name if specified, or the host address if only that is specified, or the default host name (typically /tmp or localhost) if both parameters are omitted.
Also, the wrong value might be compared to the server name when verifying an SSL certificate.
Also, the wrong value might be compared to the host name field in ~/.pgpass. Now, that field is compared to the host name if specified, or the host address if only that is specified, or localhost if both parameters are omitted.
Also, an incorrect error message was reported for an unparseable hostaddr value.
Also, when the host, hostaddr, or port parameters contain comma-separated lists, libpq is now more careful to treat empty elements of a list as selecting the default behavior.
Add a string freeing function to ecpg's pgtypes library, so that cross-module memory management problems can be avoided on Windows (Takayuki Tsunakawa)
On Windows, crashes can ensue if the free call for a given chunk of memory is not made from the same DLL that malloc'ed the memory. The pgtypes library sometimes returns strings that it expects the caller to free, making it impossible to follow this rule. Add a PGTYPESchar_free() function that just wraps free, allowing applications to follow this rule.
Fix ecpg's support for long long variables on Windows, as well as other platforms that declare strtoll/strtoull nonstandardly or not at all (Dang Minh Huong, Tom Lane)
Fix misidentification of SQL statement type in PL/pgSQL, when a rule change causes a change in the semantics of a statement intra-session (Tom Lane)
This error led to assertion failures, or in rare cases, failure to enforce the INTO STRICT option as expected.
Fix password prompting in client programs so that echo is properly disabled on Windows when stdin is not the terminal (Matthew Stickney)
Further fix mis-quoting of values for list-valued GUC variables in dumps (Tom Lane)
The previous fix for quoting of search_path and other list-valued variables in pg_dump output turned out to misbehave for empty-string list elements, and it risked truncation of long file paths.
Fix pg_dump's failure to dump REPLICA IDENTITY properties for constraint indexes (Tom Lane)
Manually created unique indexes were properly marked, but not those created by declaring UNIQUE or PRIMARY KEY constraints.
Make pg_upgrade check that the old server was shut down cleanly (Bruce Momjian)
The previous check could be fooled by an immediate-mode shutdown.
Fix contrib/hstore_plperl to look through Perl scalar references, and to not crash if it doesn't find a hash reference where it expects one (Tom Lane)
Fix crash in contrib/ltree's lca() function when the input array is empty (Pierre Ducroquet)
Fix various error-handling code paths in which an incorrect error code might be reported (Michael Paquier, Tom Lane, Magnus Hagander)
Rearrange makefiles to ensure that programs link to freshly-built libraries (such as libpq.so) rather than ones that might exist in the system library directories (Tom Lane)
This avoids problems when building on platforms that supply old copies of PostgreSQL libraries.
Update time zone data files to tzdata release 2018e for DST law changes in North Korea, plus historical corrections for Czechoslovakia.
This update includes a redefinition of “daylight savings” in Ireland, as well as for some past years in Namibia and Czechoslovakia. In those jurisdictions, legally standard time is observed in summer, and daylight savings time in winter, so that the daylight savings offset is one hour behind standard time not one hour ahead. This does not affect either the actual UTC offset or the timezone abbreviations in use; the only known effect is that the is_dst column in the pg_timezone_names view will now be true in winter and false in summer in these cases.