Release date: 2018-03-01
This release contains a variety of fixes from 9.5.11. For information about new features in the 9.5 major release, see Section E.33.
A dump/restore is not required for those running 9.5.X.
However, if you run an installation in which not all users are mutually trusting, or if you maintain an application or extension that is intended for use in arbitrary situations, it is strongly recommended that you read the documentation changes described in the first changelog entry below, and take suitable steps to ensure that your installation or code is secure.
Also, the changes described in the second changelog entry below may cause functions used in index expressions or materialized views to fail during auto-analyze, or when reloading from a dump. After upgrading, monitor the server logs for such problems, and fix affected functions.
Also, if you are upgrading from a version earlier than 9.5.10, see Section E.23.
Document how to configure installations and applications to guard against search-path-dependent trojan-horse attacks from other users (Noah Misch)
Using a search_path
setting that includes any
schemas writable by a hostile user enables that user to capture
control of queries and then run arbitrary SQL code with the
permissions of the attacked user. While it is possible to write
queries that are proof against such hijacking, it is notationally
tedious, and it's very easy to overlook holes. Therefore, we now
recommend configurations in which no untrusted schemas appear in
one's search path. Relevant documentation appears in
Section 5.8.6 (for database administrators and users),
Section 34.1 (for application authors),
Section 38.16.1 (for extension authors), and
CREATE FUNCTION (for authors
of SECURITY DEFINER
functions).
(CVE-2018-1058)
Avoid use of insecure search_path
settings
in pg_dump and other client programs
(Noah Misch, Tom Lane)
pg_dump,
pg_upgrade,
vacuumdb and
other PostgreSQL-provided applications were
themselves vulnerable to the type of hijacking described in the previous
changelog entry; since these applications are commonly run by
superusers, they present particularly attractive targets. To make them
secure whether or not the installation as a whole has been secured,
modify them to include only the pg_catalog
schema in their search_path
settings.
Autovacuum worker processes now do the same, as well.
In cases where user-provided functions are indirectly executed by
these programs — for example, user-provided functions in index
expressions — the tighter search_path
may
result in errors, which will need to be corrected by adjusting those
user-provided functions to not assume anything about what search path
they are invoked under. That has always been good practice, but now
it will be necessary for correct behavior.
(CVE-2018-1058)
Fix misbehavior of concurrent-update rechecks with CTE references appearing in subplans (Tom Lane)
If a CTE (WITH
clause reference) is used in an
InitPlan or SubPlan, and the query requires a recheck due to trying
to update or lock a concurrently-updated row, incorrect results could
be obtained.
Fix planner failures with overlapping mergejoin clauses in an outer join (Tom Lane)
These mistakes led to “left and right pathkeys do not match in mergejoin” or “outer pathkeys do not match mergeclauses” planner errors in corner cases.
Repair pg_upgrade's failure to
preserve relfrozenxid
for materialized
views (Tom Lane, Andres Freund)
This oversight could lead to data corruption in materialized views
after an upgrade, manifesting as “could not access status of
transaction” or “found xmin from before
relfrozenxid” errors. The problem would be more likely to
occur in seldom-refreshed materialized views, or ones that were
maintained only with REFRESH MATERIALIZED VIEW
CONCURRENTLY
.
If such corruption is observed, it can be repaired by refreshing the
materialized view (without CONCURRENTLY
).
Fix incorrect reporting of PL/Python function names in
error CONTEXT
stacks (Tom Lane)
An error occurring within a nested PL/Python function call (that is,
one reached via a SPI query from another PL/Python function) would
result in a stack trace showing the inner function's name twice,
rather than the expected results. Also, an error in a nested
PL/Python DO
block could result in a null pointer
dereference crash on some platforms.
Allow contrib/auto_explain
's
log_min_duration
setting to range up
to INT_MAX
, or about 24 days instead of 35 minutes
(Tom Lane)