Disable abbreviated keys for string sorting in non-C locales (Robert Haas)

PostgreSQL 9.5 introduced logic for speeding up comparisons of string data types by using the standard C library function strxfrm() as a substitute for strcoll(). It now emerges that most versions of glibc (Linux's implementation of the C library) have buggy implementations of strxfrm() that, in some locales, can produce string comparison results that do not match strcoll(). Until this problem can be better characterized, disable the optimization in all non-C locales. (C locale is safe since it uses neither strcoll() nor strxfrm().)

Unfortunately, this problem affects not only sorting but also entry ordering in B-tree indexes, which means that B-tree indexes on text, varchar, or char columns may now be corrupt if they sort according to an affected locale and were built or modified under PostgreSQL 9.5.0 or 9.5.1. Users should REINDEX indexes that might be affected.

It is not possible at this time to give an exhaustive list of known-affected locales. C locale is known safe, and there is no evidence of trouble in English-based locales such as en_US, but some other popular locales such as de_DE are affected in most glibc versions.

Maintain row-security status properly in cached plans (Stephen Frost)

In a session that performs queries as more than one role, the plan cache might incorrectly re-use a plan that was generated for another role ID, thus possibly applying the wrong set of policies when row-level security (RLS) is in use. (CVE-2016-2193)

Add must-be-superuser checks to some new contrib/pageinspect functions (Andreas Seltenreich)

Most functions in the pageinspect extension that inspect bytea values disallow calls by non-superusers, but brin_page_type() and brin_metapage_info() failed to do so. Passing contrived bytea values to them might crash the server or disclose a few bytes of server memory. Add the missing permissions checks to prevent misuse. (CVE-2016-3065)

Fix incorrect handling of indexed ROW() comparisons (Simon Riggs)

Flaws in a minor optimization introduced in 9.5 caused incorrect results if the ROW() comparison matches the index ordering partially but not exactly (for example, differing column order, or the index contains both ASC and DESC columns). Pending a better solution, the optimization has been removed.

Fix incorrect handling of NULL index entries in indexed ROW() comparisons (Tom Lane)

An index search using a row comparison such as ROW(a, b) > ROW('x', 'y') would stop upon reaching a NULL entry in the b column, ignoring the fact that there might be non-NULL b values associated with later values of a.

Avoid unlikely data-loss scenarios due to renaming files without adequate fsync() calls before and after (Michael Paquier, Tomas Vondra, Andres Freund)

Fix incorrect behavior when rechecking a just-modified row in a query that does SELECT FOR UPDATE/SHARE and contains some relations that need not be locked (Tom Lane)

Rows from non-locked relations were incorrectly treated as containing all NULLs during the recheck, which could result in incorrectly deciding that the updated row no longer passes the WHERE condition, or in incorrectly outputting NULLs.

Fix bug in json_to_record() when a field of its input object contains a sub-object with a field name matching one of the requested output column names (Tom Lane)

Fix nonsense result from two-argument form of jsonb_object() when called with empty arrays (Michael Paquier, Andrew Dunstan)

Fix misbehavior in jsonb_set() when converting a path array element into an integer for use as an array subscript (Michael Paquier)

Fix misformatting of negative time zone offsets by to_char()'s OF format code (Thomas Munro, Tom Lane)

Fix possible incorrect logging of waits done by INSERT ... ON CONFLICT (Peter Geoghegan)

Log messages would sometimes claim that the wait was due to an exclusion constraint although no such constraint was responsible.

Ignore recovery_min_apply_delay parameter until recovery has reached a consistent state (Michael Paquier)

Previously, standby servers would delay application of WAL records in response to recovery_min_apply_delay even while replaying the initial portion of WAL needed to make their database state valid. Since the standby is useless until it's reached a consistent database state, this was deemed unhelpful.

Correctly handle cases where pg_subtrans is close to XID wraparound during server startup (Jeff Janes)

Fix assorted bugs in logical decoding (Andres Freund)

Trouble cases included tuples larger than one page when replica identity is FULL, UPDATEs that change a primary key within a transaction large enough to be spooled to disk, incorrect reports of “subxact logged without previous toplevel record”, and incorrect reporting of a transaction's commit time.

Fix planner error with nested security barrier views when the outer view has a WHERE clause containing a correlated subquery (Dean Rasheed)

Fix memory leak in GIN index searches (Tom Lane)

Fix corner-case crash due to trying to free localeconv() output strings more than once (Tom Lane)

Fix parsing of affix files for ispell dictionaries (Tom Lane)

The code could go wrong if the affix file contained any characters whose byte length changes during case-folding, for example I in Turkish UTF8 locales.

Avoid use of sscanf() to parse ispell dictionary files (Artur Zakirov)

This dodges a portability problem on FreeBSD-derived platforms (including macOS).

Fix atomic-operations code used on PPC with IBM's xlc compiler (Noah Misch)

This error led to rare failures of concurrent operations on that platform.

Avoid a crash on old Windows versions (before 7SP1/2008R2SP1) with an AVX2-capable CPU and a Postgres build done with Visual Studio 2013 (Christian Ullrich)

This is a workaround for a bug in Visual Studio 2013's runtime library, which Microsoft have stated they will not fix in that version.

Fix psql's tab completion logic to handle multibyte characters properly (Kyotaro Horiguchi, Robert Haas)

Fix psql's tab completion for SECURITY LABEL (Tom Lane)

Pressing TAB after SECURITY LABEL might cause a crash or offering of inappropriate keywords.

Make pg_ctl accept a wait timeout from the PGCTLTIMEOUT environment variable, if none is specified on the command line (Noah Misch)

This eases testing of slower buildfarm members by allowing them to globally specify a longer-than-normal timeout for postmaster startup and shutdown.

Fix incorrect test for Windows service status in pg_ctl (Manuel Mathar)

The previous set of minor releases attempted to fix pg_ctl to properly determine whether to send log messages to Window's Event Log, but got the test backwards.

Fix pgbench to correctly handle the combination of -C and -M prepared options (Tom Lane)

In pg_upgrade, skip creating a deletion script when the new data directory is inside the old data directory (Bruce Momjian)

Blind application of the script in such cases would result in loss of the new data directory.

In PL/Perl, properly translate empty Postgres arrays into empty Perl arrays (Alex Hunsaker)

Make PL/Python cope with function names that aren't valid Python identifiers (Jim Nasby)

Fix multiple mistakes in the statistics returned by contrib/pgstattuple's pgstatindex() function (Tom Lane)

Remove dependency on psed in MSVC builds, since it's no longer provided by core Perl (Michael Paquier, Andrew Dunstan)

Update time zone data files to tzdata release 2016c for DST law changes in Azerbaijan, Chile, Haiti, Palestine, and Russia (Altai, Astrakhan, Kirov, Sakhalin, Ulyanovsk regions), plus historical corrections for Lithuania, Moldova, and Russia (Kaliningrad, Samara, Volgograd).