PostgreSQL Changelog

What's new in PostgreSQL 16.2

Feb 9, 2024

Tighten security restrictions within REFRESH MATERIALIZED VIEW CONCURRENTLY (Heikki Linnakangas)
One step of a concurrent refresh command was run under weak security restrictions. If a materialized view's owner could persuade a superuser or other high-privileged user to perform a concurrent refresh on that view, the view's owner could control code executed with the privileges of the user running REFRESH. Fix things so that all user-determined code is run as the view's owner, as expected.
The only known exploit for this error does not work in PostgreSQL 16.0 and later, so it may be that v16 is not vulnerable in practice.
The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. (CVE-2024-0985)
Fix memory leak when performing JIT inlining (Andres Freund, Daniel Gustafsson)
There have been multiple reports of backend processes suffering out-of-memory conditions after sufficiently many JIT compilations. This fix should resolve that.
Avoid generating incorrect partitioned-join plans (Richard Guo)
Some uncommon situations involving lateral references could create incorrect plans. Affected queries could produce wrong answers, or odd failures such as “variable not found in subplan target list”, or executor crashes.
Fix incorrect wrapping of subquery output expressions in PlaceHolderVars (Tom Lane)
This fixes incorrect results when a subquery is underneath an outer join and has an output column that laterally references something outside the outer join's scope. The output column might not appear as NULL when it should do so due to the action of the outer join.
Fix misprocessing of window function run conditions (Richard Guo)
This oversight could lead to “WindowFunc not found in subplan target lists” errors.
Fix detection of inner-side uniqueness for Memoize plans (Richard Guo)
This mistake could lead to “cache entry already complete” errors.
Fix computation of nullingrels when constant-folding field selection (Richard Guo)
Failure to do this led to errors like “wrong varnullingrels (b) (expected (b 3)) for Var 2/2”.
Skip inappropriate actions when MERGE causes a cross-partition update (Dean Rasheed)
When executing a MERGE UPDATE action on a partitioned table, if the UPDATE is turned into a DELETE and INSERT due to changing a partition key column, skip firing AFTER UPDATE ROW triggers, as well as other post-update actions such as RLS checks. These actions would typically fail, which is why a regular UPDATE doesn't do them in such cases; MERGE shouldn't either.
Cope with BEFORE ROW DELETE triggers in cross-partition MERGE updates (Dean Rasheed)
If such a trigger attempted to prevent the update by returning NULL, MERGE would suffer an error or assertion failure.
Prevent access to a no-longer-pinned buffer in BEFORE ROW UPDATE triggers (Alexander Lakhin, Tom Lane)
If the tuple being updated had just been updated and moved to another page by another session, there was a narrow window where we would attempt to fetch data from the new tuple version without any pin on its buffer. In principle this could result in garbage data appearing in non-updated columns of the proposed new tuple. The odds of problems in practice seem rather low, however.
Avoid requesting an oversize shared-memory area in parallel hash join (Thomas Munro, Andrei Lepikhov, Alexander Korotkov)
The limiting value was too large, allowing “invalid DSA memory alloc request size” errors to occur with sufficiently large expected hash table sizes.
Fix corruption of local buffer state when an error occurs while trying to extend a temporary table (Tender Wang)
Fix use of wrong tuple slot while evaluating DISTINCT aggregates that have multiple arguments (David Rowley)
This mistake could lead to errors such as “attribute 1 of type record has wrong type”.
Avoid assertion failures in heap_update() and heap_delete() when a tuple to be updated by a foreign-key enforcement trigger fails the extra visibility crosscheck (Alexander Lakhin)
This error had no impact in non-assert builds.
Fix possible failure during ALTER TABLE ADD COLUMN on a complex inheritance tree (Tender Wang)
If a grandchild table would inherit the new column via multiple intermediate parents, the command failed with “tuple already updated by self”.
Fix problems with duplicate token names in ALTER TEXT SEARCH CONFIGURATION ... MAPPING commands (Tender Wang, Michael Paquier)
Fix DROP ROLE with duplicate role names (Michael Paquier)
Previously this led to a “tuple already updated by self” failure. Instead, ignore the duplicate.
Properly lock the associated table during DROP STATISTICS (Tomas Vondra)
Failure to acquire the lock could result in “tuple concurrently deleted” errors if the DROP executes concurrently with ANALYZE.
Fix function volatility checking for GENERATED and DEFAULT expressions (Tom Lane)
These places could fail to detect insertion of a volatile function default-argument expression, or decide that a polymorphic function is volatile although it is actually immutable on the datatype of interest. This could lead to improperly rejecting or accepting a GENERATED clause, or to mistakenly applying the constant-default-value optimization in ALTER TABLE ADD COLUMN.
Detect that a new catalog cache entry became stale while detoasting its fields (Tom Lane)
We expand any out-of-line fields in a catalog tuple before inserting it into the catalog caches. That involves database access which might cause invalidation of catalog cache entries — but the new entry isn't in the cache yet, so we would miss noticing that it should get invalidated. The result is a race condition in which an already-stale cache entry could get made, and then persist indefinitely. This would lead to hard-to-predict misbehavior. Fix by rechecking the tuple's visibility after detoasting.
Fix edge-case integer overflow detection bug on some platforms (Dean Rasheed)
Computing 0 - INT64_MIN should result in an overflow error, and did on most platforms. However, platforms with neither integer overflow builtins nor 128-bit integers would fail to spot the overflow, instead returning INT64_MIN.
Detect Julian-date overflow when adding or subtracting an interval to/from a timestamp (Tom Lane)
Some cases that should cause an out-of-range error produced an incorrect result instead.
Add more checks for overflow in interval_mul() and interval_div() (Dean Rasheed)
Some cases that should cause an out-of-range error produced an incorrect result instead.
Allow scram_SaltedPassword() to be interrupted (Bowen Shi)
With large scram_iterations values, this function could take a long time to run. Allow it to be interrupted by query cancel requests.
Ensure cached statistics are discarded after a change to stats_fetch_consistency (Shinya Kato)
In some code paths, it was possible for stale statistics to be returned.
Make the pg_file_settings view check validity of unapplied values for settings with backend or superuser-backend context (Tom Lane)
Invalid values were not noted in the view as intended. This escaped detection because there are very few settings in these groups.
Match collation too when matching an existing index to a new partitioned index (Peter Eisentraut)
Previously we could accept an index that has a different collation from the corresponding element of the partition key, possibly leading to misbehavior.
Avoid failure if a child index is dropped concurrently with REINDEX INDEX on a partitioned index (Fei Changhong)
Fix insufficient locking when cleaning up an incomplete split of a GIN index's internal page (Fei Changhong, Heikki Linnakangas)
The code tried to do this with shared rather than exclusive lock on the buffer. This could lead to index corruption if two processes attempted the cleanup concurrently.
Avoid premature release of buffer pin in GIN index insertion (Tom Lane)
If an index root page split occurs concurrently with our own insertion, the code could fail with “buffer NNNN is not owned by resource owner”.
Avoid failure with partitioned SP-GiST indexes (Tom Lane)
Trying to use an index of this kind could lead to “No such file or directory” errors.
Fix ownership tests for large objects (Tom Lane)
Operations on large objects that require ownership privilege failed with “unrecognized class ID: 2613”, unless run by a superuser.
Fix ownership change reporting for large objects (Tom Lane)
A no-op ALTER LARGE OBJECT OWNER command (that is, one selecting the existing owner) passed the wrong class ID to the PostAlterHook, probably confusing any extension using that hook.
Fix reporting of I/O timing data in EXPLAIN (BUFFERS) (Michael Paquier)
The numbers labeled as “shared/local” actually refer only to shared buffers, so change that label to “shared”.
Ensure durability of CREATE DATABASE (Noah Misch)
If an operating system crash occurred during or shortly after CREATE DATABASE, recovery could fail, or subsequent connections to the new database could fail. If a base backup was taken in that window, similar problems could be observed when trying to use the backup. The symptom would be that the database directory, PG_VERSION file, or pg_filenode.map file was missing or empty.
Add more LOG messages when starting and ending recovery from a backup (Andres Freund)
This change provides additional information in the postmaster log that may be useful for diagnosing recovery problems.
Prevent standby servers from incorrectly processing dead index tuples during subtransactions (Fei Changhong)
The startedInRecovery flag was not correctly set for a subtransaction. This affects only processing of dead index tuples. It could allow a query in a subtransaction to ignore index entries that it should return (if they are already dead on the primary server, but not dead to the standby transaction), or to prematurely mark index entries as dead that are not yet dead on the primary. It is not clear that the latter case has any serious consequences, but it's not the intended behavior.
Fix signal handling in walreceiver processes (Heikki Linnakangas)
Revert a change that made walreceivers non-responsive to SIGTERM while waiting for the replication connection to be established.
Fix integer overflow hazard in checking whether a record will fit into the WAL decoding buffer (Thomas Munro)
This bug appears to be only latent except when running a 32-bit PostgreSQL build on a 64-bit platform.
Fix deadlock between a logical replication apply worker, its tablesync worker, and a session process trying to alter the subscription (Shlok Kyal)
One edge of the deadlock loop did not involve a lock wait, so the deadlock went undetected and would persist until manual intervention.
Ensure that column default values are correctly transmitted by the pgoutput logical replication plugin (Nikhil Benesch)
ALTER TABLE ADD COLUMN with a constant default value for the new column avoids rewriting existing tuples, instead expecting that reading code will insert the correct default into a tuple that lacks that column. If replication was subsequently initiated on the table, pgoutput would transmit NULL instead of the correct default for such a column, causing incorrect replication on the subscriber.
Fix failure of logical replication's initial sync for a table with no columns (Vignesh C)
This case generated an improperly-formatted COPY command.
Re-validate a subscription's connection string before use (Vignesh C)
This is meant to detect cases where a subscription was created without a password (which is allowed to superusers) but then the subscription owner is changed to a non-superuser.
Return the correct status code when a new client disconnects without responding to the server's password challenge (Liu Lang, Tom Lane)
In some cases we'd treat this as a loggable error, which was not the intention and tends to create log spam, since common clients like psql frequently do this. It may also confuse extensions that use ClientAuthentication_hook.
Fix incompatibility with OpenSSL 3.2 (Tristan Partin, Bo Andreson)
Use the BIO “app_data” field for our private storage, instead of assuming it's okay to use the “data” field. This mistake didn't cause problems before, but with 3.2 it leads to crashes and complaints about double frees.
Be more wary about OpenSSL not setting errno on error (Tom Lane)
If errno isn't set, assume the cause of the reported failure is read EOF. This fixes rare cases of strange error reports like “could not accept SSL connection: Success”.
Fix file descriptor leakage when a foreign data wrapper's ForeignAsyncRequest function fails (Heikki Linnakangas)
Fix minor memory leak in connection string validation for CREATE SUBSCRIPTION (Jeff Davis)
Report ENOMEM errors from file-related system calls as ERRCODE_OUT_OF_MEMORY, not ERRCODE_INTERNAL_ERROR (Alexander Kuzmenkov)
In PL/pgSQL, support SQL commands that are CREATE FUNCTION/CREATE PROCEDURE with SQL-standard bodies (Tom Lane)
Previously, such cases failed with parsing errors due to the semicolon(s) appearing in the function body.
Fix libpq's handling of errors in pipelines (Álvaro Herrera)
The pipeline state could get out of sync if an error is returned for reasons other than a query problem (for example, if the connection is lost). Potentially this would lead to a busy-loop in the calling application.
Make libpq's PQsendFlushRequest() function flush the client output buffer under the same rules as other PQsend functions (Jelte Fennema-Nio)
In pipeline mode, it may still be necessary to call PQflush() as well; but this change removes some inconsistency.
Avoid race condition when libpq initializes OpenSSL support concurrently in two different threads (Willi Mann, Michael Paquier)
Fix timing-dependent failure in GSSAPI data transmission (Tom Lane)
When using GSSAPI encryption in non-blocking mode, libpq sometimes failed with “GSSAPI caller failed to retransmit all data needing to be retried”.
Change initdb to always un-comment the postgresql.conf entries for the lc_xxx parameters (Kyotaro Horiguchi)
initdb used to work this way before v16, and now it does again. The change caused initdb's --no-locale option to not have the intended effect on lc_messages.
In pg_dump, don't dump RLS policies or security labels for extension member objects (Tom Lane, Jacob Champion)
Previously, commands would be included in the dump to set these properties, which is really incorrect since they should be considered as internal affairs of the extension. Moreover, the restoring user might not have adequate privilege to set them, and indeed the dumping user might not have enough privilege to dump them (since dumping RLS policies requires acquiring lock on their table).
In pg_dump, don't dump an extended statistics object if its underlying table isn't being dumped (Rian McGuire, Tom Lane)
This conforms to the behavior for other dependent objects such as indexes.
Properly detect out-of-memory in one code path in pg_dump (Daniel Gustafsson)
Make it an error for a pgbench script to end with an open pipeline (Anthonin Bonnefoy)
Previously, pgbench would behave oddly if a startpipeline command lacked a matching endpipeline. This seems like a scripting mistake rather than a case that pgbench needs to handle nicely, so throw an error.
In contrib/bloom, fix overly tight assertion about false_positive_rate (Alexander Lakhin)
Fix crash in contrib/intarray if an array with an element equal to INT_MAX is inserted into a gist__int_ops index (Alexander Lakhin, Tom Lane)
Report a better error when contrib/pageinspect's hash_bitmap_info() function is applied to a partitioned hash index (Alexander Lakhin, Michael Paquier)
Report a better error when contrib/pgstattuple's pgstathashindex() function is applied to a partitioned hash index (Alexander Lakhin)
On Windows, suppress autorun options when launching subprocesses in pg_ctl and pg_regress (Kyotaro Horiguchi)
When launching a child process via cmd.exe, pass the /D flag to prevent executing any autorun commands specified in the registry. This avoids possibly-surprising side effects.
Move is_valid_ascii() from mb/pg_wchar.h to utils/ascii.h (Jubilee Young)
This change avoids the need to include in pg_wchar.h, which was causing problems for some third-party code.
Fix compilation failures with libxml2 version 2.12.0 and later (Tom Lane)
Fix compilation failure of WAL_DEBUG code on Windows (Bharath Rupireddy)
Suppress compiler warnings from Python's header files (Peter Eisentraut, Tom Lane)
Our preferred compiler options provoke warnings about constructs appearing in recent versions of Python's header files. When using gcc, we can suppress these warnings with a pragma.
Avoid deprecation warning when compiling with LLVM 18 (Thomas Munro)
Update time zone data files to tzdata release 2024a for DST law changes in Greenland, Kazakhstan, and Palestine, plus corrections for the Antarctic stations Casey and Vostok. Also historical corrections for Vietnam, Toronto, and Miquelon.

New in PostgreSQL 16.1 (Nov 10, 2023)

Fix handling of unknown-type arguments in DISTINCT "any" aggregate functions (Tom Lane)
This error led to a text-type value being interpreted as an unknown-type value (that is, a zero-terminated string) at runtime. This could result in disclosure of server memory following the text value.
The PostgreSQL Project thanks Jingzhou Fu for reporting this problem. (CVE-2023-5868)
Detect integer overflow while computing new array dimensions (Tom Lane)
When assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory.
The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. (CVE-2023-5869)
Prevent the pg_signal_backend role from signalling background workers and autovacuum processes (Noah Misch, Jelte Fennema-Nio)
The documentation says that pg_signal_backend cannot issue signals to superuser-owned processes. It was able to signal these background processes, though, because they advertise a role OID of zero. Treat that as indicating superuser ownership. The security implications of cancelling one of these process types are fairly small so far as the core code goes (we'll just start another one), but extensions might add background workers that are more vulnerable.
Also ensure that the is_superuser parameter is set correctly in such processes. No specific security consequences are known for that oversight, but it might be significant for some extensions.
The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem. (CVE-2023-5870)
Fix misbehavior during recursive page split in GiST index build (Heikki Linnakangas)
Fix a case where the location of a page downlink was incorrectly tracked, and introduce some logic to allow recovering from such situations rather than silently doing the wrong thing. This error could result in incorrect answers from subsequent index searches. It may be advisable to reindex all GiST indexes after installing this update.
Prevent de-duplication of btree index entries for interval columns (Noah Misch)
There are interval values that are distinguishable but compare equal, for example 24:00:00 and 1 day. This breaks assumptions made by btree de-duplication, so interval columns need to be excluded from de-duplication. This oversight can cause incorrect results from index-only scans. Moreover, after updating amcheck will report an error for almost all such indexes. Users should reindex any btree indexes on interval columns.
Process date values more sanely in BRIN datetime_minmax_multi_ops indexes (Tomas Vondra)
The distance calculation for dates was backward, causing poor decisions about which entries to merge. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi indexes on date columns is advisable.
Process large timestamp and timestamptz values more sanely in BRIN datetime_minmax_multi_ops indexes (Tomas Vondra)
Infinities were mistakenly treated as having distance zero rather than a large distance from other values, causing poor decisions about which entries to merge. Also, finite-but-very-large values (near the endpoints of the representable timestamp range) could result in internal overflows, again causing poor decisions. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi indexes on timestamp and timestamptz columns is advisable if the column contains, or has contained, infinities or large finite values.
Avoid calculation overflows in BRIN interval_minmax_multi_ops indexes with extreme interval values (Tomas Vondra)
This bug might have caused unexpected failures while trying to insert large interval values into such an index.
Fix partition step generation and runtime partition pruning for hash-partitioned tables with multiple partition keys (David Rowley)
Some cases involving an IS NULL condition on one of the partition keys could result in a crash.
Fix inconsistent rechecking of concurrently-updated rows during MERGE (Dean Rasheed)
In READ COMMITTED mode, an update that finds that its target row was just updated by a concurrent transaction will recheck the query's WHERE conditions on the updated row. MERGE failed to ensure that the proper rows of other joined tables were used during this recheck, possibly resulting in incorrect decisions about whether the newly-updated row should be updated again by MERGE.
Correctly identify the target table in an inherited UPDATE/DELETE/MERGE even when the parent table is excluded by constraints (Amit Langote, Tom Lane)
If the initially-named table is excluded by constraints, but not all its inheritance descendants are, the first non-excluded descendant was identified as the primary target table. This would lead to firing statement-level triggers associated with that table, rather than the initially-named table as should happen. In v16, the same oversight could also lead to “invalid perminfoindex 0 in RTE with relid NNNN” errors.
Fix edge case in btree mark/restore processing of ScalarArrayOpExpr clauses (Peter Geoghegan)
When restoring an indexscan to a previously marked position, the code could miss required setup steps if the scan had advanced exactly to the end of the matches for a ScalarArrayOpExpr (that is, an indexcol = ANY(ARRAY[])) clause. This could result in missing some rows that should have been fetched.
Fix intra-query memory leak in Memoize execution (Orlov Aleksej, David Rowley)
Fix intra-query memory leak when a set-returning function repeatedly returns zero rows (Tom Lane)
Don't crash if cursor_to_xmlschema() is applied to a non-data-returning Portal (Boyu Yang)
Fix improper sharing of origin filter condition across successive pg_logical_slot_get_changes() calls (Hou Zhijie)
The origin condition set by one call of this function would be re-used by later calls that did not specify the origin argument. This was not intended.
Throw the intended error if pgrowlocks() is applied to a partitioned table (David Rowley)
Previously, a not-on-point complaint “only heap AM is supported” would be raised.
Handle invalid indexes more cleanly in assorted SQL functions (Noah Misch)
Report an error if pgstatindex(), pgstatginindex(), pgstathashindex(), or pgstattuple() is applied to an invalid index. If brin_desummarize_range(), brin_summarize_new_values(), brin_summarize_range(), or gin_clean_pending_list() is applied to an invalid index, do nothing except to report a debug-level message. Formerly these functions attempted to process the index, and might fail in strange ways depending on what the failed CREATE INDEX had left behind.
Avoid premature memory allocation failure with long inputs to to_tsvector() (Tom Lane)
Fix over-allocation of the constructed tsvector in tsvectorrecv() (Denis Erokhin)
If the incoming vector includes position data, the binary receive function left wasted space (roughly equal to the size of the position data) in the finished tsvector. In extreme cases this could lead to “maximum total lexeme length exceeded” failures for vectors that were under the length limit when emitted. In any case it could lead to wasted space on-disk.
Improve checks for corrupt PGLZ compressed data (Flavien Guedez)
Fix ALTER SUBSCRIPTION so that a commanded change in the run_as_owner option is actually applied (Hou Zhijie)
Fix bulk table insertion into partitioned tables (Andres Freund)
Improper sharing of insertion state across partitions could result in failures during COPY FROM, typically manifesting as “could not read block NNNN in file XXXX: read only 0 of 8192 bytes” errors.
In COPY FROM, avoid evaluating column default values that will not be needed by the command (Laurenz Albe)
This avoids a possible error if the default value isn't actually valid for the column, or if the default's expression would fail in the current execution context. Such edge cases sometimes arise while restoring dumps, for example. Previous releases did not fail in this situation, so prevent v16 from doing so.
In COPY FROM, fail cleanly when an unsupported encoding conversion is needed (Tom Lane)
Recent refactoring accidentally removed the intended error check for this, such that it ended in “cache lookup failed for function 0” instead of a useful error message.
Avoid crash in EXPLAIN if a parameter marked to be displayed by EXPLAIN has a NULL boot-time value (Xing Guo, Aleksander Alekseev, Tom Lane)
No built-in parameter fits this description, but an extension could define such a parameter.
Ensure we have a snapshot while dropping ON COMMIT DROP temp tables (Tom Lane)
This prevents possible misbehavior if any catalog entries for the temp tables have fields wide enough to require toasting (such as a very complex CHECK condition).
Avoid improper response to shutdown signals in child processes just forked by system() (Nathan Bossart)
This fix avoids a race condition in which a child process that has been forked off by system(), but hasn't yet exec'd the intended child program, might receive and act on a signal intended for the parent server process. That would lead to duplicate cleanup actions being performed, which will not end well.
Cope with torn reads of pg_control in frontend programs (Thomas Munro)
On some file systems, reading pg_control may not be an atomic action when the server concurrently writes that file. This is detectable via a bad CRC. Retry a few times to see if the file becomes valid before we report error.
Avoid torn reads of pg_control in relevant SQL functions (Thomas Munro)
Acquire the appropriate lock before reading pg_control, to ensure we get a consistent view of that file.
Fix “could not find pathkey item to sort” errors occurring while planning aggregate functions with ORDER BY or DISTINCT options (David Rowley)
Avoid integer overflow when computing size of backend activity string array (Jakub Wartak)
On 64-bit machines we will allow values of track_activity_query_size large enough to cause 32-bit overflow when multiplied by the allowed number of connections. The code actually allocating the per-backend local array was careless about this though, and allocated the array incorrectly.
Fix briefly showing inconsistent progress statistics for ANALYZE on inherited tables (Heikki Linnakangas)
The block-level counters should be reset to zero at the same time we update the current-relation field.
Fix the background writer to report any WAL writes it makes to the statistics counters (Nazir Bilal Yavuz)
Fix confusion about forced-flush behavior in pgstat_report_wal() (Ryoga Yoshida, Michael Paquier)
This could result in some statistics about WAL I/O being forgotten in a shutdown.
Fix statistics tracking of temporary-table extensions (Karina Litskevich, Andres Freund)
These were counted as normal-table writes when they should be counted as temp-table writes.
When track_io_timing is enabled, include the time taken by relation extension operations as write time (Nazir Bilal Yavuz)
Track the dependencies of cached CALL statements, and re-plan them when needed (Tom Lane)
DDL commands, such as replacement of a function that has been inlined into a CALL argument, can create the need to re-plan a CALL that has been cached by PL/pgSQL. That was not happening, leading to misbehavior or strange errors such as “cache lookup failed”.
Avoid a possible pfree-a-NULL-pointer crash after an error in OpenSSL connection setup (Sergey Shinderuk)
Track nesting depth correctly when inspecting RECORD-type Vars from outer query levels (Richard Guo)
This oversight could lead to assertion failures, core dumps, or “bogus varno” errors.
Track hash function and negator function dependencies of ScalarArrayOpExpr plan nodes (David Rowley)
In most cases this oversight was harmless, since these functions would be unlikely to disappear while the node's original operator remains present.
Fix error-handling bug in RECORD type cache management (Thomas Munro)
An out-of-memory error occurring at just the wrong point could leave behind inconsistent state that would lead to an infinite loop.
Treat out-of-memory failures as fatal while reading WAL (Michael Paquier)
Previously this would be treated as a bogus-data condition, leading to the conclusion that we'd reached the end of WAL, which is incorrect and could lead to inconsistent WAL replay.
Fix possible recovery failure due to trying to allocate memory based on a bogus WAL record length field (Thomas Munro, Michael Paquier)
Fix “could not duplicate handle” error occurring on Windows when min_dynamic_shared_memory is set above zero (Thomas Munro)
Fix order of operations in GenericXLogFinish (Jeff Davis)
This code violated the conditions required for crash safety by writing WAL before marking changed buffers dirty. No core code uses this function, but extensions do (contrib/bloom does, for example).
Remove incorrect assertion in PL/Python exception handling (Alexander Lakhin)
Fix pg_dump to dump the new run_as_owner option of subscriptions (Philip Warner)
Due to this oversight, subscriptions would always be restored with run_as_owner set to false, which is not equivalent to their behavior in pre-v16 releases.
Fix pg_restore so that selective restores will include both table-level and column-level ACLs for selected tables (Euler Taveira, Tom Lane)
Formerly, only the table-level ACL would get restored if both types were present.
Add logic to pg_upgrade to check for use of abstime, reltime, and tinterval data types (Álvaro Herrera)
These obsolete data types were removed in PostgreSQL version 12, so check to make sure they aren't present in an older database before claiming it can be upgraded.
Avoid false “too many client connections” errors in pgbench on Windows (Noah Misch)
Fix vacuumdb's handling of multiple -N switches (Nathan Bossart, Kuwamura Masaki)
Multiple -N switches should exclude tables in multiple schemas, but in fact excluded nothing due to faulty construction of a generated query.
Fix vacuumdb to honor its --buffer-usage-limit option in analyze-only mode (Ryoga Yoshida, David Rowley)
In contrib/amcheck, do not report interrupted page deletion as corruption (Noah Misch)
This fix prevents false-positive reports of “the first child of leftmost target page is not leftmost of its level”, “block NNNN is not leftmost” or “left link/right link pair in index XXXX not in agreement”. They appeared if amcheck ran after an unfinished btree index page deletion and before VACUUM had cleaned things up.
Fix failure of contrib/btree_gin indexes on interval columns, when an indexscan using the < or

New in PostgreSQL 16.0 (Sep 14, 2023)

New in PostgreSQL 15.2 (May 11, 2023)

Prevent CREATE SCHEMA from defeating changes in search_path (Alexander Lakhin)
Within a CREATE SCHEMA command, objects in the prevailing search_path, as well as those in the newly-created schema, would be visible even within a called function or script that attempted to set a secure search_path. This could allow any user having permission to create a schema to hijack the privileges of a security definer function or extension script.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2023-2454)
Enforce row-level security policies correctly after inlining a set-returning function (Stephen Frost, Tom Lane)
If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2023-2455)
Fix potential corruption of the template (source) database after CREATE DATABASE with the STRATEGY WAL_LOG option (Nathan Bossart, Ryo Matsumura)
Improper buffer handling created a risk that any later modification of the template's pg_class catalog would be lost.
Fix memory leakage and unnecessary disk reads during CREATE DATABASE with the STRATEGY WAL_LOG option (Andres Freund)
Avoid crash when the new schema name is omitted in CREATE SCHEMA (Michael Paquier)
The SQL standard allows writing CREATE SCHEMA AUTHORIZATION owner_name, with the schema name defaulting to owner_name. However some code paths expected the schema name to be present and would fail.
Fix various planner failures with MERGE commands (Tom Lane)
Planning could fail with errors like “variable not found in subplan target list” or “PlaceHolderVar found where not expected”.
Fix the row count reported by MERGE for some corner cases (Dean Rasheed)
The row count reported in the command tag counted rows that actually hadn't been modified due to a BEFORE ROW trigger returning NULL. This is inconsistent with what happens in plain UPDATE or DELETE, so change it to not count such rows. Also, avoid counting a row twice when MERGE moves it into a different partition of a partitioned table.
Fix MERGE problems with concurrent updates (Dean Rasheed, Álvaro Herrera)
Some cases misbehaved if a row to be updated or deleted by MERGE had just been updated by a concurrent transaction. This could lead to a crash, or the wrong merge action being executed, or no action at all.
Add support for decompiling MERGE commands (Álvaro Herrera)
This was overlooked when MERGE was added, but it's essential support for MERGE in new-style SQL functions.
Fix enabling/disabling of foreign-key triggers in partitioned tables (Tom Lane)
ALTER TABLE ... ENABLE/DISABLE TRIGGER failed if applied to a partitioned table's foreign-key enforcement triggers, because it tried to locate the clone triggers for the partitions by name, and they do not have the same name. Locate them by parent-trigger OID instead.
Disallow altering composite types that are stored in indexes (Tom Lane)
ALTER TYPE disallows non-binary-compatible modifications of composite types if they are stored in any table columns. (Perhaps that will be allowed someday, but it hasn't happened yet; the locking implications of rewriting many tables are daunting.) We overlooked the possibility that an index might contain a composite type that doesn't also appear in its table.
Disallow system columns as elements of foreign keys (Tom Lane)
Since the removal of OID as a system column, there is no plausible use-case for this, and various bits of code no longer support it. Disallow it rather than trying to fix all the cases.
Ensure that COPY TO from an RLS-enabled parent table does not copy any rows from child tables (Antonin Houska)
The documentation is quite clear that COPY TO copies rows from only the named table, not any inheritance children it may have. However, if row-level security was enabled on the table then this stopped being true.
Avoid possible crash when array_position() or array_positions() is passed an empty array (Tom Lane)
Fix possible out-of-bounds fetch in to_char() (Tom Lane)
With bad luck this could have resulted in a server crash.
Avoid buffer overread in translate() function (Daniil Anisimov)
When using the deletion feature, the function might fetch the byte just after the input string, creating a small risk of crash.
Adjust text-search-related character classification logic to correctly detect whether the prevailing locale is C (Jeff Davis)
This code got confused if the database's default collation uses ICU.
Avoid possible crash on empty input for type interval (Tom Lane)
Re-allow exponential notation in ISO-8601 interval fields (Tom Lane)
Interval input like P0.1e10D isn't officially sanctioned by ISO-8601, but we accepted it for a long time before version 15, so re-allow it.
Fix error cursor setting for parse errors in JSON string literals (Tom Lane)
Most cases in which a syntax error is detected in a string literal within a JSON value failed to set the error cursor appropriately. This led at least to an unhelpful error message (pointing to the token before the string, rather than the actual trouble spot), and could even result in a crash in v14 and later.
Fix data corruption due to vacuum_defer_cleanup_age being larger than the current 64-bit xid (Andres Freund)
In v14 and later with non-default settings of vacuum_defer_cleanup_age, it was possible to compute a very large vacuum cleanup horizon xid, leading to vacuum removing rows that are still live. v12 and v13 have a lesser form of the same problem affecting only GiST indexes, which could lead to index pages getting recycled too early.
Fix parser's failure to detect some cases of improperly-nested aggregates (Tom Lane)
This oversight could lead to executor failures for queries that should have been rejected as invalid.
Fix data structure corruption during parsing of serial SEQUENCE NAME options (David Rowley)
This can lead to trouble if an event trigger captures the corrupted parse tree.
Correctly update plan nodes' parallel-safety markings when moving initplans from one node to another (Tom Lane)
This planner oversight could lead to “subplan was not initialized” errors at runtime.
Avoid failure with PlaceHolderVars in extended-statistics code (Tom Lane)
Use of dependency-type extended statistics could fail with “PlaceHolderVar found where not expected”.
Fix incorrect tests for whether a qual clause applied to a subquery can be transformed into a window aggregate “run condition” within the subquery (David Rowley)
A SubPlan within such a clause would cause assertion failures or incorrect answers, as would some other unusual cases.
Disable the inverse-transition optimization for window aggregates when the call contains sub-SELECTs (David Rowley)
This optimization requires that the aggregate's argument expressions have repeatable results, which might not hold for a sub-SELECT.
Fix oversights in execution of nested ARRAY[] constructs (Alexander Lakhin, Tom Lane)
Correctly detect overflow of the total space needed for the result array, avoiding a possible crash due to undersized output allocation. Also ensure that any trailing padding space in the result array is zeroed; while leaving garbage there is harmless for most purposes, it can result in odd behavior later.
Prevent crash when updating a field within an array-of-domain-over-composite-type column (Dmitry Dolgov)
Fix partition pruning logic for partitioning on boolean columns (David Rowley)
Pruning with a condition like boolcol IS NOT TRUE was done incorrectly, leading to possibly not returning rows in which boolcol is NULL. Also, the rather unlikely case of partitioning on NOT boolcol was handled incorrectly.
Fix race condition in per-batch cleanup during parallel hash join (Thomas Munro, Melanie Plageman)
A crash was possible given unlucky timing and parallel_leader_participation = off (which is not the default).
Recalculate GENERATED columns after an EvalPlanQual check (Tom Lane)
In READ COMMITTED isolation mode, the effects of a row update might need to get reapplied to a newer version of the row than the query found originally. If so, we need to recompute any GENERATED columns, in case they depend on columns that were changed by the concurrent update.
Fix memory leak in Memoize plan execution (David Rowley)
Fix buffer refcount leak when using batched inserts for a foreign table included in a partitioned tree (Alexander Pyhalov)
Restore support for sub-millisecond vacuum_cost_delay settings (Thomas Munro)
Don't balance vacuum cost delay when a table has a per-relation vacuum_cost_delay setting of zero (Masahiko Sawada)
Delay balancing is supposed to be disabled whenever autovacuum is processing a table with a per-relation vacuum_cost_delay setting, but this was done only for positive settings, not zero.
Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
Repair rare failure of MULTIEXPR_SUBLINK subplans in partitioned updates (Andres Freund, Tom Lane)
Use of the syntax INSERT ... ON CONFLICT DO UPDATE SET (c1, ...) = (SELECT ...) with a partitioned target table could result in failure if any child table is dissimilar from the parent (for example, different physical column order). This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.
Fix handling of DEFAULT markers within a multi-row INSERT ... VALUES query on a view that has a DO ALSO INSERT ... SELECT rule (Dean Rasheed)
Such cases typically failed with “unrecognized node type” errors or assertion failures.
Support references to OLD and NEW within subqueries in rule actions (Dean Rasheed, Tom Lane)
Such references are really lateral references, but the server could crash if the subquery wasn't explicitly marked with LATERAL. Arrange to do that implicitly when necessary.
When decompiling a rule or SQL function body containing INSERT/UPDATE/DELETE within WITH, take care to print the correct alias for the target table (Tom Lane)
Fix glitches in SERIALIZABLE READ ONLY optimization (Thomas Munro)
Transactions already marked as “doomed” confused the safe-snapshot optimization for SERIALIZABLE READ ONLY transactions. The optimization was unnecessarily skipped in some cases. In other cases an assertion failure occurred (but there was no problem in non-assert builds).
Avoid leaking cache callback slots in the pgoutput logical decoding plugin (Shi Yu)
Multiple cycles of starting up and shutting down the plugin within a single session would eventually lead to an “out of relcache_callback_list slots” error.
Avoid unnecessary calls to custom validators for index operator class options (Alexander Korotkov)
This change fixes some cases where an unexpected error was thrown.
Avoid useless work while scanning a multi-column BRIN index with multiple scan keys (Tomas Vondra)
The existing code effectively considered only the last scan key while deciding whether a range matched, thus usually scanning more of the index than it needed to.
Fix netmask handling in BRIN inet_minmax_multi_ops opclass (Tomas Vondra)
This error triggered an assertion failure in assert-enabled builds, but is mostly harmless in production builds.
Fix dereference of dangling pointer during buffering build of a GiST index (Alexander Lakhin)
This error seems to usually be harmless in production builds, as the fetched value is noncritical; but in principle it could cause a server crash.
Ignore dropped columns and generated columns during logical replication of an update or delete action (Onder Kalaci, Shi Yu)
Replication with the REPLICA IDENTITY FULL option failed if the table contained such columns.
Correct the name of the wait event for SLRU buffer I/O for commit timestamps (Alexander Lakhin)
This wait event is named CommitTsBuffer according to the documentation, but the code had it as CommitTSBuffer. Change the code to match the documentation, as that way is more consistent with the naming of related wait events.
Re-activate reporting of wait event SLRUFlushSync (Thomas Munro)
Reporting of this type of wait was accidentally removed in code refactoring.
Avoid possible underflow when calculating how many WAL segments to keep (Kyotaro Horiguchi)
This could result in not honoring wal_keep_size accurately.
Disable startup progress reporting overhead in standby mode (Bharath Rupireddy)
In standby mode, we don't actually report progress of recovery, but we were doing work to track it anyway.
Support RSA-PSS certificates with SCRAM-SHA-256 channel binding (Jacob Champion, Heikki Linnakangas)
This feature requires building with OpenSSL 1.1.1 or newer. Both the server and libpq are affected.
Avoid race condition with process ID tracking on Windows (Thomas Munro)
The operating system could recycle a PID before the postmaster observed that that child process was gone. This could lead to tracking more than one child with the same PID, resulting in confusion.
Fix list_copy_head() to work correctly on an empty List (David Rowley)
This case is not known to be reached by any core PostgreSQL code, but extensions might rely on it working.
Add missing cases to SPI_result_code_string() (Dean Rasheed)
Fix erroneous Valgrind markings in AllocSetRealloc() (Karina Litskevich)
In the unusual case where the size of a large (>8kB) palloc chunk is decreased, a Valgrind-aware build would mismark the defined-ness state of the memory released from the chunk, possibly causing incorrect results during Valgrind testing.
Fix assertion failure for MERGE into a partitioned table with row-level security enabled (Dean Rasheed)
Avoid assertion failure when decoding a transactional logical replication message (Tomas Vondra)
Avoid locale sensitivity when processing regular expression escapes (Jeff Davis)
A backslash followed by a non-ASCII character could sometimes cause an assertion failure, depending on the prevailing locale.
Avoid trying to write an empty WAL record in log_newpage_range() when the last few pages in the specified range are empty (Matthias van de Meent)
It is not entirely clear whether this case is reachable in released branches, but if it is then an assertion failure could occur.
Fix session-lifespan memory leakage in plpgsql DO blocks that use cast expressions (Ajit Awekar, Tom Lane)
Tighten array dimensionality checks when converting Perl list structures to multi-dimensional SQL arrays (Tom Lane)
plperl could misbehave when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. Such cases now produce errors, but previously they could result in a crash or garbage output.
Tighten array dimensionality checks when converting Python list structures to multi-dimensional SQL arrays (Tom Lane)
plpython could misbehave when dealing with empty sub-lists, or when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. The former should result in an empty output array, and the latter in an error. But some cases resulted in a crash, and others in unexpected output.
Fix unwinding of exception stack in plpython (Xing Guo)
Some rare failure cases could return without cleaning up the PG_TRY exception stack, risking a crash if another error was raised before the next stack level was unwound.
Fix inconsistent GSS-encryption error handling in libpq's PQconnectPoll() (Michael Paquier)
With gssencmode set to require, the connection was not marked dead after a GSS initialization failure. Make it fail immediately, as the equivalent case for TLS encryption has long done.
Fix possible data corruption in ecpg programs built with the -C ORACLE option (Kyotaro Horiguchi)
When ecpg_get_data() is called with varcharsize set to zero, it could write a terminating zero character into the last byte of the preceding field, truncating the data in that field.
Fix pg_dump so that partitioned tables that are hash-partitioned on an enum-type column can be restored successfully (Tom Lane)
Since the hash codes for enum values depend on the OIDs assigned to the enum, they are typically different after a dump and restore, meaning that rows often need to go into a different partition than they were in originally. Users can work around that by specifying the --load-via-partition-root option; but since there is very little chance of success without that, teach pg_dump to apply it automatically to such tables.
Also, fix pg_restore to not try to TRUNCATE target tables before restoring into them when --load-via-partition-root mode is used. This avoids a hazard of deadlocks and lost data.
Correctly detect non-seekable files on Windows (Juan José Santamaría Flecha, Michael Paquier, Daniel Watzinger)
This bug led to misbehavior when pg_dump writes to a pipe or pg_restore reads from one.
In pgbench's “prepared” mode, prepare all the commands in a pipeline before starting the pipeline (Álvaro Herrera)
This avoids a failure when a pgbench script tries to start a serializable transaction inside a pipeline.
In contrib/amcheck's heap checking code, deal correctly with tuples having zero xmin or xmax (Robert Haas)
In contrib/amcheck, deal sanely with xids that appear to be before epoch zero (Andres Freund)
In cases of corruption we might see a wrapped-around 32-bit xid that appears to be before the first xid epoch. Promoting such a value to 64-bit form produced a value far in the future, resulting in wrong reports. Return FirstNormalFullTransactionId in such cases so that things work reasonably sanely.
In contrib/basebackup_to_shell, properly detect failure to open a pipe (Robert Haas)
In contrib/hstore_plpython, avoid crashing if the Python value to be transformed isn't a mapping (Dmitry Dolgov, Tom Lane)
This should give an error, but Python 3 changed some APIs in a way that caused the check to misbehave, allowing a crash to ensue.
Require the siglen option of a GiST index on an ltree column, if specified, to be a multiple of 4 (Alexander Korotkov)
Other values result in misaligned accesses to index content, which is harmless on Intel-compatible hardware but can cause a crash on some other architectures.
In contrib/pageinspect, add defenses against incorrect input for the gist_page_items() function (Dmitry Koval)
Fix misbehavior in contrib/pg_trgm with an unsatisfiable regular expression (Tom Lane)
A regex such as $foo is legal but unsatisfiable; the regex compiler recognizes that and produces an empty NFA graph. Attempting to optimize such a graph into a pg_trgm GIN or GiST index qualification resulted in accessing off the end of a work array, possibly leading to crashes.
Fix handling of escape sequences in contrib/postgres_fdw's application_name parameter (Kyotaro Horiguchi, Michael Paquier)
The code to expand these could fail if executed in a background process, as for example during auto-analyze of a foreign table.
In contrib/pg_walinspect, limit memory usage of pg_get_wal_records_info() (Bharath Rupireddy)
Use the --strip-unneeded option when stripping static libraries with GNU-compatible strip (Tom Lane)
Previously, make install-strip used the -x option in this case. This change avoids misbehavior of llvm-strip, and gives slightly smaller output as well.
Stop recommending auto-download of DTD files for building the documentation, and indeed disable it (Aleksander Alekseev, Peter Eisentraut, Tom Lane)
It appears no longer possible to build the SGML documentation without a local installation of the DocBook DTD files. Formerly xsltproc could download those files on-the-fly from sourceforge.net; but sourceforge.net now permits only HTTPS access, and no common version of xsltproc supports that. Hence, remove the bits of our documentation suggesting that that's possible or useful, and instead add xsltproc's --nonet option to the build recipes.
When running TAP tests in PGXS builds, use a saner location for the temporary portlock directory (Peter Eisentraut)
Place it under tmp_check in the build directory. With the previous coding, a PGXS build would try to place it in the installation directory, which is not necessarily writable.
Update time zone data files to tzdata release 2023c for DST law changes in Egypt, Greenland, Morocco, and Palestine.
When observing Moscow time, Europe/Kirov and Europe/Volgograd now use the abbreviations MSK/MSD instead of numeric abbreviations, for consistency with other timezones observing Moscow time. Also, America/Yellowknife is no longer distinct from America/Edmonton; this affects some pre-1948 timestamps in that area.

New in PostgreSQL 15.1 (Nov 10, 2022)

Fix failure to remove non-first segments of large tables (Tom Lane)
PostgreSQL splits large tables into multiple files (normally with 1GB per file). The logic for dropping a table was broken and would miss removing all but the first such file, in two cases: drops of temporary tables and WAL replay of drops of regular tables. Applications that routinely create multi-gigabyte temporary tables could suffer significant disk space leakage.
Orphaned temporary-table files are removed during postmaster start, so the mere act of updating to 15.1 is sufficient to clear any leaked temporary-table storage. However, if you suffered any database crashes while using 15.0, and there might have been large tables dropped just before such crashes, it's advisable to check the database directories for files named according to the pattern NNNN.NN. If there is no matching file named just NNNN (without the .NN suffix), these files should be removed manually.
Fix handling of DEFAULT tokens that appear in a multi-row VALUES clause of an INSERT on an updatable view (Tom Lane)
This oversight could lead to “cache lookup failed for type” errors, or in older branches even to crashes.
Disallow rules named _RETURN that are not ON SELECT (Tom Lane)
This avoids confusion between a view's ON SELECT rule and any other rules it may have.
Avoid failure in EXPLAIN VERBOSE for a query using SEARCH BREADTH FIRST with constant initial values (Tom Lane)
Prevent use of MERGE on a partitioned table with foreign-table partitions (Álvaro Herrera)
The case isn't supported, and previously threw an incomprehensible error.
Fix construction of per-partition foreign key constraints while doing ALTER TABLE ATTACH PARTITION (Jehan-Guillaume de Rorthais, Álvaro Herrera)
Previously, incorrect or duplicate constraints could be constructed for the newly-added partition.
Fix planner failure with extended statistics on partitioned or inherited tables (Richard Guo, Justin Pryzby)
Some cases failed with “cache lookup failed for statistics object”.
Fix mis-ordering of WAL operations in fast insert path for GIN indexes (Matthias van de Meent, Zhang Mingli)
This mistake is not known to have any negative consequences within core PostgreSQL, but it did cause issues for some extensions.
Fix bugs in logical decoding when replay starts from a point between the beginning of a transaction and the beginning of its subtransaction (Masahiko Sawada, Kuroda Hayato)
These errors could lead to assertion failures in debug builds, and otherwise to memory leaks.
Accept interrupts in more places during logical decoding (Amit Kapila, Masahiko Sawada)
This ameliorates problems with slow shutdown of replication workers.
Prevent attempts to replicate into a foreign-table partition in replication workers (Shi Yu, Tom Lane)
Although partitioned tables can have foreign tables as partitions, replicating into such a partition isn't currently supported. The logical replication worker process would crash if it was attempted. Now, an error is thrown.
Avoid crash after function syntax error in replication workers (Maxim Orlov, Anton Melnikov, Masahiko Sawada, Tom Lane)
If a syntax error occurred in a SQL-language or PL/pgSQL-language CREATE FUNCTION or DO command executed in a logical replication worker, the worker process would crash with a null pointer dereference or assertion failure.
Avoid double call of the shutdown callback of an archiver module (Nathan Bossart, Bharath Rupireddy)
Add plan-time check for attempted access to a table that has no table access method (Tom Lane)
This prevents a crash in some catalog-corruption scenarios, for example use of a view whose ON SELECT rule is missing.
Prevent postmaster crash when shared-memory state is corrupted (Tom Lane)
The postmaster process is supposed to survive and initiate a database restart if shared memory becomes corrupted, but one bit of code was being insufficiently cautious about that.
In libpq, handle single-row mode correctly when pipelining (Denis Laxalde)
The single-row flag was not reset at the correct time if pipeline mode was also active.
Fix psql's exit status when a command-line query is canceled (Peter Eisentraut)
psql -c query would exit successfully if the query was canceled. Fix it to exit with nonzero status, as in other error cases.
Allow cross-platform tablespace relocation in pg_basebackup (Robert Haas)
Allow the remote path in --tablespace-mapping to be either a Unix-style or Windows-style absolute path, since the source server could be on a different OS than the local system.
Fix pg_dump's failure to dump comments attached to some CHECK constraints (Tom Lane)
Fix CREATE DATABASE to allow its oid parameter to exceed 231 (Tom Lane)
This oversight prevented pg_upgrade from succeeding when the source installation contained databases with OIDs larger than that.
In pg_stat_statements, fix access to already-freed memory (zhaoqigui)
This occurred if pg_stat_statements tracked a ROLLBACK command issued via extended query protocol. In debug builds it consistently led to an assertion failure. In production builds there would often be no visible ill effect; but if the freed memory had already been reused, the likely result would be to store garbage for the query string.
Fix incompatibilities with LLVM 15 (Thomas Munro, Andres Freund)
Allow use of __sync_lock_test_and_set() for spinlocks on any machine (Tom Lane)
This eases porting to new machine architectures, at least if you're using a compiler that supports this GCC builtin function.
Rename symbol REF to REF_P to avoid compile failure on recent macOS (Tom Lane)
Avoid using sprintf, to avoid compile-time deprecation warnings (Tom Lane)
Update time zone data files to tzdata release 2022f for DST law changes in Chile, Fiji, Iran, Jordan, Mexico, Palestine, and Syria, plus historical corrections for Chile, Crimea, Iran, and Mexico.
Also, the Europe/Kiev zone has been renamed to Europe/Kyiv. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake and Pacific/Wallis. (This indirectly affects zones that were already links to one of these: Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.) America/Nipigon, America/Rainy_River, America/Thunder_Bay, Europe/Uzhgorod, and Europe/Zaporozhye were also merged into nearby zones after discovering that their claimed post-1970 differences from those zones seem to have been errors. In all these cases, the previous zone name remains as an alias; but the actual data is that of the zone that was merged into.
These zone mergers result in loss of pre-1970 timezone history for the merged zones, which may be troublesome for applications expecting consistency of timestamptz display. As an example, the stored value 1944-06-01 12:00 UTC would previously display as 1944-06-01 13:00:00+01 if the Europe/Stockholm zone is selected, but now it will read out as 1944-06-01 14:00:00+02.
It is possible to build the time zone data files with options that will restore the older zone data, but that choice also inserts a lot of other old (and typically poorly-attested) zone data, resulting in more total changes from the previous release than accepting these upstream changes does. PostgreSQL has chosen to ship the tzdb data as-recommended, and so far as we are aware most major operating system distributions are doing likewise. However, if these changes cause significant problems for your application, a possible solution is to install a local build of the time zone data files using tzdb's backwards-compatibility options (see their PACKRATDATA and PACKRATLIST options).

New in PostgreSQL 15.0 (Oct 13, 2022)

New in PostgreSQL 14.5 (Aug 11, 2022)

Do not let extension scripts replace objects not already belonging to the extension (Tom Lane)
This change prevents extension scripts from doing CREATE OR REPLACE if there is an existing object that does not belong to the extension. It also prevents CREATE IF NOT EXISTS in the same situation. This prevents a form of trojan-horse attack in which a hostile database user could become the owner of an extension object and then modify it to compromise future uses of the object by other users. As a side benefit, it also reduces the risk of accidentally replacing objects one did not mean to.
The PostgreSQL Project thanks Sven Klemm for reporting this problem. (CVE-2022-2625)
Fix replay of CREATE DATABASE WAL records on standby servers (Kyotaro Horiguchi, Asim R Praveen, Paul Guo)
Standby servers may encounter missing tablespace directories when replaying database-creation WAL records. Prior to this patch, a standby would fail to recover in such a case; however, such directories could be legitimately missing. Create the tablespace (as a plain directory), then check that it has been dropped again once replay reaches a consistent state.
Support “in place” tablespaces (Thomas Munro, Michael Paquier, Álvaro Herrera)
Normally a Postgres tablespace is a symbolic link to a directory on some other filesystem. This change allows it to just be a plain directory. While this has no use for separating tables onto different filesystems, it is a convenient setup for testing. Moreover, it is necessary to support the CREATE DATABASE replay fix, which transiently creates a missing tablespace as an “in place” tablespace.
Fix permissions checks in CREATE INDEX (Nathan Bossart, Noah Misch)
The fix for CVE-2022-1552 caused CREATE INDEX to apply the table owner's permissions while performing lookups of operator classes and other objects, where formerly the calling user's permissions were used. This broke dump/restore scenarios, because pg_dump issues CREATE INDEX before re-granting permissions.
In extended query protocol, force an immediate commit after CREATE DATABASE and other commands that can't run in a transaction block (Tom Lane)
If the client does not send a Sync message immediately after such a command, but instead sends another command, any failure in that command would lead to rolling back the preceding command, typically leaving inconsistent state on-disk (such as a missing or extra database directory). The mechanisms intended to prevent that situation turn out to work for multiple commands in a simple-Query message, but not for a series of extended-protocol messages. To prevent inconsistency without breaking use-cases that work today, force an implicit commit after such commands.
Fix race condition when checking transaction visibility (Simon Riggs)
TransactionIdIsInProgress could report false before the subject transaction is considered visible, leading to various misbehaviors. The race condition window is normally very narrow, but use of synchronous replication makes it much wider, because the wait for a synchronous replica happens in that window.
Fix incorrect plans when sorting by an expression that contains a non-top-level set-returning function (Richard Guo, Tom Lane)
Fix incorrect permissions-checking code for extended statistics (Richard Guo)
If there are extended statistics on a table that the user has only partial SELECT permissions on, some queries would fail with “unrecognized node type” errors.
Fix extended statistics machinery to handle MCV-type statistics on boolean-valued expressions (Tom Lane)
Statistics collection worked fine, but a query containing such an expression in WHERE would fail with “unknown clause type”.
Avoid planner core dump with constant = ANY(array) clauses when there are MCV-type extended statistics on the array variable (Tom Lane)
Fix ALTER TABLE ... ENABLE/DISABLE TRIGGER to handle recursion correctly for triggers on partitioned tables (Álvaro Herrera, Amit Langote)
In certain cases, a “trigger does not exist” failure would occur because the command would try to adjust the trigger on a child partition that doesn't have it.
Allow cancellation of ANALYZE while it is computing extended statistics (Tom Lane, Justin Pryzby)
In some scenarios with high statistics targets, it was possible to spend many seconds in an un-cancellable sort operation.
Improve syntax error messages for type jsonpath (Andrew Dunstan)
Ensure that pg_stop_backup() cleans up session state properly (Fujii Masao)
This omission could lead to assertion failures or crashes later in the session.
Fix trim_array() to handle a zero-dimensional array argument sanely (Martin Kalcher)
Fix join alias matching in FOR [KEY] UPDATE/SHARE clauses (Dean Rasheed)
In corner cases, a misleading error could be reported.
Reject ROW() expressions and functions in FROM that have too many columns (Tom Lane)
Cases with more than about 1600 columns are unsupported, and have always failed at execution. However, it emerges that some earlier code could be driven to assertion failures or crashes by queries with more than 32K columns. Add a parse-time check to prevent that.
Fix dumping of a view using a function in FROM that returns a composite type, when column(s) of the composite type have been dropped since the view was made (Tom Lane)
This oversight could lead to dump/reload or pg_upgrade failures, as the dumped view would have too many column aliases for the function.
Disallow nested backup operations in logical replication walsenders (Fujii Masao)
Fix memory leak in logical replication subscribers (Hou Zhijie)
Fix logical replication's checking of replica identity when the target table is partitioned (Shi Yu, Hou Zhijie)
The replica identity columns have to be re-identified for the child partition.
Fix failures to update cached schema data in a logical replication subscriber after a schema change on the publisher (Shi Yu, Hou Zhijie)
Fix WAL consistency checking logic to correctly handle BRIN_EVACUATE_PAGE flags (Haiyang Wang)
Fix erroneous assertion checks in shared hashtable management (Thomas Munro)
Avoid assertion failure when min_dynamic_shared_memory is set to a non-default value (Thomas Munro)
Arrange to clean up after commit-time errors within SPI_commit(), rather than expecting callers to do that (Peter Eisentraut, Tom Lane)
Proper cleanup is complicated and requires use of low-level facilities, so it's not surprising that no known caller got it right. This led to misbehaviors when a PL procedure issued COMMIT but a failure occurred (such as a deferred constraint check). To improve matters, redefine SPI_commit() as starting a new transaction, so that it becomes equivalent to SPI_commit_and_chain() except that you get default transaction characteristics instead of preserving the prior transaction's characteristics. To make this somewhat transparent API-wise, redefine SPI_start_transaction() as a no-op. All known callers of SPI_commit() immediately call SPI_start_transaction(), so they will not notice any change. Similar remarks apply to SPI_rollback().
Also fix PL/Python, which omitted any handling of such errors at all, resulting in jumping out of the Python interpreter. This is reported to crash Python 3.11. Older Python releases leak some memory but seem okay with it otherwise.
Improve libpq's handling of idle states in pipeline mode (Álvaro Herrera, Kyotaro Horiguchi)
This fixes “message type 0x33 arrived from server while idle” warnings, as well as possible loss of end-of-query NULL results from PQgetResult().
Avoid core dump in ecpglib with unexpected orders of operations (Tom Lane)
Certain operations such as EXEC SQL PREPARE would crash (rather than reporting an error as expected) if called before establishing any database connection.
In ecpglib, avoid redundant newlocale() calls (Noah Misch)
Allocate a C locale object once per process when first connecting, rather than creating and freeing locale objects once per query. This mitigates a libc memory leak on AIX, and may offer some performance benefit everywhere.
In psql's watch command, echo a newline after cancellation with control-C (Pavel Stehule)
This prevents libedit (and possibly also libreadline) from becoming confused about which column the cursor is in.
Fix pg_upgrade to detect non-upgradable usages of functions taking anyarray (Justin Pryzby)
Version 14 changed some built-in functions to take type anycompatiblearray instead of anyarray. While this is mostly transparent, user-defined aggregates and operators built atop these functions have to be declared with exactly matching types. The presence of an object referencing the old signature will cause pg_upgrade to fail, so change it to detect and report such cases before beginning the upgrade.
Fix possible report of wrong error condition after clone() failure in pg_upgrade with --clone option (Justin Pryzby)
Fix contrib/pg_stat_statements to avoid problems with very large query-text files on 32-bit platforms (Tom Lane)
In contrib/postgres_fdw, prevent batch insertion when there are WITH CHECK OPTION constraints (Etsuro Fujita)
Such constraints cannot be checked properly if more than one row is inserted at a time.
Fix contrib/postgres_fdw to detect failure to send an asynchronous data fetch query (Fujii Masao)
Ensure that contrib/postgres_fdw sends constants of regconfig and other reg* types with proper schema qualification (Tom Lane)
Block signals while allocating dynamic shared memory on Linux (Thomas Munro)
This avoids problems when a signal interrupts posix_fallocate().
Detect unexpected EEXIST error from shm_open() (Thomas Munro)
This avoids a possible crash on Solaris.
Avoid using signalfd() on illumos systems (Thomas Munro)
This appears to trigger hangs and kernel panics, so avoid the function until a fix is available.

New in PostgreSQL 14.4 (Jun 17, 2022)

Prevent possible corruption of indexes created or rebuilt with the CONCURRENTLY option (Álvaro Herrera)
An optimization added in v14 caused CREATE INDEX ... CONCURRENTLY and REINDEX ... CONCURRENTLY to sometimes miss indexing rows that were updated during the index build. Revert that optimization. It is recommended that any indexes made with the CONCURRENTLY option be rebuilt after installing this update. (Alternatively, rebuild them without CONCURRENTLY.)
Harden Memoize plan node against non-deterministic equality functions (David Rowley)
Memoize could crash if a data type's equality or hash functions gave inconsistent results across different calls. Throw a runtime error instead.
Fix incorrect cost estimates for Memoize plans (David Rowley)
This mistake could lead to Memoize being used when it isn't really the best plan, or to very long executor startup times due to initializing an overly-large hash table for a Memoize node.
Fix queries in which a “whole-row variable” references the result of a function that returns a domain over composite type (Tom Lane)
Fix “variable not found in subplan target list” planner error when pulling up a sub-SELECT that's referenced in a GROUPING function (Richard Guo)
Prevent pg_stat_get_subscription() from possibly returning an extra row containing garbage values (Kuntal Ghosh)
Fix COPY FROM's error checking in the case where the database encoding is SQL_ASCII while the client's encoding is a multi-byte encoding (Heikki Linnakangas)
This mistake could lead to false complaints of invalidly-encoded input data.
Avoid crashing if too many column aliases are attached to an XMLTABLE or JSON_TABLE construct (Álvaro Herrera)
When decompiling a view or rule, show a SELECT output column's AS "?column?" alias clause if it could be referenced elsewhere (Tom Lane)
Previously, this auto-generated alias was always hidden; but there are corner cases where doing so results in a non-restorable view or rule definition.
Report implicitly-created operator families to event triggers (Masahiko Sawada)
If CREATE OPERATOR CLASS results in the implicit creation of an operator family, that object was not reported to event triggers that should capture such events.
Fix control file updates made when a restartpoint is running during promotion of a standby server (Kyotaro Horiguchi)
Previously, when the restartpoint completed it could incorrectly update the last-checkpoint fields of the control file, potentially leading to PANIC and failure to restart if the server crashes before the next normal checkpoint completes.
Prevent triggering of standby's wal_receiver_timeout during logical replication of large transactions (Wang Wei, Amit Kapila)
If a large transaction on the primary server sends no data to the standby (perhaps because no table it changes is published), it was possible for the standby to timeout. Fix that by ensuring we send keepalive messages periodically in such situations.
Prevent open-file leak when reading an invalid timezone abbreviation file (Kyotaro Horiguchi)
Such cases could result in harmless warning messages.
Allow custom server parameters to have short descriptions that are NULL (Steve Chavez)
Previously, although extensions could choose to create such settings, some code paths would crash while processing them.
Remove misguided SSL key file ownership check in libpq (Tom Lane)
In the previous minor releases, we copied the server's permission checking rules for SSL private key files into libpq. But we should not have also copied the server's file-ownership check. While that works in normal use-cases, it can result in an unexpected failure for clients running as root, and perhaps in other cases.
Ensure ecpg reports server connection loss sanely (Tom Lane)
Misprocessing of a libpq-generated error result, such as a report of lost connection, would lead to printing “(null)” instead of a useful error message; or in older releases it would lead to a crash.
Prevent crash after server connection loss in pg_amcheck (Tom Lane)
Misprocessing of a libpq-generated error result, such as a report of lost connection, would lead to a crash.
Adjust PL/Perl test case so it will work under Perl 5.36 (Dagfinn Ilmari Mannsåker)
Avoid incorrectly using an out-of-date libldap_r library when multiple OpenLDAP installations are present while building PostgreSQL (Tom Lane)

New in PostgreSQL 14.3 (May 13, 2022)

A dump/restore is not required for those running 14.X.
However, if you have any GiST indexes on columns of type ltree (supplied by the contrib/ltree extension), you should re-index them after updating. See the second changelog entry below.
Also, if you are upgrading from a version earlier than 14.2, see Section E.2.
Confine additional operations within “security restricted operation” sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW, and pg_amcheck activated the “security restricted operation” protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2022-1552)
Fix default signature length for gist_ltree_ops indexes (Tomas Vondra, Alexander Korotkov)
The default signature length (hash size) for GiST indexes on ltree columns was accidentally changed while upgrading that operator class to support operator class parameters. If any operations had been done on such an index without first upgrading the ltree extension to version 1.2, they were done assuming that the signature length was 28 bytes rather than the intended 8. This means it is very likely that such indexes are now corrupt. For safety we recommend re-indexing all GiST indexes on ltree columns after installing this update. (Note that GiST indexes on ltree[] columns, that is arrays of ltree, are not affected.)
Stop using query-provided column aliases for the columns of whole-row variables that refer to plain tables (Tom Lane)
The column names in tuples produced by a whole-row variable (such as tbl.* in contexts other than the top level of a SELECT list) are now always those of the associated named composite type, if there is one. We'd previously attempted to make them track any column aliases that had been applied to the FROM entry the variable refers to. But that's semantically dubious, because really then the output of the variable is not at all of the composite type it claims to be. Previous attempts to deal with that inconsistency had bad results up to and including storing unreadable data on disk, so just give up on the whole idea.
In cases where it's important to be able to relabel such columns, a workaround is to introduce an extra level of sub-SELECT, so that the whole-row variable is referring to the sub-SELECT's output and not to a plain table. Then the variable is of type record to begin with and there's no issue.
Fix incorrect roundoff when extracting epoch values from intervals (Peter Eisentraut)
The new numeric-based code for EXTRACT() failed to yield results equivalent to the old float-based code, as a result of accidentally truncating the DAYS_PER_YEAR value to an integer.
Defend against pg_stat_get_replication_slot(NULL) (Andres Freund)
This function should be marked strict in the catalog data, but it was not in v14, so add a run-time check instead.
Fix incorrect output for types timestamptz and timetz in table_to_xmlschema() and allied functions (Renan Soares Lopes)
The xmlschema output for these types included a malformed regular expression.
Avoid core dump in parser for a VALUES clause with zero columns (Tom Lane)
Fix planner failure when a Result plan node appears immediately underneath an Append node (Etsuro Fujita)
Recently-added code to support asynchronous remote queries failed to handle this case, leading to crashes or errors about unrecognized node types.
Fix planner failure if a query using SEARCH or CYCLE features contains a duplicate CTE name (Tom Lane, Kyotaro Horiguchi)
When the name of the recursive WITH query is re-used within itself, the planner could crash or report odd errors such as “could not find attribute 2 in subquery targetlist”.
Fix planner errors for GROUPING() constructs that reference outer query levels (Richard Guo, Tom Lane)
Fix plan generation for index-only scans on indexes with both returnable and non-returnable columns (Tom Lane)
The previous coding could try to read non-returnable columns in addition to the returnable ones. This was fairly harmless because it didn't actually do anything with the bogus values, but it fell foul of a recently-added error check that rejected such a plan.
Avoid accessing a no-longer-pinned shared buffer while attempting to lock an outdated tuple during EvalPlanQual (Tom Lane)
The code would touch the buffer a couple more times after releasing its pin. In theory another process could recycle the buffer (or more likely, try to defragment its free space) as soon as the pin is gone, probably leading to failure to find the newer version of the tuple.
Fix query-lifespan memory leak in an IndexScan node that is performing reordering (Aliaksandr Kalenik)
Fix ALTER FUNCTION to support changing a function's parallelism property and its SET-variable list in the same command (Tom Lane)
The parallelism property change was lost if the same command also updated the function's SET clause.
Tighten lookup of the index “owned by” a constraint (Tom Lane, Japin Li)
Some code paths mistook the index depended on by a foreign key constraint for one owned by a unique or primary key constraint, resulting in odd errors during certain ALTER TABLE operations on tables having foreign key constraints.
Fix bogus errors from attempts to alter system columns of tables (Tom Lane)
The system should just tell you that you can't do it, but sometimes it would report “no owned sequence found” instead.
Fix mis-sorting of table rows when CLUSTERing using an index whose leading key is an expression (Peter Geoghegan, Thomas Munro)
The table would be rebuilt with the correct data, but in an order having little to do with the index order.
Prevent data loss if a system crash occurs shortly after a sorted GiST index build (Heikki Linnakangas)
The code path for building GiST indexes using sorting neglected to fsync the file upon completion. This could result in a corrupted index if the operating system crashed shortly later.
Fix risk of deadlock failures while dropping a partitioned index (Jimmy Yih, Gaurab Dey, Tom Lane)
Ensure that the required table and index locks are taken in the standard order (parents before children, tables before indexes). The previous coding for DROP INDEX did it differently, and so could deadlock against concurrent queries taking these locks in the standard order.
Fix race condition between DROP TABLESPACE and checkpointing (Nathan Bossart)
The checkpoint forced by DROP TABLESPACE could sometimes fail to remove all dead files from the tablespace's directory, leading to a bogus “tablespace is not empty” error.
Fix possible trouble in crash recovery after a TRUNCATE command that overlaps a checkpoint (Kyotaro Horiguchi, Heikki Linnakangas, Robert Haas)
TRUNCATE must ensure that the table's disk file is truncated before the checkpoint is allowed to complete. Otherwise, replay starting from that checkpoint might find unexpected data in the supposedly-removed pages, possibly causing replay failure.
Fix unsafe toast-data accesses during temporary object cleanup (Andres Freund)
Temporary-object deletion during server process exit could fail with “FATAL: cannot fetch toast data without an active snapshot”. This was usually harmless since the next use of that temporary schema would clean up successfully.
Re-allow underscore as the first character in a custom parameter name (Japin Li)
Such names were unintentionally disallowed in v14.
Add regress option for the compute_query_id parameter (Michael Paquier)
This is intended to facilitate testing, by allowing query IDs to be computed but not shown in EXPLAIN output.
Improve wait logic in RegisterSyncRequest (Thomas Munro)
If we run out of space in the checkpointer sync request queue (which is hopefully rare on real systems, but is common when testing with a very small buffer pool), we wait for it to drain. While waiting, we should report that as a wait event so that users know what is going on, and also watch for postmaster death, since otherwise the loop might never terminate if the checkpointer has already exited.
Wake up for latch events when the checkpointer is waiting between writes (Thomas Munro)
This improves responsiveness to backends sending sync requests. The change also creates a proper wait event class for these waits.
Fix “PANIC: xlog flush request is not satisfied” failure during standby promotion when there is a missing WAL continuation record (Sami Imseih)
Fix possibility of self-deadlock in hot standby conflict handling (Andres Freund)
With unlucky timing, the WAL-applying process could get stuck while waiting for some other process to release a buffer lock.
Fix possible mis-identification of the correct ancestor relation to publish logical replication changes through (Tomas Vondra, Hou zj, Amit Kapila)
If publish_via_partition_root is enabled, and there are multiple publications naming different ancestors of the currently-modified relation, the wrong ancestor might be chosen for reporting the change.
Ensure that logical replication apply workers can be restarted even when we're up against the max_sync_workers_per_subscription limit (Amit Kapila)
Faulty coding of the limit check caused a restarted worker to exit immediately, leaving fewer workers than there should be.
Include unchanged replica identity key columns in the WAL log for an update, if they are stored out-of-line (Dilip Kumar, Amit Kapila)
Otherwise subscribers cannot see the values and will fail to replicate the update.
Cope correctly with platforms that have no support for altering the server process's display in ps(1) (Andrew Dunstan)
Few platforms are like this (the only supported one is Cygwin), so we'd managed not to notice that refactoring introduced a potential memory clobber.
Make the server more robust against missed timer interrupts (Michael Harris, Tom Lane)
An optimization added in v14 meant that if a server process somehow missed a timer interrupt, it would never again ask the kernel for another one, thus breaking timeout detection for the remainder of the session. This seems unduly fragile, so add a recovery path.
Disallow execution of SPI functions during PL/Perl function compilation (Tom Lane)
Perl can be convinced to execute user-defined code during compilation of a PL/Perl function. However, it's not okay for such code to try to invoke SQL operations via SPI. That results in a crash, and if it didn't crash it would be a security hazard, because we really don't want code execution during function validation. Put in a check to give a friendlier error message instead.
Make libpq accept root-owned SSL private key files (David Steele)
This change synchronizes libpq's rules for safe ownership and permissions of SSL key files with the rules the server has used since release 9.6. Namely, in addition to the current rules, allow the case where the key file is owned by root and has permissions rw-r----- or less. This is helpful for system-wide management of key files.
Fix behavior of libpq's PQisBusy() function after a connection failure (Tom Lane)
If we'd detected a write failure, PQisBusy() would always return true, which is the wrong thing: we want input processing to carry on normally until we've read whatever is available from the server. The practical effect of this error is that applications using libpq's async-query API would typically detect connection loss only when PQconsumeInput() returns a hard failure. With this fix, a connection loss will normally be reported via an error PGresult object, which is a much cleaner behavior for most applications.
Re-allow database.schema.table patterns in psql, pg_dump, and pg_amcheck (Mark Dilger)
Versions before v14 silently ignored all but the schema and table fragments of a pattern containing more than one dot. Refactoring in v14 accidentally broke that use-case. Reinstate it, but now complain if the first fragment is not the name of the current database.
Make pg_ctl recheck postmaster aliveness while waiting for stop/restart/promote actions (Tom Lane)
pg_ctl would verify that the postmaster is alive as a side-effect of sending the stop or promote signal, but then it just naively waited to see the on-disk state change. If the postmaster died uncleanly without having removed its PID file or updated the control file, pg_ctl would wait until timeout. Instead make it recheck every so often that the postmaster process is still there.
Fix error handling in pg_waldump (Kyotaro Horiguchi, Andres Freund)
While trying to read a WAL file to determine the WAL segment size, pg_waldump would report an incorrect error for the case of a too-short file. In addition, the file name reported in this and related error messages could be garbage.
Ensure that contrib/pageinspect functions cope with all-zero pages (Michael Paquier)
This is a legitimate edge case, but the module was mostly unprepared for it. Arrange to return nulls, or no rows, as appropriate; that seems more useful than raising an error.
In contrib/pageinspect, add defenses against incorrect page “special space” contents, tighten checks for correct page size, and add some missing checks that an index is of the expected type (Michael Paquier, Justin Pryzby, Julien Rouhaud)
These changes make it less likely that the module will crash on bad data.
In contrib/postgres_fdw, disable batch insertion when BEFORE INSERT ... FOR EACH ROW triggers exist on the foreign table (Etsuro Fujita)
Such a trigger might query the table it's on and expect to see previously-inserted rows. With batch insertion, those rows might not be visible yet, so disable the feature to avoid unexpected behavior.
In contrib/postgres_fdw, verify that ORDER BY clauses are safe to ship before requesting a remotely-ordered query, and include a USING clause if necessary (Ronan Dunklau)
This fix prevents situations where the remote server might sort in a different order than we intend. While sometimes that would be only cosmetic, it could produce thoroughly wrong results if the remote data is used as input for a locally-performed merge join.
Fix configure to handle platforms that have sys/epoll.h but not sys/signalfd.h (Tom Lane)
Update JIT code to work with LLVM 14 (Thomas Munro)
Clean up assorted failures under clang's -fsanitize=undefined checks (Tom Lane, Andres Freund, Zhihong Yu)
Most of these changes are just for pro-forma compliance with the letter of the C and POSIX standards, and are unlikely to have any effect on production builds.
Do not add OpenSSL dependencies to libpq's pkg-config file when building without OpenSSL (Fabrice Fontaine)
Fix PL/Perl so it builds on C compilers that don't support statements nested within expressions (Tom Lane)
Fix possible build failure of pg_dumpall on Windows, when not using MSVC to build (Andres Freund)
In Windows builds, use gendef instead of pexports to build DEF files (Andrew Dunstan)
This adapts the build process to work on recent MSys tool chains.
Prevent extra expansion of shell wildcard patterns in programs built under MinGW (Andrew Dunstan)
For some reason the C library provided by MinGW will expand shell wildcard characters in a program's command-line arguments by default. This is confusing, not least because it doesn't happen under MSVC, so turn it off.
Update time zone data files to tzdata release 2022a for DST law changes in Palestine, plus historical corrections for Chile and Ukraine.

New in PostgreSQL 14.2 (Feb 10, 2022)

Bug Fixes and Improvements:
This update fixes over 55 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 14. Some of these issues may also affect other supported versions of PostgreSQL.
Included in this release:
Fix for a low probability scenario of index corruption when a HOT (heap-only tuple) chain changes state during VACUUM. Encountering this issue is unlikely, but if you are concerned, please consider reindexing.
Fix for using REINDEX CONCURRENTLY on TOAST table indexes to prevent corruption. You can fix any TOAST indexes by reindexing them again.
The psql password command now defaults to setting the password for the role defined by CURRENT_USER. Additionally, the role name is now included in the password prompt.
Build extended statistics for partitioned tables. If you previously added extended statistics to a partitioned table, you should run ANALYZE on those tables. As autovacuum currently does not process partitioned tables, you must periodically run ANALYZE on any partitioned tables to update their statistics.
Fix crash with ALTER STATISTICS when the statistics object is dropped concurrently.
Fix crash with multiranges when extracting variable-length data types.
Several fixes to the query planner that lead to incorrect query results.
Several fixes for query plan memoization.
Fix startup of a physical replica to tolerate transaction ID wraparound.
When using logical replication, avoid duplicate transmission of a partitioned table's data when the publication includes both the child and parent tables.
Disallow altering data type of a partitioned table's columns when the partitioned table's row type is used as a composite type elsewhere.
Disallow ALTER TABLE ... DROP NOT NULL for a column that is part of a replica identity index.
Several fixes for caching that correct logical replication behavior and improve performance.
Fix memory leak when updating expression indexes.
Avoid leaking memory during REASSIGN OWNED BY operations that reassign ownership of many objects.
Fix display of whole-row variables appearing in INSERT ... VALUES rules.
Fix race condition that could lead to failure to localize error messages that are reported early in multi-threaded use of libpq or ecpglib.
Fix psql d command for identifying parent triggers.
Fix failures on Windows when using the terminal as data source or destination. This affected the psql copy command and using pg_recvlogical with -f -.
Fix the pg_dump --inserts and --column-inserts modes to handle tables that contain both generated and dropped columns.
Fix edge cases in how postgres_fdw handles asynchronous queries. These errors could lead to crashes or incorrect results when attempting to run parallel scans of foreign tables.

New in PostgreSQL 14.1 (Nov 15, 2021)

Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23222)
Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Álvaro Herrera)
If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.
When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.
Ensure that parallel VACUUM doesn't miss any indexes (Peter Geoghegan, Masahiko Sawada)
A parallel VACUUM would fail to process indexes that are below the min_parallel_index_scan_size cutoff, if the table also has at least two indexes that are above that size. This could result in those indexes becoming corrupt, since they'd still contain references to any heap entries removed by the VACUUM; subsequent queries using such indexes would be likely to return rows they shouldn't. This problem does not affect autovacuum, since it doesn't use parallel vacuuming. However, it is advisable to reindex any manually-vacuumed tables that have the right mix of index sizes.
Fix CREATE INDEX CONCURRENTLY to wait for the latest prepared transactions (Andrey Borodin)
Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for PREPARE TRANSACTION commands that were still in progress when CREATE INDEX CONCURRENTLY checked for them. As before, in installations that have enabled prepared transactions (max_prepared_transactions > 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin)
While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the CONCURRENTLY option. It is recommended to reindex any such indexes to make sure they are correct.
Fix REINDEX CONCURRENTLY to preserve operator class parameters that were attached to the target index (Michael Paquier)
Fix incorrect creation of shared dependencies when cloning a database that contains non-builtin objects (Aleksander Alekseev)
The effects of this error are probably limited in practice. In principle, it could allow a role to be dropped while it still owns objects; but most installations would never want to drop a role that had been used for objects they'd added to template1.
Ensure that the relation cache is invalidated for a table being attached to or detached from a partitioned table (Amit Langote, Álvaro Herrera)
This oversight could allow misbehavior of subsequent inserts/updates addressed directly to the partition, but only in currently-existing sessions.
Fix corruption of parse tree while creating a range type (Alex Kozhemyakin, Sergey Shinderuk)
CREATE TYPE incorrectly freed an element of the parse tree, which could cause problems for a later event trigger, or if the CREATE TYPE command was stored in the plan cache and used again later.
Fix updates of element fields in arrays of domain over composite (Tom Lane)
A command such as UPDATE tab SET fld[1].subfld = val failed if the array's elements were domains rather than plain composites.
Disallow the combination of FETCH FIRST WITH TIES and FOR UPDATE SKIP LOCKED (David Christensen)
FETCH FIRST WITH TIES necessarily fetches one more row than requested, since it cannot stop until it finds a row that is not a tie. In our current implementation, if FOR UPDATE is used then that row will also get locked even though it is not returned. That results in undesirable behavior if the SKIP LOCKED option is specified. It's difficult to change this without introducing a different set of undesirable behaviors, so for now, forbid the combination.
Disallow ALTER INDEX index ALTER COLUMN col SET (options) (Nathan Bossart, Michael Paquier)
While the parser accepted this, it's undocumented and doesn't actually work.
Fix corner-case loss of precision in numeric power() (Dean Rasheed)
The result could be inaccurate when the first argument is very close to 1.
Avoid choosing the wrong hash equality operator for Memoize plans (David Rowley)
This error could result in crashes or incorrect query results.
Fix planner error with pulling up subquery expressions into function rangetable entries (Tom Lane)
If a function in FROM laterally references the output of some sub-SELECT earlier in the FROM clause, and we are able to flatten that sub-SELECT into the outer query, the expression(s) copied into the function expression were not fully processed. This could lead to crashes at execution.
Avoid using MCV-only statistics to estimate the range of a column (Tom Lane)
There are corner cases in which ANALYZE will build a most-common-values (MCV) list but not a histogram, even though the MCV list does not account for all the observed values. In such cases, keep the planner from using the MCV list alone to estimate the range of column values.
Fix restoration of a Portal's snapshot inside a subtransaction (Bertrand Drouvot)
If a procedure commits or rolls back a transaction, and then its next significant action is inside a new subtransaction, snapshot management went wrong, leading to a dangling pointer and probable crash. A typical example in PL/pgSQL is a COMMIT immediately followed by a BEGIN ... EXCEPTION block that performs a query.
Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar)
This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.
Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov)
This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.
Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund)
There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.
Fix “could not find RecursiveUnion” error when EXPLAIN tries to print a filter condition attached to a WorkTableScan node (Tom Lane)
Ensure that the correct lock level is used when renaming a table (Nathan Bossart, Álvaro Herrera)
For historical reasons, ALTER INDEX ... RENAME can be applied to any sort of relation. The lock level required to rename an index is lower than that required to rename a table or other kind of relation, but the code got this wrong and would use the weaker lock level whenever the command is spelled ALTER INDEX.
Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Álvaro Herrera)
Prevent “snapshot reference leak” warning when lo_export() or a related function fails (Heikki Linnakangas)
Fix inefficient code generation for CoerceToDomain expression nodes (Ranier Vilela)
Avoid O(N^2) behavior in some list-manipulation operations (Nathan Bossart, Tom Lane)
These changes fix slow processing in several scenarios, including: when a standby replays a transaction that held many exclusive locks on the primary; when many files are due to be unlinked after a checkpoint; when hash aggregation involves many batches; and when pg_trgm extracts indexable conditions from a complex regular expression. Only the first of these scenarios has actually been reported from the field, but they all seem like plausible consequences of inefficient list deletions.
Add more defensive checks around B-tree posting list splits (Peter Geoghegan)
This change should help detect index corruption involving duplicate table TIDs.
Avoid assertion failure when inserting NaN into a BRIN float8 or float4 minmax_multi_ops index (Tomas Vondra)
In production builds, such cases would result in a somewhat inefficient, but not actually incorrect, index.
Allow the autovacuum launcher process to respond to pg_log_backend_memory_contexts() requests more quickly (Koyu Tanigawa)
Fix memory leak in HMAC hash calculations (Sergey Shinderuk)
Disallow setting huge_pages to on when shared_memory_type is sysv (Thomas Munro)
Previously, this setting was accepted, but it did nothing for lack of any implementation.
Fix checking of query type in PL/pgSQL's RETURN QUERY statement (Tom Lane)
RETURN QUERY should accept any query that can return tuples, e.g. UPDATE RETURNING. v14 accidentally disallowed anything but SELECT; moreover, the RETURN QUERY EXECUTE variant failed to apply any query-type check at all.
Fix pg_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada)
If a global (unrestricted) ALTER DEFAULT PRIVILEGES command revoked some present-by-default privilege, for example EXECUTE for functions, and then a restricted ALTER DEFAULT PRIVILEGES command granted that privilege again for a selected role or schema, pg_dump failed to dump the restricted privilege grant correctly.
Make pg_dump acquire shared lock on partitioned tables that are to be dumped (Tom Lane)
This oversight was usually pretty harmless, since once pg_dump has locked any of the leaf partitions, that would suffice to prevent significant DDL on the partitioned table itself. However problems could ensue when dumping a childless partitioned table, since no relevant lock would be held.
Fix crash in pg_dump when attempting to dump trigger definitions from a pre-8.3 server (Tom Lane)
Fix incorrect filename in pg_restore's error message about an invalid large object TOC file (Daniel Gustafsson)
Ensure that pgbench exits with non-zero status after a socket-level failure (Yugo Nagata, Fabien Coelho)
The desired behavior is to finish out the run but then exit with status 2. Also, fix the reporting of such errors.
Prevent pg_amcheck from checking temporary relations, as well as indexes that are invalid or not ready (Mark Dilger)
This avoids unhelpful checks of relations that will almost certainly appear inconsistent.
Make contrib/amcheck skip unlogged tables when running on a standby server (Mark Dilger)
It's appropriate to do this since such tables will be empty, and unlogged indexes were already handled similarly.
Change contrib/pg_stat_statements to read its “query texts” file in units of at most 1GB (Tom Lane)
Such large query text files are very unusual, but if they do occur, the previous coding would fail on Windows 64 (which rejects individual read requests of more than 2GB).
Fix null-pointer crash when contrib/postgres_fdw tries to report a data conversion error (Tom Lane)
Ensure that GetSharedSecurityLabel() can be used in a newly-started session that has not yet built its critical relation cache entries (Jeff Davis)
When running a TAP test, include the module's own directory in PATH (Andrew Dunstan)
This allows tests to find built programs that are not installed, such as custom test drivers.
Use the CLDR project's data to map Windows time zone names to IANA time zones (Tom Lane)
When running on Windows, initdb attempts to set the new cluster's timezone parameter to the IANA time zone matching the system's prevailing time zone. We were using a mapping table that we'd generated years ago and updated only fitfully; unsurprisingly, it contained a number of errors as well as omissions of recently-added zones. It turns out that CLDR has been tracking the most appropriate mappings, so start using their data. This change will not affect any existing installation, only newly-initialized clusters.
Update time zone data files to tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.
Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.

New in PostgreSQL 14.0 (Oct 1, 2021)

User-defined objects that reference certain built-in array functions along with their argument types must be recreated (Tom Lane)
Specifically, array_append(), array_prepend(), array_cat(), array_position(), array_positions(), array_remove(), array_replace(), and width_bucket() used to take anyarray arguments but now take anycompatiblearray. Therefore, user-defined objects like aggregates and operators that reference those array function signatures must be dropped before upgrading, and recreated once the upgrade completes.
Remove deprecated containment operators @ and ~ for built-in geometric data types and contrib modules cube, hstore, intarray, and seg (Justin Pryzby)
The more consistently named have been recommended for many years.
Fix to_tsquery() and websearch_to_tsquery() to properly parse query text containing discarded tokens (Alexander Korotkov)
Certain discarded tokens, like underscore, caused the output of these functions to produce incorrect tsquery output, e.g., both websearch_to_tsquery('"pg_class pg"') and to_tsquery('pg_class pg') used to output ( 'pg' & 'class' ) 'pg', but now both output 'pg' 'class' 'pg'.
Fix websearch_to_tsquery() to properly parse multiple adjacent discarded tokens in quotes (Alexander Korotkov)
Previously, quoted text that contained multiple adjacent discarded tokens was treated as multiple tokens, causing incorrect tsquery output, e.g., websearch_to_tsquery('"aaa: bbb"') used to output 'aaa' 'bbb', but now outputs 'aaa' 'bbb'.
Change EXTRACT() to return type numeric instead of float8 (Peter Eisentraut)
This avoids loss-of-precision issues in some usages. The old behavior can still be obtained by using the old underlying function date_part().
Also, EXTRACT(date) now throws an error for units that are not part of the date data type.
Change var_samp() and stddev_samp() with numeric parameters to return NULL when the input is a single NaN value (Tom Lane)
Previously NaN was returned.
Return false for has_column_privilege() checks on non-existent or dropped columns when using attribute numbers (Joe Conway)
Previously such attribute numbers returned an invalid-column error.
Fix handling of infinite window function ranges (Tom Lane)
Previously window frame clauses like 'inf' PRECEDING AND 'inf' FOLLOWING returned incorrect results.
Remove factorial operators ! and !!, as well as function numeric_fac() (Mark Dilger)
The factorial() function is still supported.
Disallow factorial() of negative numbers (Peter Eisentraut)
Previously such cases returned 1.
Remove support for postfix (right-unary) operators (Mark Dilger)
pg_dump and pg_upgrade will warn if postfix operators are being dumped.
Allow D and W shorthands to match newlines in regular expression newline-sensitive mode (Tom Lane)
Previously they did not match newlines in this mode, but that disagrees with the behavior of other common regular expression engines. [^[:digit:]] or [^[:word:]] can be used to get the old behavior.
Disregard constraints when matching regular expression back-references (Tom Lane)
For example, in (^d+).*1, the ^ constraint should be applied at the start of the string, but not when matching 1.
Disallow w as a range start or end in regular expression character classes (Tom Lane)
This previously was allowed but produced unexpected results.
Require custom server parameter names to use only characters that are valid in unquoted SQL identifiers (Tom Lane)
Change the default of the password_encryption server parameter to scram-sha-256 (Peter Eisentraut)
Previously it was md5. All new passwords will be stored as SHA256 unless this server setting is changed or the password is specified in MD5 format. Also, the legacy (and undocumented) Boolean-like values which were previously synonyms for md5 are no longer accepted.
Remove server parameter vacuum_cleanup_index_scale_factor (Peter Geoghegan)
This setting was ignored starting in PostgreSQL version 13.3.
Remove server parameter operator_precedence_warning (Tom Lane)
This setting was used for warning applications about PostgreSQL 9.5 changes.
Overhaul the specification of clientcert in pg_hba.conf (Kyotaro Horiguchi)
Values 1/0/no-verify are no longer supported; only the strings verify-ca and verify-full can be used. Also, disallow verify-ca if cert authentication is enabled since cert requires verify-full checking.
Remove support for SSL compression (Daniel Gustafsson, Michael Paquier)
This was already disabled by default in previous PostgreSQL releases, and most modern OpenSSL and TLS versions no longer support it.
Remove server and libpq support for the version 2 wire protocol (Heikki Linnakangas)
This was last used as the default in PostgreSQL 7.3 (released in 2002).
Disallow single-quoting of the language name in the CREATE/DROP LANGUAGE command (Peter Eisentraut)
Remove the composite types that were formerly created for sequences and toast tables (Tom Lane)
Process doubled quote marks in ecpg SQL command strings correctly (Tom Lane)
Previously 'abc''def' was passed to the server as 'abc'def', and "abc""def" was passed as "abc"def", causing syntax errors.
Prevent the containment operators () for intarray from using GiST indexes (Tom Lane)
Previously a full GiST index scan was required, so just avoid that and scan the heap, which is faster. Indexes created for this purpose should be removed.
Remove contrib program pg_standby (Justin Pryzby)
Prevent tablefunc's function normal_rand() from accepting negative values (Ashutosh Bapat)
Negative values produced undesirable results.

New in PostgreSQL 13.4 (Aug 15, 2021)

Fix mis-planning of repeated application of a projection step (Tom Lane)
The planner could create an incorrect plan in cases where two ProjectionPaths were stacked on top of each other. The only known way to trigger that situation involves parallel sort operations, but there may be other instances. The result would be crashes or incorrect query results. Disclosure of server memory contents is also possible. (CVE-2021-3677)
Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issue CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.
Restore the Portal-level snapshot after COMMIT or ROLLBACK within a procedure (Tom Lane)
This change fixes cases where an attempt to fetch a toasted value immediately after COMMIT/ROLLBACK would fail with errors like “no known snapshots” or “missing chunk number 0 for toast value”.
Some extensions may attempt to execute SQL code outside of any Portal. They are responsible for ensuring that an outer snapshot exists before doing so. Previously, not providing a snapshot might work or it might not; now it will consistently fail with “cannot execute SQL without an outer snapshot or portal”.
Avoid misbehavior when persisting the output of a cursor that's reading a non-stable query (Tom Lane)
Previously, we'd always rewind and re-read the whole query result, possibly getting results different from the earlier execution, causing great confusion later. For a NO SCROLL cursor, we can fix this by only storing the not-yet-read portion of the query output, which is sufficient since a NO SCROLL cursor can't be backed up. Cursors with the SCROLL option remain at hazard, but that was already documented to be an unsafe option to use with a non-stable query. Make those documentation warnings stronger.
Also force NO SCROLL mode for the implicit cursor used by a PL/pgSQL FOR-over-query loop, to avoid this type of problem when persisting such a cursor during an intra-procedure commit.
Reject SELECT ... GROUP BY GROUPING SETS (()) FOR UPDATE (Tom Lane)
This should be disallowed, just as FOR UPDATE with a plain GROUP BY is disallowed, but the test for that failed to handle empty grouping sets correctly. The end result would be a null-pointer dereference in the executor.
Reject cases where a query in WITH rewrites to just NOTIFY (Tom Lane)
Such cases previously crashed.
In numeric multiplication, round the result rather than failing if it would have more than 16383 digits after the decimal point (Dean Rasheed)
Fix corner-case errors and loss of precision when raising numeric values to very large powers (Dean Rasheed)
Fix division-by-zero failure in to_char() with EEEE format and a numeric input value less than 10^(-1001) (Dean Rasheed)
Fix pg_size_pretty(bigint) to round negative values consistently with the way it rounds positive ones (and consistently with the numeric version) (Dean Rasheed, David Rowley)
Make pg_filenode_relation(0, 0) return NULL rather than failing (Justin Pryzby)
Make ALTER EXTENSION lock the extension when adding or removing a member object (Tom Lane)
The previous coding allowed ALTER EXTENSION ADD/DROP to occur concurrently with DROP EXTENSION, leading to a crash or corrupt catalog entries.
Fix ALTER SUBSCRIPTION to reject an empty slot name (Japin Li)
When cloning a partitioned table's triggers to a new partition, ensure that their enabled status is copied (Álvaro Herrera)
Avoid alias conflicts in queries generated for REFRESH MATERIALIZED VIEW CONCURRENTLY (Tom Lane, Bharath Rupireddy)
This command failed on materialized views containing columns with certain names, notably mv and newdata.
Fix PREPARE TRANSACTION to check correctly for conflicting session-lifespan and transaction-lifespan locks (Tom Lane)
A transaction cannot be prepared if it has both session-lifespan and transaction-lifespan locks on the same advisory-lock ID value. This restriction was not fully checked, which could lead to a PANIC during PREPARE TRANSACTION.
Fix misbehavior of DROP OWNED BY when the target role is listed more than once in an RLS policy (Tom Lane)
Skip unnecessary error tests when removing a role from an RLS policy during DROP OWNED BY (Tom Lane)
Notably, this fixes some cases where it was necessary to be a superuser to use DROP OWNED BY.
Re-allow old-style Windows locale names in CREATE COLLATION commands (Thomas Munro)
Previously we were failing because the operating system can't provide version information for such locales. At some point we may decide to require version information, but no such policy exists yet, so re-allow the case for now.
Disallow whole-row variables in GENERATED expressions (Tom Lane)
Use of a whole-row variable clearly violates the rule that a generated column cannot depend on itself, so such cases have no well-defined behavior. The actual behavior frequently included a crash.
Fix usage of tableoid in GENERATED expressions (Tom Lane)
Some code paths failed to provide a valid value for this system column while evaluating a GENERATED expression.
Don't store a “fast default” when adding a column to a foreign table (Andrew Dunstan)
The fast default is useless since no local heap storage exists for such a table, but it confused subsequent operations. In addition to suppressing creation of such catalog entries in ALTER TABLE commands, adjust the downstream code to cope when one is incorrectly present.
Allow index state flags to be updated transactionally (Michael Paquier, Andrey Lepikhov)
This avoids failures when dealing with index predicates that aren't really immutable. While that's not considered a supported case, the original reason for using a non-transactional update here is long gone, so we may as well change it.
Avoid corrupting the plan cache entry when CREATE DOMAIN or ALTER DOMAIN appears in a cached plan (Tom Lane)
Make walsenders show their latest replication commands in pg_stat_activity (Tom Lane)
Previously, a walsender would show its latest SQL command, which was confusing if it's now doing some replication operation instead. Now we show replication-protocol commands on the same footing as SQL commands.
Make pg_settings.pending_restart show as true when the pertinent entry in postgresql.conf has been removed (Álvaro Herrera)
pending_restart correctly showed the case where an entry that cannot be changed without a postmaster restart has been modified, but not where the entry had been removed altogether.
On 64-bit Windows, allow the effective value of work_mem times hash_mem_multiplier to exceed 2GB (Tom Lane)
This allows hash_mem_multiplier to be used for its intended purpose of preventing large hash aggregations from spilling to disk, even when “large” means multiple gigabytes.
Fix mis-planning of queries involving regular tables that are inheritance children of foreign tables (Amit Langote)
SELECT FOR UPDATE and related commands would fail with assertion failures or “could not find junk column” errors in such cases.
Fix pullup of constant function-in-FROM results when the FROM item is marked LATERAL (Tom Lane)
Fix corner-case failure of a new standby to follow a new primary (Dilip Kumar, Robert Haas)
Under a narrow combination of conditions, the standby could wind up trying to follow the wrong WAL timeline.
Update minimum recovery point when WAL replay of a transaction abort record causes file truncation (Fujii Masao)
File truncation is irreversible, so it's no longer safe to stop recovery at a point earlier than that record. The corresponding case for transaction commit was fixed years ago, but this one was overlooked.
Advance oldest-required-WAL-segment horizon properly after a replication slot is invalidated (Kyotaro Horiguchi)
If all slots were invalidated, the horizon would not move again, eventually allowing the server's WAL storage to run out of space.
In walreceivers, avoid attempting catalog lookups after an error (Masahiko Sawada, Bharath Rupireddy)
Ensure that a standby server's startup process will respond to a shutdown signal promptly while waiting for WAL to arrive (Fujii Masao, Soumyadeep Chakraborty)
Correctly clear shared state after failing to become a member of a transaction commit group (Amit Kapila)
Given the right timing, this could cause an assertion failure when some later session re-uses the same PGPROC object.
Add locking to avoid reading incorrect relmapper data in the face of a concurrent write from another process (Heikki Linnakangas)
Improve progress reporting for the sort phase of a parallel btree index build (Matthias van de Meent)
Improve checks for violations of replication protocol (Tom Lane)
Logical replication workers frequently used Asserts to check for cases that could be triggered by invalid or out-of-order replication commands. This seems unwise, so promote these tests to regular error checks.
Fix assorted crash cases in logical replication of partitioned-table updates (Amit Langote, Tom Lane)
Fix potential crash when firing AFTER triggers of partitioned tables in logical replication workers (Tom Lane)
Fix deadlock when multiple logical replication workers try to truncate the same table (Peter Smith, Haiying Tang)
Fix error cases and memory leaks in logical decoding of speculative insertions (Dilip Kumar)
Fix memory leak in logical replication output (Amit Langote)
Avoid leaving an invalid record-type hash table entry behind after an error (Sait Talha Nisanci)
This could lead to later crashes or memory leakage.
Fix plan cache reference leaks in some error cases in CREATE TABLE ... AS EXECUTE (Tom Lane)
Fix race condition in code for sharing tuple descriptors across parallel workers (Thomas Munro)
Given the right timing, a crash could result.
Fix race condition when invalidating an obsolete replication slot concurrently with an attempt to drop or update it (Andres Freund, Álvaro Herrera)
Fix possible race condition when releasing BackgroundWorkerSlots (Tom Lane)
It's likely that this doesn't fix any observable bug on Intel hardware, but machines with weaker memory ordering rules could have problems.
Fix latent crash in sorting code (Ronan Dunklau)
One code path could attempt to free a null pointer. The case appears unreachable in the core server's use of sorting, but perhaps it could be triggered by extensions.
Harden B-tree posting list split code against corrupt data (Peter Geoghegan)
Throw an error, rather than crashing, for an attempt to insert an item with a TID identical to an existing entry. While that shouldn't ever happen, it has been reported to happen when the index is inconsistent with its table.
Prevent infinite loops in SP-GiST index insertion (Tom Lane)
In the event that INCLUDE columns take up enough space to prevent a leaf index tuple from ever fitting on a page, the text_ops operator class would get into an infinite loop vainly trying to make the tuple fit. While pre-v11 versions don't have INCLUDE columns, back-patch this anti-looping fix to them anyway, as it seems like a good defense against bugs in operator classes.
Ensure that SP-GiST index insertion can be terminated by a query cancel request (Tom Lane, Álvaro Herrera)
Fix uninitialized-variable bug that could cause PL/pgSQL to act as though an INTO clause specified STRICT, even though it didn't (Tom Lane)
Don't abort the process for an out-of-memory failure in libpq's printing functions (Tom Lane)
In ecpg, allow the numeric value INT_MIN (usually -2147483648) to be converted to integer (John Naylor)
In psql and other client programs, avoid overrunning the ends of strings when dealing with invalidly-encoded data (Tom Lane)
An incorrectly-encoded multibyte character near the end of a string could cause various processing loops to run past the string's terminating NUL, with results ranging from no detectable issue to a program crash, depending on what happens to be in the following memory. This is reminiscent of CVE-2006-2313, although these particular cases do not appear to have interesting security consequences.
Fix pg_dump to correctly handle triggers on partitioned tables whose enabled status is different from their parent triggers' status (Justin Pryzby, Álvaro Herrera)
Avoid “invalid creation date in header” warnings observed when running pg_restore on an archive file created in a different time zone (Tom Lane)
Make pg_upgrade carry forward the old installation's oldestXID value (Bertrand Drouvot)
Previously, the new installation's oldestXID was set to a value old enough to (usually) force immediate anti-wraparound autovacuuming. That's not desirable from a performance standpoint; what's worse, installations using large values of autovacuum_freeze_max_age could suffer unwanted forced shutdowns soon after an upgrade.
Extend pg_upgrade to detect and warn about extensions that should be upgraded (Bruce Momjian)
A script file is now produced containing the ALTER EXTENSION UPDATE commands needed to bring extensions up to the versions that are considered default in the new installation.
Avoid problems when switching pg_receivewal between compressed and non-compressed WAL storage (Michael Paquier)
Fix contrib/postgres_fdw to work usefully with generated columns (Etsuro Fujita)
postgres_fdw will now behave reasonably with generated columns, so long as a generated column in a foreign table represents a generated column in the remote table. IMPORT FOREIGN SCHEMA will now import generated columns that way by default.
In contrib/postgres_fdw, avoid attempting catalog lookups after an error (Tom Lane)
While this usually worked, it's not very safe since the error might have been one that made catalog access nonfunctional. A side effect of the fix is that messages about data conversion errors will now mention the query's table and column aliases (if used) rather than the true underlying name of a foreign table or column.
Improve the isolation-test infrastructure (Tom Lane, Michael Paquier)
Allow isolation test steps to be annotated to show the expected completion order. This allows getting stable results from otherwise-racy test cases, without the long delays that we previously used (not entirely successfully) to fend off race conditions. Allow non-quoted identifiers as isolation test session/step names (formerly, all such names had to be double-quoted). Detect and warn about unused steps in isolation tests. Improve display of query results in isolation tests. Remove isolationtester's “dry-run” mode. Remove memory leaks in isolationtester itself.
Reduce overhead of cache-clobber testing (Tom Lane)
Fix PL/Python's regression tests to pass with Python 3.10 (Honza Horak)
Make printf("%s", NULL) print (null) instead of crashing (Tom Lane)
This should improve server robustness in corner cases, and it syncs our printf implementation with common libraries.
Fix incorrect log message when point-in-time recovery stops at a ROLLBACK PREPARED record (Simon Riggs)
Improve ALTER TABLE's messages for wrong-relation-kind errors (Kyotaro Horiguchi)
Clarify error messages referring to “non-negative” values (Bharath Rupireddy)
Fix configure to work with OpenLDAP 2.5, which no longer has a separate libldap_r library (Adrian Ho, Tom Lane)
If there is no libldap_r library, we now silently assume that libldap is thread-safe.
Add new make targets world-bin and install-world-bin (Andrew Dunstan)
These are the same as world and install-world respectively, except that they do not build or install the documentation.
Fix make rule for TAP tests (prove_installcheck) to work in PGXS usage (Andrew Dunstan)
Adjust JIT code to prepare for forthcoming LLVM API change (Thomas Munro, Andres Freund)
LLVM 13 has made an incompatible API change that will cause crashing of our previous JIT compiler.
Avoid assuming that strings returned by GSSAPI libraries are null-terminated (Tom Lane)
The GSSAPI spec provides for a string pointer and length. It seems that in practice the next byte after the string is usually zero, so that our previous coding didn't actually fail; but we do have a report of AddressSanitizer complaints.
Enable building with GSSAPI on MSVC (Michael Paquier)
Fix various incompatibilities with modern Kerberos builds.
In MSVC builds, include --with-pgport in the set of configure options reported by pg_config, if it had been specified (Andrew Dunstan)

New in PostgreSQL 13.1 (Nov 14, 2020)

Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers within index expressions and materialized view queries (Noah Misch)
This is essentially a leak in the “security restricted operation” sandbox mechanism. An attacker having permission to create non-temporary SQL objects could parlay this leak to execute arbitrary SQL code as a superuser.
The PostgreSQL Project thanks Etienne Stalmans for reporting this problem. (CVE-2020-25695)
Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb (Tom Lane)
The -d parameter of pg_dump and pg_restore, or the --maintenance-db parameter of the other programs mentioned, can be a “connection string” containing multiple connection parameters rather than just a database name. In cases where these programs need to initiate additional connections, such as parallel processing or processing of multiple databases, the connection string was forgotten and just the basic connection parameters (database name, host, port, and username) were used for the additional connections. This could lead to connection failures if the connection string included any other essential information, such as non-default SSL or GSS parameters. Worse, the connection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. (CVE-2020-25694)
When psql's connect command re-uses connection parameters, ensure that all non-overridden parameters from a previous connection string are re-used (Tom Lane)
This avoids cases where reconnection might fail due to omission of relevant parameters, such as non-default SSL or GSS options. Worse, the reconnection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. This is largely the same problem as just cited for pg_dump et al, although psql's behavior is more complex since the user may intentionally override some connection parameters. (CVE-2020-25694)
Prevent psql's gset command from modifying specially-treated variables (Noah Misch)
gset without a prefix would overwrite whatever variables the server told it to. Thus, a compromised server could set specially-treated variables such as PROMPT1, giving the ability to execute arbitrary shell code in the user's session.
The PostgreSQL Project thanks Nick Cleaton for reporting this problem. (CVE-2020-25696)
Fix unintended breakage of the replication protocol (Álvaro Herrera)
A walsender reports two command-completion events for START_REPLICATION. This was undocumented and apparently unintentional; so we failed to notice that a late 13.0 change removed the duplicate event. However it turns out that walreceivers require the extra event in some code paths. The most practical fix is to decree that the extra event is part of the protocol and resume generating it.
Ensure that SLRU directories are properly fsync'd during checkpoints (Thomas Munro)
This prevents possible data loss in a subsequent operating system crash.
Fix ALTER ROLE for users with the BYPASSRLS attribute (Tom Lane, Stephen Frost)
The BYPASSRLS attribute is only allowed to be changed by superusers, but other ALTER ROLE operations, such as password changes, should be allowed with only ordinary permission checks. The previous coding erroneously restricted all changes on such a role to superusers.
Disallow ALTER TABLE ONLY ... DROP EXPRESSION when there are child tables (Peter Eisentraut)
The current implementation cannot handle this case correctly, so just forbid it for now.
Ensure that ALTER TABLE ONLY ... ENABLE/DISABLE TRIGGER does not recurse to child tables (Álvaro Herrera)
Previously the ONLY flag was ignored.
Allow LOCK TABLE to succeed on a self-referential view (Tom Lane)
It previously threw an error complaining about infinite recursion, but there seems no need to disallow the case.
Retain statistics about an index across REINDEX CONCURRENTLY (Michael Paquier, Fabrízio de Royes Mello)
Non-concurrent reindexing has always preserved such statistics.
Fix incorrect progress reporting from REINDEX CONCURRENTLY (Matthias van de Meent, Michael Paquier)
Ensure that GENERATED columns are updated when the column(s) they depend on are updated via a rule or an updatable view (Tom Lane)
This fix also takes care of possible failure to fire a column-specific trigger in such cases.
Fix failures with collation-dependent partition bound expressions (Tom Lane)
Support hashing of text arrays (Peter Eisentraut)
Array hashing failed if the array element type is collatable. Notably, this prevented using hash partitioning with a text array column as partition key.
Prevent internal overflows in cross-type datetime comparisons (Nikita Glukhov, Alexander Korotkov, Tom Lane)
Previously, comparing a date to a timestamp would fail if the date is past the valid range for timestamps. There were also corner cases involving overflow of close-to-the-limit timestamp values during timezone rotation.
Fix off-by-one conversion of negative years to BC dates in to_date() and to_timestamp() (Dar Alathar-Yemen, Tom Lane)
Also, arrange for the combination of a negative year and an explicit “BC” marker to cancel out and produce AD.
Allow the jsonpath .datetime() method to accept ISO 8601-format timestamps (Nikita Glukhov)
This is not required by SQL, but it seems appropriate since our to_json() functions generate that timestamp format for Javascript compatibility.
Ensure that standby servers will archive WAL timeline history files when archive_mode is set to always (Grigory Smolkin, Fujii Masao)
This oversight could lead to failure of subsequent PITR recovery attempts.
Fix edge cases in detecting premature death of the postmaster on platforms that use kqueue() (Thomas Munro)
Avoid generating an incorrect incremental-sort plan when the sort key is a volatile expression (James Coleman)
Fix possible crash when considering partition-wise joins during GEQO planning (Tom Lane)
Fix possible infinite loop or corrupted output data in TOAST decompression (Tom Lane)
Fix counting of the number of entries in B-tree indexes during cleanup-only VACUUMs (Peter Geoghegan)
Ensure that data is detoasted before being inserted into a BRIN index (Tomas Vondra)
Index entries are not supposed to contain out-of-line TOAST pointers, but BRIN didn't get that memo. This could lead to errors like “missing chunk number 0 for toast value NNN”. (If you are faced with such an error from an existing index, REINDEX should be enough to fix it.)
Fix buffered GiST index builds to work when the index has included columns (Pavel Borisov)
Fix unportable use of getnameinfo() in pg_hba_file_rules view (Tom Lane)
On FreeBSD 11, and possibly other platforms, the view's address and netmask columns were always null due to this error.
Avoid crash if debug_query_string is NULL when starting a parallel worker (Noah Misch)
Avoid failures when a BEFORE ROW UPDATE trigger returns the “old” row of a table having dropped or “missing” columns (Amit Langote, Tom Lane)
This method of suppressing an update could result in crashes, unexpected CHECK constraint failures, or incorrect RETURNING output, because “missing” columns would read as NULLs for those purposes. (A column is “missing” for this purpose if it was added by ALTER TABLE ADD COLUMN with a non-NULL, but constant, default value.) Dropped columns could cause trouble as well.
Fix EXPLAIN's output for incremental sort plans to have correct tag nesting in XML output mode (Daniel Gustafsson)
Avoid unnecessary failure when transferring very large payloads through shared memory queues (Markus Wanner)
Fix omission of result data type coercion in some cases in SQL-language functions (Tom Lane)
This could lead to wrong results or crashes, depending on the data types involved.
Fix incorrect handling of template function attributes in JIT code generation (Andres Freund)
This has been shown to cause crashes on s390x, and very possibly there are other cases on other platforms.
Improve code generated for compare_exchange and fetch_add operations on PPC (Noah Misch)
Fix relation cache memory leaks with RLS policies (Tom Lane)
Fix edge-case memory leak in index_get_partition() (Justin Pryzby)
Fix small memory leak when SIGHUP processing decides that a new GUC variable value cannot be applied without a restart (Tom Lane)
Fix memory leaks in PL/pgsql's CALL processing (Pavel Stehule, Tom Lane)
In libpq for Windows, call WSAStartup() once per process and WSACleanup() not at all (Tom Lane, Alexander Lakhin)
Previously, libpq invoked WSAStartup() at connection start and WSACleanup() at connection cleanup. However, it appears that calling WSACleanup() can interfere with other program operations; notably, we have observed rare failures to emit expected output to stdout. There appear to be no ill effects from omitting the call, so do that. (This also eliminates a performance issue from repeated DLL loads and unloads when a program performs a series of database connections.)
Fix ecpg library's per-thread initialization logic for Windows (Tom Lane, Alexander Lakhin)
Multi-threaded ecpg applications could suffer rare misbehavior due to incorrect locking.
Fix ecpg's mis-processing of B'...' and X'...' literals (Shenhao Wang)
On Windows, make psql read the output of a backtick command in text mode, not binary mode (Tom Lane)
This ensures proper handling of newlines.
Ensure that pg_dump collects per-column information about extension configuration tables (Fabrízio de Royes Mello, Tom Lane)
Failure to do this led to crashes when specifying --inserts, or underspecified (though usually correct) COPY commands when using COPY to reload the tables' data.
Make pg_upgrade check for pre-existence of tablespace directories in the target cluster (Bruce Momjian)
Fix potential memory leak in contrib/pgcrypto (Michael Paquier)
Add check for an unlikely failure case in contrib/pgcrypto (Daniel Gustafsson)
Fix recently-added timetz test case so it works when the USA is not observing daylight savings time (Tom Lane)
Update time zone data files to tzdata release 2020d for DST law changes in Fiji, Morocco, Palestine, the Canadian Yukon, Macquarie Island, and Casey Station (Antarctica); plus historical corrections for France, Hungary, Monaco, and Palestine.
Sync our copy of the timezone library with IANA tzcode release 2020d (Tom Lane)
This absorbs upstream's change of zic's default output option from “fat” to “slim”. That's just cosmetic for our purposes, as we continue to select the “fat” mode in pre-v13 branches. This change also ensures that strftime() does not change errno unless it fails.

New in PostgreSQL 13.0 (Sep 25, 2020)

New in PostgreSQL 11.4 (Jun 20, 2019)

Fix buffer-overflow hazards in SCRAM verifier parsing (Jonathan Katz, Heikki Linnakangas, Michael Paquier)
Any authenticated user could cause a stack-based buffer overflow by changing their own password to a purpose-crafted value. In addition to the ability to crash the PostgreSQL server, this could suffice for executing arbitrary code as the PostgreSQL operating system account.
A similar overflow hazard existed in libpq, which could allow a rogue server to crash a client or perhaps execute arbitrary code as the client's operating system account.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2019-10164)
Fix assorted errors in run-time partition pruning logic (Tom Lane, Amit Langote, David Rowley)
These mistakes could lead to wrong answers in queries on partitioned tables, if the comparison value used for pruning is dynamically determined, or if multiple range-partitioned columns are involved in pruning decisions, or if stable (not immutable) comparison operators are involved.
Fix possible crash while trying to copy trigger definitions to a new partition (Tom Lane)
Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when the table has a partial exclusion constraint (Tom Lane)
Fix failure of COMMENT command for comments on domain constraints (Daniel Gustafsson, Michael Paquier)
Prevent possible memory clobber when there are duplicate columns in a hash aggregate's hash key list (Andrew Gierth)
Fix incorrect argument null-ness checking during partial aggregation of aggregates with zero or multiple arguments (David Rowley, Kyotaro Horiguchi, Andres Freund)
Fix faulty generation of merge-append plans (Tom Lane)
This mistake could lead to “could not find pathkey item to sort” errors.
Fix incorrect printing of queries with duplicate join names (Philip Dubé)
This oversight caused a dump/restore failure for views containing such queries.
Fix conversion of JSON string literals to JSON-type output columns in json_to_record() and json_populate_record() (Tom Lane)
Such cases should produce the literal as a standalone JSON value, but the code misbehaved if the literal contained any characters requiring escaping.
Fix misoptimization of {1,1} quantifiers in regular expressions (Tom Lane)
Such quantifiers were treated as no-ops and optimized away; but the documentation specifies that they impose greediness, or non-greediness in the case of the non-greedy variant {1,1}?, on the subexpression they're attached to, and this did not happen. The misbehavior occurred only if the subexpression contained capturing parentheses or a back-reference.
Avoid writing an invalid empty btree index page in the unlikely case that a failure occurs while processing INCLUDEd columns during a page split (Peter Geoghegan)
The invalid page would not affect normal index operations, but it might cause failures in subsequent VACUUMs. If that has happened to one of your indexes, recover by reindexing the index.
Avoid possible failures while initializing a new process's pg_stat_activity data (Tom Lane)
Certain operations that could fail, such as converting strings extracted from an SSL certificate into the database encoding, were being performed inside a critical section. Failure there would result in database-wide lockup due to violating the access protocol for shared pg_stat_activity data.
Fix race condition in check to see whether a pre-existing shared memory segment is still in use by a conflicting postmaster (Tom Lane)
Fix unsafe coding in walreceiver's signal handler (Tom Lane)
This avoids rare problems in which the walreceiver process would crash or deadlock when commanded to shut down.
Avoid attempting to do database accesses for parameter checking in processes that are not connected to a specific database (Vignesh C, Andres Freund)
This error could result in failures like “cannot read pg_class without having selected a database”.
Avoid possible hang in libpq if using SSL and OpenSSL's pending-data buffer contains an exact multiple of 256 bytes (David Binderman)
Improve initdb's handling of multiple equivalent names for the system time zone (Tom Lane, Andrew Gierth)
Make initdb examine the /etc/localtime symbolic link, if that exists, to break ties between equivalent names for the system time zone. This makes initdb more likely to select the time zone name that the user would expect when multiple identical time zones exist. It will not change the behavior if /etc/localtime is not a symlink to a zone data file, nor if the time zone is determined from the TZ environment variable.
Separately, prefer UTC over other spellings of that time zone, when neither TZ nor /etc/localtime provide a hint. This fixes an annoyance introduced by tzdata 2019a's change to make the UCT and UTC zone names equivalent: initdb was then preferring UCT, which almost nobody wants.
Fix ordering of GRANT commands emitted by pg_dump and pg_dumpall for databases and tablespaces (Nathan Bossart, Michael Paquier)
If cascading grants had been issued, restore might fail due to the GRANT commands being given in an order that didn't respect their interdependencies.
Make pg_dump recreate table partitions using CREATE TABLE then ATTACH PARTITION, rather than including PARTITION OF in the creation command (Álvaro Herrera, David Rowley)
This avoids problems with the partition's column order possibly being changed to match the parent's. Also, a partition is now restorable from the dump (as a standalone table) even if its parent table isn't restored; the ATTACH will fail, but that can just be ignored.
Fix misleading error reports from reindexdb (Julien Rouhaud)
Ensure that vacuumdb returns correct status if an error occurs while using parallel jobs (Julien Rouhaud)
Fix contrib/auto_explain to not cause problems in parallel queries (Tom Lane)
Previously, a parallel worker might try to log its query even if the parent query were not being logged by auto_explain. This would work sometimes, but it's confusing, and in some cases it resulted in failures like “could not find key N in shm TOC”.
Also, fix an off-by-one error that resulted in not necessarily logging every query even when the sampling rate is set to 1.0.
In contrib/postgres_fdw, account for possible data modifications by local BEFORE ROW UPDATE triggers (Shohei Mochizuki)
If a trigger modified a column that was otherwise not changed by the UPDATE, the new value was not transmitted to the remote server.
On Windows, avoid failure when the database encoding is set to SQL_ASCII and we attempt to log a non-ASCII string (Noah Misch)
The code had been assuming that such strings must be in UTF-8, and would throw an error if they didn't appear to be validly encoded. Now, just transmit the untranslated bytes to the log.
Make PL/pgSQL's header files C++-safe (George Tarasov)

New in PostgreSQL 11.2 (Mar 19, 2019)

By default, panic instead of retrying after fsync() failure, to avoid possible data corruption (Craig Ringer, Thomas Munro)
Some popular operating systems discard kernel data buffers when unable to write them out, reporting this as fsync() failure. If we reissue the fsync() request it will succeed, but in fact the data has been lost, so continuing risks database corruption. By raising a panic condition instead, we can replay from WAL, which may contain the only remaining copy of the data in such a situation. While this is surely ugly and inefficient, there are few alternatives, and fortunately the case happens very rarely.
A new server parameter data_sync_retry has been added to control this; if you are certain that your kernel does not discard dirty data buffers in such scenarios, you can set data_sync_retry to on to restore the old behavior.
Include each major release branch's release notes in the documentation for only that branch, rather than that branch and all later ones (Tom Lane)
The duplication induced by the previous policy was getting out of hand. Our plan is to provide a full archive of release notes on the project's web site, but not duplicate it within each release.
Fix handling of unique indexes with INCLUDE columns on partitioned tables (Álvaro Herrera)
The uniqueness condition was not checked properly in such cases.
Ensure that NOT NULL constraints of a partitioned table are honored within its partitions (Álvaro Herrera, Amit Langote)
Update catalog state correctly for partition table constraints when detaching their partition (Amit Langote, Álvaro Herrera)
Previously, the pg_constraint.conislocal field for such a constraint might improperly be left as false, rendering it undroppable. A dump/restore or pg_upgrade would cure the problem, but if necessary, the catalog field can be adjusted manually.
Create or delete foreign key enforcement triggers correctly when attaching or detaching a partition in a partitioned table that has a foreign-key constraint (Amit Langote, Álvaro Herrera)
Avoid useless creation of duplicate foreign key constraints in partitioned tables (Álvaro Herrera)
When an index is created on a partitioned table using ONLY, and there are no partitions yet, mark it valid immediately (Álvaro Herrera)
Otherwise there is no way to make it become valid.
Use a safe table lock level when detaching a partition (Álvaro Herrera)
The previous locking level was too weak and might allow concurrent DDL on the table, with bad results.
Fix problems with applying ON COMMIT DROP and ON COMMIT DELETE ROWS to partitioned tables and tables with inheritance children (Michael Paquier)
Disallow COPY FREEZE on partitioned tables (David Rowley)
This should eventually be made to work, but it may require a patch that's too complicated to risk back-patching.
Fix possible index corruption when the indexed column has a “fast default” (that is, it was added by ALTER TABLE ADD COLUMN with a constant non-NULL default value specified, after the table already contained some rows) (Andres Freund)
Correctly adjust “fast default” values during ALTER TABLE ... ALTER COLUMN TYPE (Andrew Dunstan)
Avoid possible deadlock when acquiring multiple buffer locks (Nishant Fnu)
Avoid deadlock between GIN vacuuming and concurrent index insertions (Alexander Korotkov, Andrey Borodin, Peter Geoghegan)
This change partially reverts a performance improvement, introduced in version 10.0, that attempted to reduce the number of index pages locked during deletion of a GIN posting tree page. That's now been found to lead to deadlocks, so we've removed it pending closer analysis.
Avoid deadlock between hot-standby queries and replay of GIN index page deletion (Alexander Korotkov)
Fix possible crashes in logical replication when index expressions or predicates are in use (Peter Eisentraut)
Avoid useless and expensive logical decoding of TOAST data during a table rewrite (Tomas Vondra)
Fix logic for stopping a subset of WAL senders when synchronous replication is enabled (Paul Guo, Michael Paquier)
Avoid possibly writing an incorrect replica identity field in a tuple deletion WAL record (Stas Kelvich)
Prevent incorrect use of WAL-skipping optimization during COPY to a view or foreign table (Amit Langote, Michael Paquier)
Make the archiver prioritize WAL history files over WAL data files while choosing which file to archive next (David Steele)
Fix possible crash in UPDATE with a multiple SET clause using a sub-SELECT as source (Tom Lane)
Fix crash when zero rows are fed to json[b]_populate_recordset() or json[b]_to_recordset() (Tom Lane)
Avoid crash if libxml2 returns a null error message (Sergio Conde Gómez)
Fix incorrect JIT tuple deforming code for tables with many columns (more than approximately 800) (Andres Freund)
Fix performance and memory leakage issues in hash-based grouping (Andres Freund)
Fix spurious grouping-related parser errors caused by inconsistent handling of collation assignment (Andrew Gierth)
In some cases, expressions that should be considered to match were not seen as matching, if they included operations on collatable data types.
Fix parsing of collation-sensitive expressions in the arguments of a CALL statement (Peter Eisentraut)
Ensure proper cleanup after detecting an error in the argument list of a CALL statement (Tom Lane)
Check whether the comparison function underlying LEAST() or GREATEST() is leakproof, rather than just assuming it is (Tom Lane)
Actual information leaks from btree comparison functions are typically hard to provoke, but in principle they could happen.
Fix incorrect planning of queries involving nested loops both above and below a Gather plan node (Tom Lane)
If both levels of nestloop needed to pass the same variable into their right-hand sides, an incorrect plan would be generated.
Fix incorrect planning of queries in which a lateral reference must be evaluated at a foreign table scan (Tom Lane)
Fix planner failure when the first column of a row comparison matches an index column, but later column(s) do not, and the index has included (non-key) columns (Tom Lane)
Fix corner-case underestimation of the cost of a merge join (Tom Lane)
The planner could prefer a merge join when the outer key range is much smaller than the inner key range, even if there are so many duplicate keys on the inner side that this is a poor choice.
Avoid O(N^2) planning time growth when a query contains many thousand indexable clauses (Tom Lane)
Improve planning speed for large inheritance or partitioning table groups (Amit Langote, Etsuro Fujita)
Improve ANALYZE's handling of concurrently-updated rows (Jeff Janes, Tom Lane)
Previously, rows deleted by an in-progress transaction were omitted from ANALYZE's sample, but this has been found to lead to more inconsistency than including them would do. In effect, the sample now corresponds to an MVCC snapshot as of ANALYZE's start time.
Make TRUNCATE ignore inheritance child tables that are temporary tables of other sessions (Amit Langote, Michael Paquier)
This brings TRUNCATE into line with the behavior of other commands. Previously, such cases usually ended in failure.
Fix TRUNCATE to update the statistics counters for the right table (Tom Lane)
If the truncated table had a TOAST table, that table's counters were reset instead.
Process ALTER TABLE ONLY ADD COLUMN IF NOT EXISTS correctly (Greg Stark)
Allow UNLISTEN in hot-standby mode (Shay Rojansky)
This is necessarily a no-op, because LISTEN isn't allowed in hot-standby mode; but allowing the dummy operation simplifies session-state-reset logic in clients.
Fix missing role dependencies in some schema and data type permissions lists (Tom Lane)
In some cases it was possible to drop a role to which permissions had been granted. This caused no immediate problem, but a subsequent dump/reload or upgrade would fail, with symptoms involving attempts to grant privileges to all-numeric role names.
Prevent use of a session's temporary schema within a two-phase transaction (Michael Paquier)
Accessing a temporary table within such a transaction has been forbidden for a long time, but it was still possible to cause problems with other operations on temporary objects.
Ensure relation caches are updated properly after adding or removing foreign key constraints (Álvaro Herrera)
This oversight could result in existing sessions failing to enforce a newly-created constraint, or continuing to enforce a dropped one.
Ensure relation caches are updated properly after renaming constraints (Amit Langote)
Fix replay of GiST index micro-vacuum operations so that concurrent hot-standby queries do not see inconsistent state (Alexander Korotkov)
Prevent empty GIN index pages from being reclaimed too quickly, causing failures of concurrent searches (Andrey Borodin, Alexander Korotkov)
Fix edge-case failures in float-to-integer coercions (Andrew Gierth, Tom Lane)
Values very slightly above the maximum valid integer value might not be rejected, and then would overflow, producing the minimum valid integer instead. Also, values that should round to the minimum or maximum integer value might be incorrectly rejected.
Fix parsing of space-separated lists of host names in the ldapserver parameter of LDAP authentication entries in pg_hba.conf (Thomas Munro)
When making a PAM authentication request, don't set the PAM_RHOST variable if the connection is via a Unix socket (Thomas Munro)
Previously that variable would be set to [local], which is at best unhelpful, since it's supposed to be a host name.
Disallow setting client_min_messages higher than ERROR (Jonah Harris, Tom Lane)
Previously, it was possible to set this variable to FATAL or PANIC, which had the effect of suppressing transmission of ordinary error messages to the client. However, that's contrary to guarantees that are given in the PostgreSQL wire protocol specification, and it caused some clients to become very confused. In released branches, fix this by silently treating such settings as meaning ERROR instead. Version 12 and later will reject those alternatives altogether.
Fix ecpglib to use uselocale() or _configthreadlocale() in preference to setlocale() (Michael Meskes, Tom Lane)
Since setlocale() is not thread-local, and might not even be thread-safe, the previous coding caused problems in multi-threaded ecpg applications.
Fix incorrect results for numeric data passed through an ecpg SQLDA (SQL Descriptor Area) (Daisuke Higuchi)
Values with leading zeroes were not copied correctly.
Fix psql's g target meta-command to work with COPY TO STDOUT (Daniel Vérité)
Previously, the target option was ignored, so that the copy data always went to the current query output target.
Make psql's LaTeX output formats render special characters properly (Tom Lane)
Backslash and some other ASCII punctuation characters were not rendered correctly, leading to document syntax errors or wrong characters in the output.
Make pgbench's random number generation fully deterministic and platform-independent when --random-seed=N is specified (Fabien Coelho, Tom Lane)
On any specific platform, the sequence obtained with a particular value of N will probably be different from what it was before this patch.
Fix pg_basebackup and pg_verify_checksums to ignore temporary files appropriately (Michael Banck, Michael Paquier)
Fix pg_dump's handling of materialized views with indirect dependencies on primary keys (Tom Lane)
This led to mis-labeling of such views' dump archive entries, causing harmless warnings about “archive items not in correct section order”; less harmlessly, selective-restore options depending on those labels, such as --section, might misbehave.
Make pg_dump include ALTER INDEX SET STATISTICS commands (Michael Paquier)
When the ability to attach statistics targets to index expressions was added, we forgot to teach pg_dump about it, so that such settings were lost in dump/reload.
Fix pg_dump's dumping of tables that have OIDs (Peter Eisentraut)
The WITH OIDS clause was omitted if it needed to be applied to the first table to be dumped.
Avoid null-pointer-dereference crash on some platforms when pg_dump or pg_restore tries to report an error (Tom Lane)
Prevent false index-corruption reports from contrib/amcheck caused by inline-compressed data (Peter Geoghegan)
Properly disregard SIGPIPE errors if COPY FROM PROGRAM stops reading the program's output early (Tom Lane)
This case isn't actually reachable directly with COPY, but it can happen when using contrib/file_fdw.
Fix contrib/hstore to calculate correct hash values for empty hstore values that were created in version 8.4 or before (Andrew Gierth)
The previous coding did not give the same result as for an empty hstore value created by a newer version, thus potentially causing wrong results in hash joins or hash aggregation. It is advisable to reindex any hash indexes built on hstore columns, if the table might contain data that was originally stored as far back as 8.4 and was never dumped/reloaded since then.
Avoid crashes and excessive runtime with large inputs to contrib/intarray's gist__int_ops index support (Andrew Gierth)
In configure, look for python3 and then python2 if python isn't found (Peter Eisentraut)
This allows PL/Python to be configured without explicitly specifying PYTHON on platforms that no longer provide an unversioned python executable.
Include JIT-related headers in the installed set of header files (Donald Dong)
Support new Makefile variables PG_CFLAGS, PG_CXXFLAGS, and PG_LDFLAGS in pgxs builds (Christoph Berg)
This simplifies customization of extension build processes.
Fix Perl-coded build scripts to not assume “.” is in the search path, since recent Perl versions don't include that (Andrew Dunstan)
Fix server command-line option parsing problems on OpenBSD (Tom Lane)
Relocate call of set_rel_pathlist_hook so that extensions can use it to supply partial paths for parallel queries (KaiGai Kohei)
This is not expected to affect existing use-cases.
Update time zone data files to tzdata release 2018i for DST law changes in Kazakhstan, Metlakatla, and Sao Tome and Principe. Kazakhstan's Qyzylorda zone is split in two, creating a new zone Asia/Qostanay, as some areas did not change UTC offset. Historical corrections for Hong Kong and numerous Pacific islands.

New in PostgreSQL 11.0 (Oct 25, 2018)

New in PostgreSQL 10.5 (Aug 9, 2018)

CVE-2018-10915: Certain host connection parameters defeat client-side security defenses:
libpq, the client connection API for PostgreSQL that is also used by other connection libraries, had an internal issue where it did not reset all of its connection state variables when attempting to reconnect. In particular, the state variable that determined whether or not a password is needed for a connection would not be reset, which could allow users of features requiring libpq, such as the dblink or postgres_fdw extensions, to login to servers they should not be able to access.
You can check if your database has either extension installed by running the following from your PostgreSQL shell: dx dblink|postgres_fdw
Users are advised to upgrade their libpq installations as soon as possible.
The PostgreSQL Global Development Group thanks Andrew Krasichkov for reporting this problem.
CVE-2018-10925: Memory disclosure and missing authorization in INSERT ... ON CONFLICT DO UPDATE:
An attacker able to issue CREATE TABLE can read arbitrary bytes of server memory using an upsert (INSERT ... ON CONFLICT DO UPDATE) query. By default, any user can exploit that. A user that has specific INSERT privileges and an UPDATE privilege on at least one column in a given table can also update other columns using a view and an upsert query.
BUG FIXES AND IMPROVEMENTS:
This update also fixes over 40 bugs reported in the last several months. Some of these issues affect only version 10, but many affect all supported versions.
These fixes include:
Several fixes related to VACUUM, including an issue that could lead to data corruption in certain system catalog tables
Several fixes for replaying write-ahead logs, including a case where a just-promoted standby server would not restart if it crashed before its first post-recovery checkpoint
Several performance improvements for replaying write-ahead logs
Several fixes for logical replication and logical decoding, including ensuring logical WAL senders are reporting the streaming state correctly
Allow replication slots to be dropped in single-user mode
Fix to have variance and similar aggregate functions return accurate results when executed using parallel query
Fix SQL-standard FETCH FIRST syntax to allow parameters ($n), as the standard expects
Fix to ensure that a process doing a parallel index scan will respond to signals, such as one to abort a query
Fix EXPLAIN's accounting for resource usage, particularly buffer accesses, in parallel workers
Several fixes for the query planner including improving the cost estimates for hash-joins and choosing to use indexes for mergejoins on composite type columns
Fix performance regression related to POSIX semaphores for multi-CPU systems running Linux or FreeBSD
Fix for GIN indexes that could lead to an assertion failure after a pg_upgrade from a version before PostgreSQL 9.4
Fix for SHOW ALL to display superuser configuration settings to roles that are allowed to read all settings
Fix issue where COPY FROM .. WITH HEADER would drop a line after every 4,294,967,296 lines processed
Several fixes for XML support, including using the document node as the context for XPath queries as defined in the SQL standard, which affects the xpath and xpath_exists functions, as well as XMLTABLE
Fix libpq for certain cases where hostaddr is used
Several ecpg fixes for Windows
Fix password prompting in Windows client programs so that echo is properly disabled
Several pg_dump fixes, including correctly outputting REPLICA IDENTITY properties for constraint indexes
Make pg_upgrade check that the old server was shut down cleanly

New in PostgreSQL 10.4 (May 11, 2018)

Remove public execute privilege from contrib/adminpack's pg_logfile_rotate() function (Stephen Frost)
Fix incorrect volatility markings on a few built-in functions (Thomas Munro, Tom Lane)
Avoid re-using TOAST value OIDs that match dead-but-not-yet-vacuumed TOAST entries (Pavan Deolasee)
Correctly enforce any CHECK constraints on individual partitions during COPY to a partitioned table (Etsuro Fujita)
Accept TRUE and FALSE as partition bound values (Amit Langote)
Fix memory management for partition key comparison functions (Álvaro Herrera, Amit Langote)
Fix possible crash when a query inserts tuples in several partitions of a partitioned table, and those partitions don't have identical row types (Etsuro Fujita, Amit Langote)
Change ANALYZE's algorithm for updating pg_class.reltuples (David Gould)
Include extended-statistics objects in the set of table properties duplicated by CREATE TABLE ... LIKE ... INCLUDING ALL (David Rowley)
Fix CREATE TABLE ... LIKE with bigint identity columns (Peter Eisentraut)
Avoid deadlocks in concurrent CREATE INDEX CONCURRENTLY commands that are run under SERIALIZABLE or REPEATABLE READ transaction isolation (Tom Lane)
Fix possible slow execution of REFRESH MATERIALIZED VIEW CONCURRENTLY (Thomas Munro)
Fix UPDATE/DELETE ... WHERE CURRENT OF to not fail when the referenced cursor uses an index-only-scan plan (Yugo Nagata, Tom Lane)
Fix incorrect planning of join clauses pushed into parameterized paths (Andrew Gierth, Tom Lane)
Fix possibly incorrect generation of an index-only-scan plan when the same table column appears in multiple index columns, and only some of those index columns use operator classes that can return the column value (Kyotaro Horiguchi)
Fix misoptimization of CHECK constraints having provably-NULL subclauses of top-level AND/OR conditions (Tom Lane, Dean Rasheed)
Prevent planner crash when a query has multiple GROUPING SETS, none of which can be implemented by sorting (Andrew Gierth)
Fix executor crash due to double free in some GROUPING SET usages (Peter Geoghegan)
Fix misexecution of self-joins on transition tables (Thomas Munro)
Avoid crash if a table rewrite event trigger is added concurrently with a command that could call such a trigger (Álvaro Herrera, Andrew Gierth, Tom Lane)
Avoid failure if a query-cancel or session-termination interrupt occurs while committing a prepared transaction (Stas Kelvich)
Fix query-lifespan memory leakage in repeatedly executed hash joins (Tom Lane)
Fix possible leak or double free of visibility map buffer pins (Amit Kapila)
Avoid spuriously marking pages as all-visible (Dan Wood, Pavan Deolasee, Álvaro Herrera)
Fix overly strict sanity check in heap_prepare_freeze_tuple (Álvaro Herrera)
Prevent dangling-pointer dereference when a C-coded before-update row trigger returns the “old” tuple (Rushabh Lathia)
Reduce locking during autovacuum worker scheduling (Jeff Janes)
Ensure client hostname is copied while copying pg_stat_activity data to local memory (Edmund Horner)
Handle pg_stat_activity information for auxiliary processes correctly (Edmund Horner)
Fix incorrect processing of multiple compound affixes in ispell dictionaries (Arthur Zakirov)
Fix collation-aware searches (that is, indexscans using inequality operators) in SP-GiST indexes on text columns (Tom Lane)
Prevent query-lifespan memory leakage with SP-GiST operator classes that use traversal values (Anton Dignös)
Count the number of index tuples correctly during initial build of an SP-GiST index (Tomas Vondra)
Count the number of index tuples correctly during vacuuming of a GiST index (Andrey Borodin)
Fix a corner case where a streaming standby gets stuck at a WAL continuation record (Kyotaro Horiguchi)
In logical decoding, avoid possible double processing of WAL data when a walsender restarts (Craig Ringer)
Fix logical replication to not assume that type OIDs match between the local and remote servers (Masahiko Sawada)
Allow scalarltsel and scalargtsel to be used on non-core datatypes (Tomas Vondra)
Reduce libpq's memory consumption when a server error is reported after a large amount of query output has been collected (Tom Lane)
Fix double-free crashes in ecpg (Patrick Krecker, Jeevan Ladhe)
Fix ecpg to handle long long int variables correctly in MSVC builds (Michael Meskes, Andrew Gierth)
Fix mis-quoting of values for list-valued GUC variables in dumps (Michael Paquier, Tom Lane)
Fix pg_recvlogical to not fail against pre-v10 PostgreSQL servers (Michael Paquier)
Ensure that pg_rewind deletes files on the target server if they are deleted from the source server during the run (Takayuki Tsunakawa)
Fix pg_rewind to handle tables in non-default tablespaces correctly (Takayuki Tsunakawa)
Fix overflow handling in PL/pgSQL integer FOR loops (Tom Lane)
Adjust PL/Python regression tests to pass under Python 3.7 (Peter Eisentraut)
Support testing PL/Python and related modules when building with Python 3 and MSVC (Andrew Dunstan)
Fix errors in initial build of contrib/bloom indexes (Tomas Vondra, Tom Lane)
Rename internal b64_encode and b64_decode functions to avoid conflict with Solaris 11.4 built-in functions (Rainer Orth)
Sync our copy of the timezone library with IANA tzcode release 2018e (Tom Lane)
Update time zone data files to tzdata release 2018d for DST law changes in Palestine and Antarctica (Casey Station), plus historical corrections for Portugal and its colonies, as well as Enderbury, Jamaica, Turks & Caicos Islands, and Uruguay.

New in PostgreSQL 10.3 (Mar 5, 2018)

New in PostgreSQL 10.2 (Feb 9, 2018)

Security Issues:
CVE-2018-1052: Fix the processing of partition keys containing multiple expressions
CVE-2018-1053: Ensure that all temporary files made with "pg_upgrade" are non-world-readable
Bug Fixes and Improvements:
Fix crash and potential disclosure of backend memory when processing partition keys containing multiple expressions
Fix potential disclosure of temporary files containing database passwords created by pg_upgrade by not allowing these files to be world-accessible
Fix cases where VACUUM would not remove dead rows if they were updated while "key-share" locked, leading to potential data corruption
Fix for GIN indexes to prevent bloat by ensuring the pending-insertions list is cleaned up by VACUUM
Fix potential index corruption with hash indexes due to failure to mark metapages as dirty
Fix several potential crash scenarios for parallel queries, including when a bitmap heap scan cannot allocate memory
Fix several potential hang-ups in parallel queries, including when a parallel worker fails to start
Fix collection of EXPLAIN statistics from parallel workers
Prevent fake deadlock failures when multiple sessions are running CREATE INDEX CONCURRENTLY
Fix for trigger behavior when using logical replication
Several fixes for "walsender" functionality to improve stability as well as visibility into the replication process
Fix logical decoding to correctly clean up disk files for crashed transactions
Several fixes for identity columns, including disallowing identity columns on tables derived from composite types and partitions
Fix handling of list partitioning constraints for partition keys of boolean and array types
Fix incorrectly generated plans for UPDATE and DELETE queries when a table has a mix of inherited regular and foreign child tables
Fix incorrect query results from cases involving GROUPING SETS when used with flattened subqueries
Fix UNION/INTERSECT/EXCEPT over zero columns, e.g. "SELECT UNION SELECT;"
Several fixes for subqueries within a LATERAL subquery
Several improvements for query planning estimation
Allow a client that supports SCRAM channel binding, such as a future version of PostgreSQL or libpq, to connect to a PostgreSQL 10 server
Fix sample INSTR() functions used to help transition from Oracle(r) PL/SQL to PostgreSQL PL/pgSQL to correctly match Oracle functional behavior
Fix pg_dump to make permissions (ACL), security label, and comment entries reliably identifiable in archive outputs
Modify behavior for contrib/cube's "cube ~> int" operator to make it compatible with KNN search. This is a backwards incompatible change and any expression indexes or materialized views using this operator will need to be reindexed and refreshed, respectively.
Several fixes in contrib/postgres_fdw to prevent query planner errors
Added modern examples of auto-start scripts for PostgreSQL on macOS in the contrib/start-scripts/macos directory
Several fixes for Windows, including postmaster startup and compatibility with libperl
Spinlock fixes and support for Motorola 68K and 88K architectures
This update also contains tzdata release 2018c, with updates for DST law changes in Brazil, Sao Tome and Principe, plus historical corrections for Bolivia, Japan, and South Sudan. The US/Pacific-New zone has been removed (it was only an alias for "America/Los_Angeles" anyway).

New in PostgreSQL 10.1 (Nov 24, 2017)

Three security vulnerabilities have been fixed by this release:
CVE-2017-12172: Start scripts permit database administrator to modify root-owned files
CVE-2017-15098: Memory disclosure in JSON functions
CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges
Bug Fixes and Improvements:
Fix a race condition in BRIN indexing that could cause some rows to not be included in the indexing.
Fix crash when logical decoding is invoked from a PL language function.
Several fixes for logical replication.
Restored behavior for CTEs attached to INSERT/UPDATE/DELETE statements to pre-version 10.
Prevent low-probability crash in processing of nested trigger firings.
Do not evaluate an aggregate function's argument expressions when the conditions in the FILTER clause evaluate to FALSE. This complies with SQL-standard behavior.
Fix incorrect query results when multiple GROUPING SETS columns contain the same simple variable.
Fix memory leak over the lifespan of a query when evaluating a set-returning function from the target list in a SELECT.
Several fixes for parallel query execution, including fixing a crash in the parallel execution of certain queries that contain a certain type of bitmap scan.
Fix json_build_array(), json_build_object(), jsonb_build_array(), and jsonb_build_object() to handle explicit VARIADIC arguments correctly.
Prevent infinite float values from being casted to the numeric type.
Fix autovacuum's “work item” logic to prevent possible crashes and silent loss of work items.
Several fixes for VIEWs around adding columns to the end of a view.
Fix for hashability detection of range data types that are created by a user.
Improvements on using extended statistics on columns for the purposes of query planning.
Prevent idle_in_transaction_session_timeout from being ignored when a statement_timeout occurred earlier.
Fix low-probability loss of NOTIFY messages due more than 2 billion transactions processing before any queries are executed in the session.
Several file system interaction fixes.
Correctly restore the umask setting when file creation fails in COPY or lo_export().
Fix pg_dump to ensure that it emits GRANT commands in a valid order.
Fix pg_basebackup's matching of tablespace paths to canonicalize both paths before comparing to help improve Windows compatibility.
Fix libpq to not require user's home directory to exist when trying to read the "~/.pgpass" file.
Several fixes for ecpg.
This update also contains tzdata release 2017c, with updates for Fiji, Namibia, Northern Cyprus, Sudan, Tonga, and Turks & Caicos Islands, plus historical corrections for Alaska, Apia, Burma, Calcutta, Detroit, Ireland, Namibia, and Pago Pago.

New in PostgreSQL 10.0 (Oct 5, 2017)

Logical Replication - A publish/subscribe framework for distributing data:
Logical replication extends the current replication features of PostgreSQL with the ability to send modifications on a per-database and per-table level to different PostgreSQL databases. Users can now fine-tune the data replicated to various database clusters and will have the ability to perform zero-downtime upgrades to future major PostgreSQL versions.
"We have been heavily using PostgreSQL since 9.3 and are very excited about version 10 since it brings basis for long-awaited partitioning and built-in logical replication. It will allow us to use PostgreSQL in even more services," said Vladimir Borodin, DBA Team Lead at Yandex.
Declarative Table Partitioning - Convenience in dividing your data:
Table partitioning has existed for years in PostgreSQL but required a user to maintain a nontrivial set of rules and triggers for the partitioning to work. PostgreSQL 10 introduces a table partitioning syntax that lets users easily create and maintain range and list partitioned tables. The addition of the partitioning syntax is the first step in a series of planned features to provide a robust partitioning framework within PostgreSQL.
Improved Query Parallelism - Quickly conquer your analysis:
PostgreSQL 10 provides better support for parallelized queries by allowing more parts of the query execution process to be parallelized. Improvements include additional types of data scans that are parallelized as well as optimizations when the data is recombined, such as pre-sorting. These enhancements allow results to be returned more quickly.
Quorum Commit for Synchronous Replication - Distribute data with confidence:
PostgreSQL 10 introduces quorum commit for synchronous replication, which allows for flexibility in how a primary database receives acknowledgement that changes were successfully written to remote replicas. An administrator can now specify that if any number of replicas has acknowledged that a change to the database has been made, then the data can be considered safely written.
"Quorum commit for synchronous replication in PostgreSQL 10 gives more options to extend our ability to promote database infrastructure with nearly zero downtime from the application perspective. This allows us to continuously deploy and update our database infrastructure without incurring long maintenance windows," said Curt Micol, Staff Infrastructure Engineer at Simple Finance.
SCRAM-SHA-256 authentication - Secure your data access:
The Salted Challenge Response Authentication Mechanism (SCRAM) defined in RFC5802 defines a protocol to improve upon the secure storage and transmission of passwords by providing a framework for strong password negotiation. PostgreSQL 10 introduces the SCRAM-SHA-256 authentication method, defined in RFC7677, to provide better security than the existing MD5-based password authentication method.

New in PostgreSQL 10.0 RC 1 (Sep 29, 2017)

New in PostgreSQL 9.6.5 (Sep 1, 2017)

New in PostgreSQL 10.0 Beta 3 (Aug 11, 2017)

New in PostgreSQL 9.6.4 (Aug 11, 2017)

Three security vulnerabilities have been closed by this release:
CVE-2017-7546: Empty password accepted in some authentication methods
CVE-2017-7547: The "pg_user_mappings" catalog view discloses passwords to users lacking server privileges
CVE-2017-7548: lo_put() function ignores ACLs
Bug Fixes and Improvements:
This update also fixes a number of bugs reported in the last few months. Some of these issues affect only version 9.6, but many affect all supported versions:
pg_upgrade: corrected the documentation about the process for upgrading standby servers to ensure the primary and standbys synchronized safely. Also includes a fix to ensure the last WAL record does not have "wal_level = minimum" which would prevent standbys from connecting upon restart
Fix for issue with a concurrent locking race condition that could cause some of the updates to fail
Several fixes for low probability data corruption scenarios
Fix to prevent crash when sorting more than one billion tuples in-memory
Fix on Windows to retry creating a process if shared memory addresses could not be allocated, typically caused from antivirus software interference
Fix in libpq to ensure that failed connection attempts using GSS/SASL and SSPI authentication are reset properly
Fixes for SSL connection handling and logging
Fix to allow window functions to be used in sub-SELECT statements that are within the arguments of an aggregate function
Allow parallelism in the query plan when COPY when copying from a query
Several fixes to ALTER TABLE
Fix to ensure that ALTER USER ... SET and ALTER ROLE ... SET accepts the same syntax variants
Fixes for the statistics collector, ensuring statistics requests made just after a postmaster shutdown request will be written to disk
Fix possible creation of an invalid WAL segment during standby promotion
Several walsender / walreceiver fixes, particularly around signal handling and shutdowns / restarts
Several logic decoding fixes, including removing leakage of small subtransactions to disk
Allow a CHECK constraints to be initially NOT VALID when executing CREATE FOREIGN TABLE
Fixes to postgres_fdw for applying changes promptly after ALTER SERVER / ALTER USER MAPPING commands and improving ability to escape from an unresponsive server
Several fixes for pg_dump and pg_restore, including a fix for pg_dump output to stdout on Windows
Fix pg_basebackup output to stdout on Windows, similar to the fix for pg_dump
Fix pg_rewind to correctly handle files exceeding 2GB, though files of such size should rarely appear in a data directory
Several fixes for building PostgreSQL with Microsoft Visual C (MSVC), primarily around sourcing libraries

New in PostgreSQL 9.6.3 (May 11, 2017)

Changes:
Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Michael Paquier, Feike Steenbergen)
Prevent exposure of statistical information via leaky operators (Peter Eisentraut)
Restore libpq's recognition of the PGREQUIRESSL environment variable (Daniel Gustafsson)
Fix possibly-invalid initial snapshot during logical decoding (Petr Jelinek, Andres Freund)
Fix possible corruption of "init forks" of unlogged indexes (Robert Haas, Michael Paquier)
Fix incorrect reconstruction of pg_subtrans entries when a standby server replays a prepared but uncommitted two-phase transaction (Tom Lane)
Avoid possible crash in walsender due to failure to initialize a string buffer (Stas Kelvich, Fujii Masao)
Fix possible crash when rescanning a nearest-neighbor index-only scan on a GiST index (Tom Lane)
Prevent delays in postmaster's launching of multiple parallel worker processes (Tom Lane)
Fix postmaster's handling of fork() failure for a background worker process (Tom Lane)
Fix possible "no relation entry for relid 0" error when planning nested set operations (Tom Lane)
Fix assorted minor issues in planning of parallel queries (Robert Haas)
Avoid applying "physical targetlist" optimization to custom scans (Dmitry Ivanov, Tom Lane)
Use the correct sub-expression when applying a FOR ALL row-level-security policy (Stephen Frost)
Ensure parsing of queries in extension scripts sees the results of immediately-preceding DDL (Julien Rouhaud, Tom Lane)
Skip tablespace privilege checks when ALTER TABLE ... ALTER COLUMN TYPE rebuilds an existing index (Noah Misch)
Fix ALTER TABLE ... VALIDATE CONSTRAINT to not recurse to child tables when the constraint is marked NO INHERIT (Amit Langote)
Avoid dangling pointer in COPY ... TO when row-level security is active for the source table (Tom Lane)
Avoid accessing an already-closed relcache entry in CLUSTER and VACUUM FULL (Tom Lane)
Fix VACUUM to account properly for pages that could not be scanned due to conflicting page pins (Andrew Gierth)
Ensure that bulk-tuple-transfer loops within a hash join are interruptible by query cancel requests (Tom Lane, Thomas Munro)
Fix incorrect support for certain box operators in SP-GiST (Nikita Glukhov)
Fix integer-overflow problems in interval comparison (Kyotaro Horiguchi, Tom Lane)
Fix cursor_to_xml() to produce valid output with tableforest = false (Thomas Munro, Peter Eisentraut)
Fix roundoff problems in float8_timestamptz() and make_interval() (Tom Lane)
Fix pg_get_object_address() to handle members of operator families correctly (Álvaro Herrera)
Fix cancelling of pg_stop_backup() when attempting to stop a non-exclusive backup (Michael Paquier, David Steele)
Improve performance of pg_timezone_names view (Tom Lane, David Rowley)
Reduce memory management overhead for contexts containing many large blocks (Tom Lane)
Fix sloppy handling of corner-case errors from lseek() and close() (Tom Lane)
Fix incorrect check for whether postmaster is running as a Windows service (Michael Paquier)
Fix ecpg to support COMMIT PREPARED and ROLLBACK PREPARED (Masahiko Sawada)
Fix a double-free error when processing dollar-quoted string literals in ecpg (Michael Meskes)
Fix pgbench to handle the combination of --connect and --rate options correctly (Fabien Coelho)
Fix pgbench to honor the long-form option spelling --builtin, as per its documentation (Tom Lane)
Fix pg_dump/pg_restore to correctly handle privileges for the public schema when using --clean option (Stephen Frost)
In pg_dump, fix incorrect schema and owner marking for comments and security labels of some types of database objects (Giuseppe Broccolo, Tom Lane)
Fix typo in pg_dump's query for initial privileges of a procedural language (Peter Eisentraut)
Avoid emitting an invalid list file in pg_restore -l when SQL object names contain newlines (Tom Lane)
Fix pg_upgrade to transfer comments and security labels attached to "large objects" (blobs) (Stephen Frost)
Improve error handling in contrib/adminpack's pg_file_write() function (Noah Misch)
In contrib/dblink, avoid leaking the previous unnamed connection when establishing a new unnamed connection (Joe Conway)
Fix contrib/pg_trgm's extraction of trigrams from regular expressions (Tom Lane)
In contrib/postgres_fdw, allow join conditions that contain shippable extension-provided functions to be pushed to the remote server (David Rowley, Ashutosh Bapat)
Support Tcl 8.6 in MSVC builds (Álvaro Herrera)
Sync our copy of the timezone library with IANA release tzcode2017b (Tom Lane)
Update time zone data files to tzdata release 2017b for DST law changes in Chile, Haiti, and Mongolia, plus historical corrections for Ecuador, Kazakhstan, Liberia, and Spain. Switch to numeric abbreviations for numerous time zones in South America, the Pacific and Indian oceans, and some Asian and Middle Eastern countries.
Use correct daylight-savings rules for POSIX-style time zone names in MSVC builds (David Rowley)

New in PostgreSQL 9.6.2 (Feb 9, 2017)

BUILD CORRUPTION WITH CREATE INDEX CONCURRENTLY:
There existed a race condition if CREATE INDEX CONCURRENTLY was called on a column that had not been indexed before, then rows that were updated by transactions running at the same time as the CREATE INDEX CONCURRENTLY command could have been indexed incorrectly.
If you suspect this may have happened, the most reliable solution is to rebuild affected indexes after installing this update.
This issue is present in the 9.2, 9.3, 9.4, 9.5, and 9.6 series of PostgreSQL.
FIXES FOR VISIBILITY AND WRITE-AHEAD-LOG STABILITY:
These release contains several fixes to improve the stability of visible data and WAL logging that we wish to highlight here.
Prior to this release, data could be prematurely pruned by a vacuum operation when a special snapshot used for catalog scans was presently available. Specifically, the vacuum operation would not be aware of the oldest xmin for this special snapshot. The error would surface with a message such as: "cache lookup failed for relation 1255"
This release ensures that vacuum operations will account for the catalog scan snapshots.
Additionally, there are several fixes to improved the stability of write-ahead-logging, including:
A fix for BRIN index WAL logging where a replay could make a portion of the BRIN index useless and require recomputing
A fix for an unlogged table where a WAL-log would be created under the "wal_level = minimal" setting, and upon replay after crash, the table would not appear to be properly reset
A fix in the WAL page header validation when re-reading segments that fixes the error of "out-of-sequence TLI" that could be reported during recovery
Theses issues are present in the 9.6 series of PostgreSQL releases and may also be present in the 9.2, 9.3, 9.4, and 9.5 series.
BUG FIXES AND IMPROVEMENTS:
This update also fixes a number of bugs reported in the last few months. Some of these issues affect only the 9.6 series, but many affect all supported versions.
There are more than 75 fixes provided in this release, including:
Several fixes for operating in hot standby mode
Disallow setting the num_sync field to zero in synchronous_standby_names
Don't count background worker processes against a user's connection limit
Fix check for when an extension member object can be dropped
Fix tracking of initial privileges for extension member objects so that it works correctly with ALTER EXTENSION ... ADD/DROP
Several vacuum and autovacuum fixes
Fix CREATE OR REPLACE VIEW to update the view query before attempting to apply the new view options
Make sure ALTER TABLE preserves index tablespace assignments when rebuilding indexes
Several fixes to the query planner, including fixes for foreign tables and CTEs
Several fixes around the full-text search feature to improve accuracy and performance of the search
Several fixes and performance improvements in several array functions
Several fixes around the interaction of foreign-key constraints with trigger functions around specific ALTER TABLE operations
Remove optimizations for date/time data types that returned incorrect data
Fix incorrect use of view reloptions as regular table reloptions
Fix incorrect "target lists can have at most N entries" complaint when using ON CONFLICT with wide tables
Fix spurious "query provides a value for a dropped column" errors during INSERT or UPDATE on a table with a dropped column
Prevent multicolumn expansion of foo.* in an UPDATE source expression
Ensure that column typmods are determined accurately for multi-row VALUES constructs
Several fixes for the psql command-line tool
Prevent multiple calls of pg_start_backup() and pg_stop_backup() from running concurrently
Several fixes for pg_dump, pg_restore, and pg_basebackup, including a possible pg_basebackup failure on standby server when including WAL files
Several fixes for parallel workers and plans for parallel queries including fixing a crash if the number of workers available to a parallel query decreases during a rescan
Several fixes to PL/pgSQL, PL/Python, and PL/Tcl
Several fixes for contrib modules
Allow DOS-style line endings in ~/.pgpass files, even on Unix

New in PostgreSQL 9.6.1 (Oct 28, 2016)

Fix WAL-logging of truncation of relation free space maps and visibility maps (Pavan Deolasee, Heikki Linnakangas)
Fix possible data corruption when pg_upgrade rewrites a relation visibility map into 9.6 format (Tom Lane)
Don't throw serialization errors for self-conflicting insertions in INSERT ... ON CONFLICT (Thomas Munro, Peter Geoghegan)
Fix use-after-free hazard in execution of aggregate functions using DISTINCT (Peter Geoghegan)
Fix incorrect handling of polymorphic aggregates used as window functions (Tom Lane)
Fix COPY with a column name list from a table that has row-level security enabled (Adam Brightwell)
Fix EXPLAIN to emit valid XML when track_io_timing is on (Markus Winand)
Fix statistics update for TRUNCATE in a prepared transaction (Stas Kelvich)
Fix bugs in merging inherited CHECK constraints while creating or altering a table (Tom Lane, Amit Langote)
Show a sensible value in pg_settings.unit for min_wal_size and max_wal_size (Tom Lane)
Fix replacement of array elements in jsonb_set() (Tom Lane)
Avoid very-low-probability data corruption due to testing tuple visibility without holding buffer lock (Thomas Munro, Peter Geoghegan, Tom Lane)
Preserve commit timestamps across server restart (Julien Rouhaud, Craig Ringer)
Fix logical WAL decoding to work properly when a subtransaction's WAL output is large enough to spill to disk (Andres Freund)
Fix dangling-pointer problem in logical WAL decoding (Stas Kelvich)
Round shared-memory allocation request to a multiple of the actual huge page size when attempting to use huge pages on Linux (Tom Lane)
Don't try to share SSL contexts across multiple connections in libpq (Heikki Linnakangas)
Avoid corner-case memory leak in libpq (Tom Lane)
In pg_upgrade, check library loadability in name order (Tom Lane)
Fix pg_upgrade to work correctly for extensions containing index access methods (Tom Lane)
Improve error reporting in pg_upgrade's file copying/linking/rewriting steps (Tom Lane, Álvaro Herrera)
Fix pg_dump to work against pre-7.4 servers (Amit Langote, Tom Lane)
Disallow specifying both --source-server and --source-target options to pg_rewind (Michael Banck)
Make pg_rewind turn off synchronous_commit in its session on the source server (Michael Banck, Michael Paquier)
In pg_xlogdump, retry opening new WAL segments when using --follow option (Magnus Hagander)
Fix contrib/pg_visibility to report the correct TID for a corrupt tuple that has been the subject of a rolled-back update (Tom Lane)
Fix makefile dependencies so that parallel make of PL/Python by itself will succeed reliably (Pavel Raiskup)
Update time zone data files to tzdata release 2016h for DST law changes in Palestine and Turkey, plus historical corrections for Turkey and some regions of Russia. Switch to numeric abbreviations for some time zones in Antarctica, the former Soviet Union, and Sri Lanka.

New in PostgreSQL 9.6.0 (Sep 30, 2016)

New in PostgreSQL 9.6.0 RC 1 (Sep 1, 2016)

New in PostgreSQL 9.6.0 Beta 4 (Aug 11, 2016)

New in PostgreSQL 9.5.4 (Aug 11, 2016)

New in PostgreSQL 9.6.0 Beta 3 (Jul 21, 2016)

New in PostgreSQL 9.6.0 Beta 2 (Jun 23, 2016)

New in PostgreSQL 9.6.0 Beta 1 (May 12, 2016)

New in PostgreSQL 9.5.3 (May 12, 2016)

Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards (Peter Geoghegan, Dave Vitek, Peter Eisentraut)
This change prevents problems when there are multiple connections using OpenSSL within a single process and not all the code involved follows the same rules for when to clear the error queue. Failures have been reported specifically when a client application uses SSL connections in libpq concurrently with SSL connections using the PHP, Python, or Ruby wrappers for OpenSSL. It's possible for similar problems to arise within the server as well, if an extension module establishes an outgoing SSL connection.
Fix "failed to build any N-way joins" planner error with a full join enclosed in the right-hand side of a left join (Tom Lane)
Fix incorrect handling of equivalence-class tests in multilevel nestloop plans (Tom Lane)
Given a three-or-more-way equivalence class of variables, such as X.X = Y.Y = Z.Z, it was possible for the planner to omit some of the tests needed to enforce that all the variables are actually equal, leading to join rows being output that didn't satisfy the WHERE clauses. For various reasons, erroneous plans were seldom selected in practice, so that this bug has gone undetected for a long time.
Fix corner-case parser failures occurring when operator_precedence_warning is turned on (Tom Lane)
An example is that SELECT (ARRAY[])::text[] gave an error, though it worked without the parentheses.
Fix query-lifespan memory leak in GIN index scans (Julien Rouhaud)
Fix query-lifespan memory leak and potential index corruption hazard in GIN index insertion (Tom Lane)
The memory leak would typically not amount to much in simple queries, but it could be very substantial during a large GIN index build with high maintenance_work_mem.
Fix possible misbehavior of TH, th, and Y,YYY format codes in to_timestamp() (Tom Lane)
These could advance off the end of the input string, causing subsequent format codes to read garbage.
Fix dumping of rules and views in which the array argument of a value operator ANY (array) construct is a sub-SELECT (Tom Lane)
Disallow newlines in ALTER SYSTEM parameter values (Tom Lane)
The configuration-file parser doesn't support embedded newlines in string literals, so we mustn't allow them in values to be inserted by ALTER SYSTEM.
Fix ALTER TABLE ... REPLICA IDENTITY USING INDEX to work properly if an index on OID is selected (David Rowley)
Avoid possible misbehavior after failing to remove a tablespace symlink (Tom Lane)
Fix crash in logical decoding on alignment-picky platforms (Tom Lane, Andres Freund)
The failure occurred only with a transaction large enough to spill to disk and a primary-key change within that transaction.
Avoid repeated requests for feedback from receiver while shutting down walsender (Nick Cleaton)
Make pg_regress use a startup timeout from the PGCTLTIMEOUT environment variable, if that's set (Tom Lane)
This is for consistency with a behavior recently added to pg_ctl; it eases automated testing on slow machines.
Fix pg_upgrade to correctly restore extension membership for operator families containing only one operator class (Tom Lane)
In such a case, the operator family was restored into the new database, but it was no longer marked as part of the extension. This had no immediate ill effects, but would cause later pg_dump runs to emit output that would cause (harmless) errors on restore.
Fix pg_upgrade to not fail when new-cluster TOAST rules differ from old (Tom Lane)
pg_upgrade had special-case code to handle the situation where the new PostgreSQL version thinks that a table should have a TOAST table while the old version did not. That code was broken, so remove it, and instead do nothing in such cases; there seems no reason to believe that we can't get along fine without a TOAST table if that was okay according to the old version's rules.
Fix atomic operations for PPC when using IBM's XLC compiler (Noah Misch)
Reduce the number of SysV semaphores used by a build configured with --disable-spinlocks (Tom Lane)
Rename internal function strtoi() to strtoint() to avoid conflict with a NetBSD library function (Thomas Munro)
Fix reporting of errors from bind() and listen() system calls on Windows (Tom Lane)
Reduce verbosity of compiler output when building with Microsoft Visual Studio (Christian Ullrich)
Support building with Visual Studio 2015 (Michael Paquier, Petr Jelínek)
Fix putenv() to work properly with Visual Studio 2013 (Michael Paquier)
Avoid possibly-unsafe use of Windows' FormatMessage() function (Christian Ullrich)
Use the FORMAT_MESSAGE_IGNORE_INSERTS flag where appropriate. No live bug is known to exist here, but it seems like a good idea to be careful.
Update time zone data files to tzdata release 2016d for DST law changes in Russia and Venezuela. There are new zone names Europe/Kirov and Asia/Tomsk to reflect the fact that these regions now have different time zone histories from adjacent regions.

New in PostgreSQL 9.5.2 (Mar 31, 2016)

Security Fixes for RLS, BRIN:
This release closes security hole CVE-2016-2193, where a query plan might get reused for more than one ROLE in the same session. This could cause the wrong set of Row Level Security (RLS) policies to be used for the query.
The update also fixes CVE-2016-3065, a server crash bug triggered by using pageinspect with BRIN index pages. Since an attacker might be able to expose a few bytes of server memory, this crash is being treated as a security issue.
Abbreviated Keys and Corrupt Indexes:
In this release, the PostgreSQL Project has been forced to disable 9.5's Abbreviated Keys performance feature for many indexes due to reports of index corruption. This may affect any B-tree indexes on TEXT, VARCHAR, and CHAR columns which are not in "C" locale. Indexes in other locales will lose the performance benefits of the feature, and should be REINDEXed in case of existing index corruption. The feature may be re-enabled in future versions if the project finds a solution for the problem. See the release notes, and the wiki page on this issue for more information.
Other Fixes and Improvements:
In addition to the above, many other issues were patched in this release based on bugs reported by our users over the last few months. This includes bugs which affect multiple versions of PostgreSQL, such as:
Fix two bugs in indexed ROW() comparisons
Avoid data loss due to renaming files
Prevent an error in rechecking rows in SELECT FOR UPDATE/SHARE
Fix bugs in multiple json_ and jsonb_ functions
Log lock waits for INSERT ON CONFLICT correctly
Ignore recovery_min_apply_delay until reaching a consistent state
Fix issue with pg_subtrans XID wraparound
Fix assorted bugs in Logical Decoding
Fix planner error with nested security barrier views
Prevent memory leak in GIN indexes
Fix two issues with ispell dictionaries
Avoid a crash on old Windows versions
Skip creating an erroneous delete script in pg_upgrade
Correctly translate empty arrays into PL/Perl
Make PL/Python cope with identifier names
This update also contains tzdata release 2016c, with updates for Azerbaijan, Chile, Haiti, Palestine, and Russia, and historical fixes for other regions.

New in PostgreSQL 9.5.1 (Feb 11, 2016)

New in PostgreSQL 9.5.0 (Jan 7, 2016)

SERVER:
Indexes:
Add Block Range Indexes (BRIN) (Álvaro Herrera)
BRIN indexes store only summary data (such as minimum and maximum values) for ranges of heap blocks. They are therefore very compact and cheap to update; but if the data is naturally clustered, they can still provide substantial speedup of searches.
Allow queries to perform accurate distance filtering of bounding-box-indexed objects (polygons, circles) using GiST indexes (Alexander Korotkov, Heikki Linnakangas)
Previously, to exploit such an index a subquery had to be used to select a large number of rows ordered by bounding-box distance, and the result then had to be filtered further with a more accurate distance calculation.
Allow GiST indexes to perform index-only scans (Anastasia Lubennikova, Heikki Linnakangas, Andreas Karlsson)
Add configuration parameter gin_pending_list_limit to control the size of GIN pending lists (Fujii Masao)
This value can also be set on a per-index basis as an index storage parameter. Previously the pending-list size was controlled by work_mem, which was awkward because appropriate values for work_mem are often much too large for this purpose.
Issue a warning during the creation of hash indexes because they are not crash-safe (Bruce Momjian)
General Performance:
Improve the speed of sorting of varchar, text, and numeric fields via "abbreviated" keys (Peter Geoghegan, Andrew Gierth, Robert Haas)
Extend the infrastructure that allows sorting to be performed by inlined, non-SQL-callable comparison functions to cover CREATE INDEX, REINDEX, and CLUSTER (Peter Geoghegan)
Improve performance of hash joins (Tomas Vondra, Robert Haas)
Improve concurrency of shared buffer replacement (Robert Haas, Amit Kapila, Andres Freund)
Reduce the number of page locks and pins during index scans (Kevin Grittner)
The primary benefit of this is to allow index vacuums to be blocked less often.
Make per-backend tracking of buffer pins more memory-efficient (Andres Freund)
Improve lock scalability (Andres Freund)
This particularly addresses scalability problems when running on systems with multiple CPU sockets.
Allow the optimizer to remove unnecessary references to left-joined subqueries (David Rowley)
Allow pushdown of query restrictions into subqueries with window functions, where appropriate (David Rowley)
Allow a non-leakproof function to be pushed down into a security barrier view if the function does not receive any view output columns (Dean Rasheed)
Teach the planner to use statistics obtained from an expression index on a boolean-returning function, when a matching function call appears in WHERE (Tom Lane)
Make ANALYZE compute basic statistics (null fraction and average column width) even for columns whose data type lacks an equality function (Oleksandr Shulgin)
Speed up CRC (cyclic redundancy check) computations and switch to CRC-32C (Abhijit Menon-Sen, Heikki Linnakangas)
Improve bitmap index scan performance (Teodor Sigaev, Tom Lane)
Speed up CREATE INDEX by avoiding unnecessary memory copies (Robert Haas)
Increase the number of buffer mapping partitions (Amit Kapila, Andres Freund, Robert Haas)
This improves performance for highly concurrent workloads.
Monitoring:
Add per-table autovacuum logging control via new log_min_autovacuum_duration storage parameter (Michael Paquier)
Add new configuration parameter cluster_name (Thomas Munro)
This string, typically set in postgresql.conf, allows clients to identify the cluster. This name also appears in the process title of all server processes, allowing for easier identification of processes belonging to the same cluster.
Prevent non-superusers from changing log_disconnections on connection startup (Fujii Masao)
SSL:
Check "Subject Alternative Names" in SSL server certificates, if present (Alexey Klyukin)
When they are present, this replaces checks against the certificate's "Common Name".
Add system view pg_stat_ssl to report SSL connection information (Magnus Hagander)
Add libpq functions to return SSL information in an implementation-independent way (Heikki Linnakangas)
While PQgetssl() can still be used to call OpenSSL functions, it is now considered deprecated because future versions of libpq might support other SSL implementations. When possible, use the new functions PQsslAttribute(), PQsslAttributeNames(), and PQsslInUse() to obtain SSL information in an SSL-implementation-independent way.
Make libpq honor any OpenSSL thread callbacks (Jan Urbanski)
Previously they were overwritten.
Server Settings:
Replace configuration parameter checkpoint_segments with min_wal_size and max_wal_size (Heikki Linnakangas)
This change allows the allocation of a large number of WAL files without keeping them after they are no longer needed. Therefore the default for max_wal_size has been set to 1GB, much larger than the old default for checkpoint_segments. Also note that standby servers perform restartpoints to try to limit their WAL space consumption to max_wal_size; previously they did not pay any attention to checkpoint_segments.
Control the Linux OOM killer via new environment variables PG_OOM_ADJUST_FILE and PG_OOM_ADJUST_VALUE (Gurjeet Singh)
The previous OOM control infrastructure involved compile-time options LINUX_OOM_SCORE_ADJ and LINUX_OOM_ADJ, which are no longer supported. The new behavior is available in all builds.
Allow recording of transaction commit time stamps when configuration parameter track_commit_timestamp is enabled (Álvaro Herrera, Petr Jelínek)
Time stamp information can be accessed using functions pg_xact_commit_timestamp() and pg_last_committed_xact().
Allow local_preload_libraries to be set by ALTER ROLE SET (Peter Eisentraut, Kyotaro Horiguchi)
Allow autovacuum workers to respond to configuration parameter changes during a run (Michael Paquier)
Make configuration parameter debug_assertions read-only (Andres Freund)
This means that assertions can no longer be turned off if they were enabled at compile time, allowing for more efficient code optimization. This change also removes the postgres -A option.
Allow setting effective_io_concurrency on systems where it has no effect (Peter Eisentraut)
Add system view pg_file_settings to show the contents of the server's configuration files (Sawada Masahiko)
Add pending_restart to the system view pg_settings to indicate a change has been made but will not take effect until a database restart (Peter Eisentraut)
Allow ALTER SYSTEM values to be reset with ALTER SYSTEM RESET (Vik Fearing)
This command removes the specified setting from postgresql.auto.conf.
REPLICATION AND RECOVERY:
Create mechanisms for tracking the progress of replication, including methods for identifying the origin of individual changes during logical replication (Andres Freund)
This is helpful when implementing replication solutions.
Rework truncation of the multixact commit log to be properly WAL-logged (Andres Freund)
This makes things substantially simpler and more robust.
Add recovery.conf parameter recovery_target_action to control post-recovery activity (Petr Jelínek)
This replaces the old parameter pause_at_recovery_target.
Add new archive_mode value always to allow standbys to always archive received WAL files (Fujii Masao)
Add configuration parameter wal_retrieve_retry_interval to control WAL read retry after failure (Alexey Vasiliev, Michael Paquier)
This is particularly helpful for warm standbys.
Allow compression of full-page images stored in WAL (Rahila Syed, Michael Paquier)
This feature reduces WAL volume, at the cost of more CPU time spent on WAL logging and WAL replay. It is controlled by a new configuration parameter wal_compression, which currently is off by default.
Archive WAL files with suffix .partial during standby promotion (Heikki Linnakangas)
Add configuration parameter log_replication_commands to log replication commands (Fujii Masao)
By default, replication commands, e.g. IDENTIFY_SYSTEM, are not logged, even when log_statement is set to all.
Report the processes holding replication slots in pg_replication_slots (Craig Ringer)
The new output column is active_pid.
Allow recovery.conf's primary_conninfo setting to use connection URIs, e.g. postgres:// (Alexander Shulgin)
QUERIES:
Allow INSERTs that would generate constraint conflicts to be turned into UPDATEs or ignored (Peter Geoghegan, Heikki Linnakangas, Andres Freund)
The syntax is INSERT ... ON CONFLICT DO NOTHING/UPDATE. This is the Postgres implementation of the popular UPSERT command.
Add GROUP BY analysis features GROUPING SETS, CUBE and ROLLUP (Andrew Gierth, Atri Sharma)
Allow setting multiple target columns in an UPDATE from the result of a single sub-SELECT (Tom Lane)
This is accomplished using the syntax UPDATE tab SET (col1, col2, ...) = (SELECT ...).
Add SELECT option SKIP LOCKED to skip locked rows (Thomas Munro)
This does not throw an error for locked rows like NOWAIT does.
Add SELECT option TABLESAMPLE to return a subset of a table (Petr Jelínek)
This feature supports the SQL-standard table sampling methods. In addition, there are provisions for user-defined table sampling methods.
Suggest possible matches for mistyped column names (Peter Geoghegan, Robert Haas)
UTILITY COMMANDS:
Add more details about sort ordering in EXPLAIN output (Marius Timmer, Lukas Kreft, Arne Scheffer)
Details include COLLATE, DESC, USING, and NULLS FIRST/LAST.
Make VACUUM log the number of pages skipped due to pins (Jim Nasby)
Make TRUNCATE properly update the pg_stat* tuple counters (Alexander Shulgin)
REINDEX:
Allow REINDEX to reindex an entire schema using the SCHEMA option (Sawada Masahiko)
Add VERBOSE option to REINDEX (Sawada Masahiko)
Prevent REINDEX DATABASE and SCHEMA from outputting object names, unless VERBOSE is used (Simon Riggs)
Remove obsolete FORCE option from REINDEX (Fujii Masao)
OBJECT MANIPULATION:
Add row-level security control (Craig Ringer, KaiGai Kohei, Adam Brightwell, Dean Rasheed, Stephen Frost)
This feature allows row-by-row control over which users can add, modify, or even see rows in a table. This is controlled by new commands CREATE/ALTER/DROP POLICY and ALTER TABLE ... ENABLE/DISABLE ROW SECURITY.
Allow changing of the WAL logging status of a table after creation with ALTER TABLE ... SET LOGGED / UNLOGGED (Fabrízio de Royes Mello)
Add IF NOT EXISTS clause to CREATE TABLE AS, CREATE INDEX, CREATE SEQUENCE, and CREATE MATERIALIZED VIEW (Fabrízio de Royes Mello)
Add support for IF EXISTS to ALTER TABLE ... RENAME CONSTRAINT (Bruce Momjian)
Allow some DDL commands to accept CURRENT_USER or SESSION_USER, meaning the current user or session user, in place of a specific user name (Kyotaro Horiguchi, Álvaro Herrera)
This feature is now supported in ALTER USER, ALTER GROUP, ALTER ROLE, GRANT, and ALTER object OWNER TO commands.
Support comments on domain constraints (Álvaro Herrera)
Reduce lock levels of some create and alter trigger and foreign key commands (Simon Riggs, Andreas Karlsson)
Allow LOCK TABLE ... ROW EXCLUSIVE MODE for those with INSERT privileges on the target table (Stephen Frost)
Previously this command required UPDATE, DELETE, or TRUNCATE privileges.
Apply table and domain CHECK constraints in order by name (Tom Lane)
The previous ordering was indeterminate.
Allow CREATE/ALTER DATABASE to manipulate datistemplate and datallowconn (Vik Fearing)
This allows these per-database settings to be changed without manually modifying the pg_database system catalog.
Foreign Tables:
Add support for IMPORT FOREIGN SCHEMA (Ronan Dunklau, Michael Paquier, Tom Lane)
This command allows automatic creation of local foreign tables that match the structure of existing tables on a remote server.
Allow CHECK constraints to be placed on foreign tables (Shigeru Hanada, Etsuro Fujita)
Such constraints are assumed to be enforced on the remote server, and are not enforced locally. However, they are assumed to hold for purposes of query optimization, such as constraint exclusion.
Allow foreign tables to participate in inheritance (Shigeru Hanada, Etsuro Fujita)
To let this work naturally, foreign tables are now allowed to have check constraints marked as not valid, and to set storage and OID characteristics, even though these operations are effectively no-ops for a foreign table.
Allow foreign data wrappers and custom scans to implement join pushdown (KaiGai Kohei)
Event Triggers:
Whenever a ddl_command_end event trigger is installed, capture details of DDL activity for it to inspect (Álvaro Herrera)
This information is available through a set-returning function pg_event_trigger_ddl_commands(), or by inspection of C data structures if that function doesn't provide enough detail.
Allow event triggers on table rewrites caused by ALTER TABLE (Dimitri Fontaine)
Add event trigger support for database-level COMMENT, SECURITY LABEL, and GRANT/REVOKE (Álvaro Herrera)
Add columns to the output of pg_event_trigger_dropped_objects (Álvaro Herrera)
This allows simpler processing of delete operations.
DATA TYPES:
Allow the xml data type to accept empty or all-whitespace content values (Peter Eisentraut)
This is required by the SQL/XML specification.
Allow macaddr input using the format xxxx-xxxx-xxxx (Herwin Weststrate)
Disallow non-SQL-standard syntax for interval with both precision and field specifications (Bruce Momjian)
Per the standard, such type specifications should be written as, for example, INTERVAL MINUTE TO SECOND(2). PostgreSQL formerly allowed this to be written as INTERVAL(2) MINUTE TO SECOND, but it must now be written in the standard way.
Add selectivity estimators for inet/cidr operators and improve estimators for text search functions (Emre Hasegeli, Tom Lane)
Add data types regrole and regnamespace to simplify entering and pretty-printing the OID of a role or namespace (Kyotaro Horiguchi)
JSON:
Add jsonb functions jsonb_set() and jsonb_pretty() (Dmitry Dolgov, Andrew Dunstan, Petr Jelínek)
Add jsonb generator functions to_jsonb(), jsonb_object(), jsonb_build_object(), jsonb_build_array(), jsonb_agg(), and jsonb_object_agg() (Andrew Dunstan)
Equivalent functions already existed for type json.
Reduce casting requirements to/from json and jsonb (Tom Lane)
Allow text, text array, and integer values to be subtracted from jsonb documents (Dmitry Dolgov, Andrew Dunstan)
Add jsonb || operator (Dmitry Dolgov, Andrew Dunstan)
Add json_strip_nulls() and jsonb_strip_nulls() functions to remove JSON null values from documents (Andrew Dunstan)
Functions:
Add generate_series() for numeric values (Plato Malugin)
Allow array_agg() and ARRAY() to take arrays as inputs (Ali Akbar, Tom Lane)
Add functions array_position() and array_positions() to return subscripts of array values (Pavel Stehule)
Add a point-to-polygon distance operator (Alexander Korotkov)
Allow multibyte characters as escapes in SIMILAR TO and SUBSTRING (Jeff Davis)
Previously, only a single-byte character was allowed as an escape.
Add a width_bucket() variant that supports any sortable data type and non-uniform bucket widths (Petr Jelínek)
Add an optional missing_ok argument to pg_read_file() and related functions (Michael Paquier, Heikki Linnakangas)
Allow => to specify named parameters in function calls (Pavel Stehule)
Previously only := could be used. This requires removing the possibility for => to be a user-defined operator. Creation of user-defined => operators has been issuing warnings since PostgreSQL 9.0.
Add POSIX-compliant rounding for platforms that use PostgreSQL-supplied rounding functions (Pedro Gimeno Fortea)
System Information Functions and Views:
Add function pg_get_object_address() to return OIDs that uniquely identify an object, and function pg_identify_object_as_address() to return object information based on OIDs (Álvaro Herrera)
Loosen security checks for viewing queries in pg_stat_activity, executing pg_cancel_backend(), and executing pg_terminate_backend() (Stephen Frost)
Previously, only the specific role owning the target session could perform these operations; now membership in that role is sufficient.
Add pg_stat_get_snapshot_timestamp() to output the time stamp of the statistics snapshot (Matt Kelly)
This represents the last time the snapshot file was written to the file system.
Add mxid_age() to compute multi-xid age (Bruce Momjian)
Aggregates:
Add min()/max() aggregates for inet/cidr data types (Haribabu Kommi)
Use 128-bit integers, where supported, as accumulators for some aggregate functions (Andreas Karlsson)
SERVER-SIDE LANGUAGES:
Improve support for composite types in PL/Python (Ed Behn, Ronan Dunklau)
This allows PL/Python functions to return arrays of composite types.
Reduce lossiness of PL/Python floating-point value conversions (Marko Kreen)
Allow specification of conversion routines between SQL data types and data types of procedural languages (Peter Eisentraut)
This change adds new commands CREATE/DROP TRANSFORM. This also adds optional transformations between the hstore and ltree types to/from PL/Perl and PL/Python.
PL/pgSQL Server-Side Language:
Improve PL/pgSQL array performance (Tom Lane)
Add an ASSERT statement in PL/pgSQL (Pavel Stehule)
Allow more PL/pgSQL keywords to be used as identifiers (Tom Lane)
Client Applications:
Move pg_archivecleanup, pg_test_fsync, pg_test_timing, and pg_xlogdump from contrib to src/bin (Peter Eisentraut)
This should result in these programs being installed by default in most installations.
Add pg_rewind, which allows re-synchronizing a master server after failback (Heikki Linnakangas)
Allow pg_receivexlog to manage physical replication slots (Michael Paquier)
This is controlled via new --create-slot and --drop-slot options.
Allow pg_receivexlog to synchronously flush WAL to storage using new --synchronous option (Furuya Osamu, Fujii Masao)
Without this, WAL files are fsync'ed only on close.
Allow vacuumdb to vacuum in parallel using new --jobs option (Dilip Kumar)
In vacuumdb, do not prompt for the same password repeatedly when multiple connections are necessary (Haribabu Kommi, Michael Paquier)
Add --verbose option to reindexdb (Sawada Masahiko)
Make pg_basebackup use a tablespace mapping file when using tar format, to support symbolic links and file paths of 100+ characters in length on MS Windows (Amit Kapila)
Add pg_xlogdump option --stats to display summary statistics (Abhijit Menon-Sen)
psql:
Allow psql to produce AsciiDoc output (Szymon Guz)
Add an errors mode that displays only failed commands to psql's ECHO variable (Pavel Stehule)
This behavior can also be selected with psql's -b option.
Provide separate column, header, and border linestyle control in psql's unicode linestyle (Pavel Stehule)
Single or double lines are supported; the default is single.
Add new option %l in psql's PROMPT variables to display the current multiline statement line number (Sawada Masahiko)
Add \pset option pager_min_lines to control pager invocation (Andrew Dunstan)
Improve psql line counting used when deciding to invoke the pager (Andrew Dunstan)
psql now fails if the file specified by an --output or --log-file switch cannot be written (Tom Lane, Daniel Verite)
Previously, it effectively ignored the switch in such cases.
Add psql tab completion when setting the search_path variable (Jeff Janes)
Currently only the first schema can be tab-completed.
Improve psql's tab completion for triggers and rules (Andreas Karlsson)
Backslash Commands:
Add psql \? help sections variables and options (Pavel Stehule)
\? variables shows psql's special variables and \? options shows the command-line options. \? commands shows the meta-commands, which is the traditional output and remains the default. These help displays can also be obtained with the command-line option --help=section.
Show tablespace size in psql's \db+ (Fabrízio de Royes Mello)
Show data type owners in psql's \dT+ (Magnus Hagander)
Allow psql's \watch to output \timing information (Fujii Masao)
Also prevent --echo-hidden from echoing \watch queries, since that is generally unwanted.
Make psql's \sf and \ef commands honor ECHO_HIDDEN (Andrew Dunstan)
Improve psql tab completion for \set, \unset, and :variable names (Pavel Stehule)
Allow tab completion of role names in psql \c commands (Ian Barwick)
pg_dump:
Allow pg_dump to share a snapshot taken by another session using --snapshot (Simon Riggs, Michael Paquier)
The remote snapshot must have been exported by pg_export_snapshot() or logical replication slot creation. This can be used to share a consistent snapshot across multiple pg_dump processes.
Support table sizes exceeding 8GB in tar archive format (Tom Lane)
The POSIX standard for tar format does not allow elements of a tar archive to exceed 8GB, but most modern implementations of tar support an extension that does allow it. Use the extension format when necessary, rather than failing.
Make pg_dump always print the server and pg_dump versions (Jing Wang)
Previously, version information was only printed in --verbose mode.
Remove the long-ignored -i/--ignore-version option from pg_dump, pg_dumpall, and pg_restore (Fujii Masao)
pg_ctl:
Support multiple pg_ctl -o options, concatenating their values (Bruce Momjian)
Allow control of pg_ctl's event source logging on MS Windows (MauMau)
This only controls pg_ctl, not the server, which has separate settings in postgresql.conf.
If the server's listen address is set to a wildcard value (0.0.0.0 in IPv4 or :: in IPv6), connect via the loopback address rather than trying to use the wildcard address literally (Kondo Yuta)
This fix primarily affects Windows, since on other platforms pg_ctl will prefer to use a Unix-domain socket.
pg_upgrade:
Move pg_upgrade from contrib to src/bin (Peter Eisentraut)
In connection with this change, the functionality previously provided by the pg_upgrade_support module has been moved into the core server.
Support multiple pg_upgrade -o/-O options, concatenating their values (Bruce Momjian)
Improve database collation comparisons in pg_upgrade (Heikki Linnakangas)
Remove support for upgrading from 8.3 clusters (Bruce Momjian)
pgbench:
Move pgbench from contrib to src/bin (Peter Eisentraut)
Fix calculation of TPS number "excluding connections establishing" (Tatsuo Ishii, Fabien Coelho)
The overhead for connection establishment was miscalculated whenever the number of pgbench threads was less than the number of client connections. Although this is clearly a bug, we won't back-patch it into pre-9.5 branches since it makes TPS numbers not comparable to previous results.
Allow counting of pgbench transactions that take over a specified amount of time (Fabien Coelho)
This is controlled by a new --latency-limit option.
Allow pgbench to generate Gaussian/exponential distributions using \setrandom (Kondo Mitsumasa, Fabien Coelho)
Allow pgbench's \set command to handle arithmetic expressions containing more than one operator, and add % (modulo) to the set of operators it supports (Robert Haas, Fabien Coelho)
Source Code:
Simplify WAL record format (Heikki Linnakangas)
This allows external tools to more easily track what blocks are modified.
Improve the representation of transaction commit and abort WAL records (Andres Freund)
Add atomic memory operations API (Andres Freund)
Allow custom path and scan methods (KaiGai Kohei, Tom Lane)
This allows extensions greater control over the optimizer and executor.
Allow foreign data wrappers to do post-filter locking (Etsuro Fujita)
Foreign tables can now take part in INSERT ... ON CONFLICT DO NOTHING queries (Peter Geoghegan, Heikki Linnakangas, Andres Freund)
Foreign data wrappers must be modified to handle this. INSERT ... ON CONFLICT DO UPDATE is not supported on foreign tables.
Improve hash_create()'s API for selecting simple-binary-key hash functions (Teodor Sigaev, Tom Lane)
Improve parallel execution infrastructure (Robert Haas, Amit Kapila, Noah Misch, Rushabh Lathia, Jeevan Chalke)
Remove Alpha (CPU) and Tru64 (OS) ports (Andres Freund)
Remove swap-byte-based spinlock implementation for ARMv5 and earlier CPUs (Robert Haas)
ARMv5's weak memory ordering made this locking implementation unsafe. Spinlock support is still possible on newer gcc implementations with atomics support.
Generate an error when excessively long (100+ character) file paths are written to tar files (Peter Eisentraut)
Tar does not support such overly-long paths.
Change index operator class for columns pg_seclabel.provider and pg_shseclabel.provider to be text_pattern_ops (Tom Lane)
This avoids possible problems with these indexes when different databases of a cluster have different default collations.
Change the spinlock primitives to function as compiler barriers (Robert Haas)
ADDITIONAL MODULES:
Add statistics for minimum, maximum, mean, and standard deviation times to pg_stat_statements (Mitsumasa Kondo, Andrew Dunstan)
Add pgcrypto function pgp_armor_headers() to extract PGP armor headers (Marko Tiikkaja, Heikki Linnakangas)
Allow empty replacement strings in unaccent (Mohammad Alhashash)
This is useful in languages where diacritic signs are represented as separate characters.
Allow multicharacter source strings in unaccent (Tom Lane)
This could be useful in languages where diacritic signs are represented as separate characters. It also allows more complex unaccent dictionaries.
Add contrib modules tsm_system_rows and tsm_system_time to allow additional table sampling methods (Petr Jelínek)
Add GIN index inspection functions to pageinspect (Heikki Linnakangas, Peter Geoghegan, Michael Paquier)
Add information about buffer pins to pg_buffercache display (Andres Freund)
Allow pgstattuple to report approximate answers with less overhead using pgstattuple_approx() (Abhijit Menon-Sen)
Move dummy_seclabel, test_shm_mq, test_parser, and worker_spi from contrib to src/test/modules (Álvaro Herrera)
These modules are only meant for server testing, so they do not need to be built or installed when packaging PostgreSQL.

New in PostgreSQL 9.5.0 RC 1 (Dec 19, 2015)

New in PostgreSQL 9.5.0 Beta 2 (Nov 12, 2015)

New in PostgreSQL 9.4.5 (Oct 8, 2015)

Changes:
Guard against stack overflows in json parsing (Oskari Saarenmaa)
If an application constructs PostgreSQL json or jsonb values from arbitrary user input, the application's users can reliably crash the PostgreSQL server, causing momentary denial of service. (CVE-2015-5289)
Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh Kupershmidt)
Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. (CVE-2015-5288)
Fix subtransaction cleanup after a portal (cursor) belonging to an outer subtransaction fails (Tom Lane, Michael Paquier)
A function executed in an outer-subtransaction cursor could cause an assertion failure or crash by referencing a relation created within an inner subtransaction.
Fix possible deadlock during WAL insertion when commit_delay is set (Heikki Linnakangas)
Ensure all relations referred to by an updatable view are properly locked during an update statement (Dean Rasheed)
Fix insertion of relations into the relation cache "init file" (Tom Lane)
An oversight in a patch in the most recent minor releases caused pg_trigger_tgrelid_tgname_index to be omitted from the init file. Subsequent sessions detected this, then deemed the init file to be broken and silently ignored it, resulting in a significant degradation in session startup time. In addition to fixing the bug, install some guards so that any similar future mistake will be more obvious.
Avoid O(N^2) behavior when inserting many tuples into a SPI query result (Neil Conway)
Improve LISTEN startup time when there are many unread notifications (Matt Newell)
Fix performance problem when a session alters large numbers of foreign key constraints (Jan Wieck, Tom Lane)
This was seen primarily when restoring pg_dump output for databases with many thousands of tables.
Disable SSL renegotiation by default (Michael Paquier, Andres Freund)
While use of SSL renegotiation is a good idea in theory, we have seen too many bugs in practice, both in the underlying OpenSSL library and in our usage of it. Renegotiation will be removed entirely in 9.5 and later. In the older branches, just change the default value of ssl_renegotiation_limit to zero (disabled).
Lower the minimum values of the *_freeze_max_age parameters (Andres Freund)
This is mainly to make tests of related behavior less time-consuming, but it may also be of value for installations with limited disk space.
Limit the maximum value of wal_buffers to 2GB to avoid server crashes (Josh Berkus)
Avoid logging complaints when a parameter that can only be set at server start appears multiple times in postgresql.conf, and fix counting of line numbers after an include_dir directive (Tom Lane)
Fix rare internal overflow in multiplication of numeric values (Dean Rasheed)
Guard against hard-to-reach stack overflows involving record types, range types, json, jsonb, tsquery, ltxtquery and query_int (Noah Misch)
Fix handling of DOW and DOY in datetime input (Greg Stark)
These tokens aren't meant to be used in datetime values, but previously they resulted in opaque internal error messages rather than "invalid input syntax".
Add more query-cancel checks to regular expression matching (Tom Lane)
Add recursion depth protections to regular expression, SIMILAR TO, and LIKE matching (Tom Lane)
Suitable search patterns and a low stack depth limit could lead to stack-overrun crashes.
Fix potential infinite loop in regular expression execution (Tom Lane)
A search pattern that can apparently match a zero-length string, but actually doesn't match because of a back reference, could lead to an infinite loop.
In regular expression execution, correctly record match data for capturing parentheses within a quantifier even when the match is zero-length (Tom Lane)
Fix low-memory failures in regular expression compilation (Andreas Seltenreich)
Fix low-probability memory leak during regular expression execution (Tom Lane)
Fix rare low-memory failure in lock cleanup during transaction abort (Tom Lane)
Fix "unexpected out-of-memory situation during sort" errors when using tuplestores with small work_mem settings (Tom Lane)
Fix very-low-probability stack overrun in qsort (Tom Lane)
Fix "invalid memory alloc request size" failure in hash joins with large work_mem settings (Tomas Vondra, Tom Lane)
Fix assorted planner bugs (Tom Lane)
These mistakes could lead to incorrect query plans that would give wrong answers, or to assertion failures in assert-enabled builds, or to odd planner errors such as "could not devise a query plan for the given query", "could not find pathkey item to sort", "plan should not reference subplan's variable", or "failed to assign all NestLoopParams to plan nodes". Thanks are due to Andreas Seltenreich and Piotr Stefaniak for fuzz testing that exposed these problems.
Improve planner's performance for UPDATE/DELETE on large inheritance sets (Tom Lane, Dean Rasheed)
Ensure standby promotion trigger files are removed at postmaster startup (Michael Paquier, Fujii Masao)
This prevents unwanted promotion from occurring if these files appear in a database backup that is used to initialize a new standby server.
During postmaster shutdown, ensure that per-socket lock files are removed and listen sockets are closed before we remove the postmaster.pid file (Tom Lane)
This avoids race-condition failures if an external script attempts to start a new postmaster as soon as pg_ctl stop returns.
Ensure that the postmaster does not exit until all its child processes are gone, even in an immediate shutdown (Tom Lane)
Like the previous item, this avoids possible race conditions against a subsequently-started postmaster.
Fix postmaster's handling of a startup-process crash during crash recovery (Tom Lane)
If, during a crash recovery cycle, the startup process crashes without having restored database consistency, we'd try to launch a new startup process, which typically would just crash again, leading to an infinite loop.
Make emergency autovacuuming for multixact wraparound more robust (Andres Freund)
Do not print a WARNING when an autovacuum worker is already gone when we attempt to signal it, and reduce log verbosity for such signals (Tom Lane)
Prevent autovacuum launcher from sleeping unduly long if the server clock is moved backwards a large amount (Álvaro Herrera)
Ensure that cleanup of a GIN index's pending-insertions list is interruptable by cancel requests (Jeff Janes)
Allow all-zeroes pages in GIN indexes to be reused (Heikki Linnakangas)
Such a page might be left behind after a crash.
Fix handling of all-zeroes pages in SP-GiST indexes (Heikki Linnakangas)
VACUUM attempted to recycle such pages, but did so in a way that wasn't crash-safe.
Fix off-by-one error that led to otherwise-harmless warnings about "apparent wraparound" in subtrans/multixact truncation (Thomas Munro)
Fix misreporting of CONTINUE and MOVE statement types in PL/pgSQL's error context messages (Pavel Stehule, Tom Lane)
Fix PL/Perl to handle non-ASCII error message texts correctly (Alex Hunsaker)
Fix PL/Python crash when returning the string representation of a record result (Tom Lane)
Fix some places in PL/Tcl that neglected to check for failure of malloc() calls (Michael Paquier, Álvaro Herrera)
In contrib/isn, fix output of ISBN-13 numbers that begin with 979 (Fabien Coelho)
EANs beginning with 979 (but not 9790) are considered ISBNs, but they must be printed in the new 13-digit format, not the 10-digit format.
Improve contrib/pg_stat_statements' handling of query-text garbage collection (Peter Geoghegan)
The external file containing query texts could bloat to very large sizes; once it got past 1GB attempts to trim it would fail, soon leading to situations where the file could not be read at all.
Improve contrib/postgres_fdw's handling of collation-related decisions (Tom Lane)
The main user-visible effect is expected to be that comparisons involving varchar columns will be sent to the remote server for execution in more cases than before.
Improve libpq's handling of out-of-memory conditions (Michael Paquier, Heikki Linnakangas)
Fix memory leaks and missing out-of-memory checks in ecpg (Michael Paquier)
Fix psql's code for locale-aware formatting of numeric output (Tom Lane)
The formatting code invoked by \pset numericlocale on did the wrong thing for some uncommon cases such as numbers with an exponent but no decimal point. It could also mangle already-localized output from the money data type.
Prevent crash in psql's \c command when there is no current connection (Noah Misch)
Make pg_dump handle inherited NOT VALID check constraints correctly (Tom Lane)
Fix selection of default zlib compression level in pg_dump's directory output format (Andrew Dunstan)
Ensure that temporary files created during a pg_dump run with tar-format output are not world-readable (Michael Paquier)
Fix pg_dump and pg_upgrade to support cases where the postgres or template1 database is in a non-default tablespace (Marti Raudsepp, Bruce Momjian)
Fix pg_dump to handle object privileges sanely when dumping from a server too old to have a particular privilege type (Tom Lane)
When dumping data types from pre-9.2 servers, and when dumping functions or procedural languages from pre-7.3 servers, pg_dump would produce GRANT/REVOKE commands that revoked the owner's grantable privileges and instead granted all privileges to PUBLIC. Since the privileges involved are just USAGE and EXECUTE, this isn't a security problem, but it's certainly a surprising representation of the older systems' behavior. Fix it to leave the default privilege state alone in these cases.
Fix pg_dump to dump shell types (Tom Lane)
Shell types (that is, not-yet-fully-defined types) aren't useful for much, but nonetheless pg_dump should dump them.
Fix assorted minor memory leaks in pg_dump and other client-side programs (Michael Paquier)
Fix pgbench's progress-report behavior when a query, or pgbench itself, gets stuck (Fabien Coelho)
Fix spinlock assembly code for Alpha hardware (Tom Lane)
Fix spinlock assembly code for PPC hardware to be compatible with AIX's native assembler (Tom Lane)
Building with gcc didn't work if gcc had been configured to use the native assembler, which is becoming more common.
On AIX, test the -qlonglong compiler option rather than just assuming it's safe to use (Noah Misch)
On AIX, use -Wl,-brtllib link option to allow symbols to be resolved at runtime (Noah Misch)
Perl relies on this ability in 5.8.0 and later.
Avoid use of inline functions when compiling with 32-bit xlc, due to compiler bugs (Noah Misch)
Use librt for sched_yield() when necessary, which it is on some Solaris versions (Oskari Saarenmaa)
Translate encoding UHC as Windows code page 949 (Noah Misch)
This fixes presentation of non-ASCII log messages from processes that are not attached to any particular database, such as the postmaster.
On Windows, avoid failure when doing encoding conversion to UTF16 outside a transaction, such as for log messages (Noah Misch)
Fix postmaster startup failure due to not copying setlocale()'s return value (Noah Misch)
This has been reported on Windows systems with the ANSI code page set to CP936 ("Chinese (Simplified, PRC)"), and may occur with other multibyte code pages.
Fix Windows install.bat script to handle target directory names that contain spaces (Heikki Linnakangas)
Make the numeric form of the PostgreSQL version number (e.g., 90405) readily available to extension Makefiles, as a variable named VERSION_NUM (Michael Paquier)
Update time zone data files to tzdata release 2015g for DST law changes in Cayman Islands, Fiji, Moldova, Morocco, Norfolk Island, North Korea, Turkey, and Uruguay. There is a new zone name America/Fort_Nelson for the Canadian Northern Rockies.

New in PostgreSQL 9.5.0 Beta 1 (Oct 8, 2015)

New in PostgreSQL 9.5.0 Alpha 2 (Aug 7, 2015)

New in PostgreSQL 9.4.4-1 (Jun 13, 2015)

New in PostgreSQL 9.4.3-1 (Jun 4, 2015)

New in PostgreSQL 9.4.2-1 (May 22, 2015)

DATA CORRUPTION FIX:
For users of PostgreSQL versions 9.3 or 9.4, this release fixes a problem where the database will fail to protect against "multixact wraparound", resulting in data corruption or loss. Users with a high transaction rate (1 million or more per hour) in a database with many foreign keys are especially vulnerable. We strongly urge all users of 9.4 and 9.3 to update their installations in the next few days.
Users of versions 9.2 and earlier are not affected by this issue.
SECURITY FIXES:
Additionally, we are recommending that all users who use Kerberos, GSSAPI, or SSPI authentication set include_realm to 1 in pg_hba.conf, which will become the default in future versions.
This update fixes three security vulnerabilities reported in PostgreSQL over the past few months. Nether of these issues is seen as particularly urgent. However, users should examine them in case their installations are vulnerable:
CVE-2015-3165 Double "free" after authentication timeout.
CVE-2015-3166 Unanticipated errors from the standard library.
CVE-2015-3167 pgcrypto has multiple error messages for decryption with an incorrect key.
More information about these issues, as well as older patched issues, is available on the PostgreSQL Security Page.
OTHER FIXES AND IMPROVEMENTS:
A new, non-default version of the citext extension fixes its previously undocumented regexp_matches() functions to align with the ordinary text version of those functions. The fixed version has a different return type than the old version, so users of CIText should test their applications before updating the function by running "ALTER EXTENSION citext UPDATE".
In addition to the above, more than 50 reported issues have been fixed in this cumulative update release. Most of the issues named affect all supported versions.
These fixes include:
Render infinite dates and timestamps as infinity when converting to json
Fix json/jsonb's populate_record() and to_record()
Fix incorrect checking of deferred exclusion constraints
Improve planning of star-schema-style queries
Fix three issues with joins
Ensure correct locking with security barrier views
Fix deadlock at startup when max_prepared_transactions is too small
Recursively fsync() the data directory after a crash
Fix autovacuum launcher's possible failure to shut down
Cope with unexpected signals in LockBufferForCleanup()
Fix crash when doing COPY IN to a table with check constraints
Avoid waiting for synchronous replication of read-only transactions
Fix two issues with hash indexes
Prevent memory leaks in GIN index vacuum
Fix two issues with background workers
Several fixes to Logical Decoding replication
Fix several minor issues with pg_dump and pg_upgrade
This release includes an update to tzdata release 2015d, with updates to Egypt, Mongolia, and Palestine, plus historical changes in Canada and Chile.

New in PostgreSQL 9.4.1-2 (Apr 29, 2015)

New in PostgreSQL 9.4.1-1 (Feb 6, 2015)

Fix buffer overruns in to_char() (Bruce Momjian):
 When to_char() processes a numeric formatting template calling for a large number of digits, PostgreSQL would read past the end of a buffer. When processing a crafted timestamp formatting template, PostgreSQL would write past the end of a buffer. Either case could crash the server. We have not ruled out the possibility of attacks that lead to privilege escalation, though they seem unlikely. (CVE-2015-0241) 
Fix buffer overrun in replacement *printf() functions (Tom Lane): 
PostgreSQL includes a replacement implementation of printf and related functions. This code will overrun a stack buffer when formatting a floating point number (conversion specifiers e, E, f, F, g or G) with requested precision greater than about 500. This will crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. A database user can trigger such a buffer overrun through the to_char() SQL function. While that is the only affected core PostgreSQL functionality, extension modules that use printf-family functions may be at risk as well. This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of these functions where adequate, which it is on other modern platforms. (CVE-2015-0242) 
Fix buffer overruns in contrib/pgcrypto (Marko Tiikkaja, Noah Misch):
 Errors in memory size tracking within the pgcrypto module permitted stack buffer overruns and improper dependence on the contents of uninitialized memory. The buffer overrun cases can crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. (CVE-2015-0243) 
Fix possible loss of frontend/backend protocol synchronization after an error (Heikki Linnakangas):
 If any error occurred while the server was in the middle of reading a protocol message from the client, it could lose synchronization and incorrectly try to interpret part of the message's data as a new protocol message. An attacker able to submit crafted binary data within a command parameter might succeed in injecting his own SQL commands this way. Statement timeout and query cancellation are the most likely sources of errors triggering this scenario. Particularly vulnerable are applications that use a timeout and also submit arbitrary user-crafted data as binary query parameters. Disabling statement timeout will reduce, but not eliminate, the risk of exploit. Our thanks to Emil Lenngren for reporting this issue. (CVE-2015-0244) 
Fix information leak via constraint-violation error messages (Stephen Frost): 
Some server error messages show the values of columns that violate a constraint, such as a unique constraint. If the user does not have SELECT privilege on all columns of the table, this could mean exposing values that the user should not be able to see. Adjust the code so that values are displayed only when they came from the SQL command or could be selected by the user. (CVE-2014-8161) 
Lock down regression testing's temporary installations on Windows (Noah Misch):
 Use SSPI authentication to allow connections only from the OS user who launched the test suite. This closes on Windows the same vulnerability previously closed on other platforms, namely that other users might be able to connect to the test postmaster. (CVE-2014-0067) 
Fix use-of-already-freed-memory problem in EvalPlanQual processing (Tom Lane): 
In READ COMMITTED mode, queries that lock or update recently-updated rows could crash as a result of this bug. 
Fix jsonb Unicode escape processing, and in consequence disallow \u0000 (Tom Lane): 
Previously, the JSON Unicode escape \u0000 was accepted and was stored as those six characters; but that is indistinguishable from what is stored for the input \\u0000, resulting in ambiguity. Moreover, in cases where de-escaped textual output is expected, such as the ->> operator, the sequence was printed as \u0000, which does not meet the expectation that JSON escaping would be removed. (Consistent behavior would require emitting a zero byte, but PostgreSQL does not support zero bytes embedded in text strings.) 9.4.0 included an ill-advised attempt to improve this situation by adjusting JSON output conversion rules; but of course that could not fix the fundamental ambiguity, and it turned out to break other usages of Unicode escape sequences. Revert that, and to avoid the core problem, reject \u0000 in jsonb input. If a jsonb column contains a \u0000 value stored with 9.4.0, it will henceforth read out as though it were \\u0000, which is the other valid interpretation of the data stored by 9.4.0 for this case.  The json type did not have the storage-ambiguity problem, but it did have the problem of inconsistent de-escaped textual output. Therefore \u0000 will now also be rejected in json values when conversion to de-escaped form is required. This change does not break the ability to store \u0000 in json columns so long as no processing is done on the values. This is exactly parallel to the cases in which non-ASCII Unicode escapes are allowed when the database encoding is not UTF8. 
Fix namespace handling in xpath() (Ali Akbar):
 Previously, the xml value resulting from an xpath() call would not have namespace declarations if the namespace declarations were attached to an ancestor element in the input xml value, rather than to the specific element being returned. Propagate the ancestral declaration so that the result is correct when considered in isolation. 
Fix assorted oversights in range-operator selectivity estimation (Emre Hasegeli): 
This patch fixes corner-case "unexpected operator NNNN" planner errors, and improves the selectivity estimates for some other cases. 
Revert unintended reduction in maximum size of a GIN index item (Heikki Linnakangas): 
9.4.0 could fail with "index row size exceeds maximum" errors for data that previous versions would accept. 
Change "pgstat wait timeout" warning message to be LOG level, and rephrase it to be more understandable (Tom Lane): 
This message was originally thought to be essentially a can't-happen case, but it occurs often enough on our slower buildfarm members to be a nuisance. Reduce it to LOG level, and expend a bit more effort on the wording: it now reads "using stale statistics instead of current ones because stats collector is not responding". 
Fix libpq's behavior when /etc/passwd isn't readable (Tom Lane):
 While doing PQsetdbLogin(), libpq attempts to ascertain the user's operating system name, which on most Unix platforms involves reading /etc/passwd. As of 9.4, failure to do that was treated as a hard error. Restore the previous behavior, which was to fail only if the application does not provide a database role name to connect as. This supports operation in chroot environments that lack an /etc/passwd file. 
Improve consistency of parsing of psql's special variables (Tom Lane):
 Allow variant spellings of on and off (such as 1/0) for ECHO_HIDDEN and ON_ERROR_ROLLBACK. Report a warning for unrecognized values for COMP_KEYWORD_CASE, ECHO, ECHO_HIDDEN, HISTCONTROL, ON_ERROR_ROLLBACK, and VERBOSITY. Recognize all values for all these variables case-insensitively; previously there was a mishmash of case-sensitive and case-insensitive behaviors. 
Handle unexpected query results, especially NULLs, safely in contrib/tablefunc's connectby() (Michael Paquier): connectby() previously crashed if it encountered a NULL key value. It now prints that row but doesn't recurse further. 
Numerous cleanups of warnings from Coverity static code analyzer (Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier): 
These changes are mostly cosmetic but in some cases fix corner-case bugs, for example a crash rather than a proper error report after an out-of-memory failure. None are believed to represent security issues. 
Allow CFLAGS from configure's environment to override automatically-supplied CFLAGS (Tom Lane): 
Previously, configure would add any switches that it chose of its own accord to the end of the user-specified CFLAGS string. Since most compilers process switches left-to-right, this meant that configure's choices would override the user-specified flags in case of conflicts. That should work the other way around, so adjust the logic to put the user's string at the end not the beginning. 
Make pg_regress remove any temporary installation it created upon successful exit (Tom Lane):
 This results in a very substantial reduction in disk space usage during make check-world, since that sequence involves creation of numerous temporary installations. 
Miscellaneous changes:
Add CST (China Standard Time) to our lists of timezone abbreviations (Tom Lane) Update time zone data files to tzdata release 2015a for DST law changes in Chile and Mexico, plus historical changes in Iceland. Avoid possible deadlock while trying to acquire tuple locks in EvalPlanQual processing (Álvaro Herrera, Mark Kirkwood) Fix failure to wait when a transaction tries to acquire a FOR NO KEY EXCLUSIVE tuple lock, while multiple other transactions currently hold FOR SHARE locks (Álvaro Herrera) Improve performance of EXPLAIN with large range tables (Tom Lane) Fix query-duration memory leak during repeated GIN index rescans (Heikki Linnakangas) Fix possible crash when using nonzero gin_fuzzy_search_limit (Heikki Linnakangas) Assorted fixes for logical decoding (Andres Freund) Fix incorrect replay of WAL parameter change records that report changes in the wal_log_hints setting (Petr Jalinek) Warn if OS X's setlocale() starts an unwanted extra thread inside the postmaster (Noah Misch) Fix pg_dump to handle comments on event triggers without failing (Tom Lane) Allow parallel pg_dump to use --serializable-deferrable (Kevin Grittner) Prevent WAL files created by pg_basebackup -x/-X from being archived again when the standby is promoted (Andres Freund)

New in PostgreSQL 9.4.0-1 (Dec 20, 2014)

Major enhancements in PostgreSQL 9.4 include:
Add jsonb, a more capable and efficient data type for storing JSON data
Add new SQL command ALTER SYSTEM for changing postgresql.conf configuration file entries
Reduce lock strength for some ALTER TABLE commands
Allow materialized views to be refreshed without blocking concurrent reads
Add support for logical decoding of WAL data, to allow database changes to be streamed out in a customizable format
Allow background worker processes to be dynamically registered, started and terminated
Server:
Allow background worker processes to be dynamically registered, started and terminated
The new worker_spi module shows an example of use of this feature.
Allow dynamic allocation of shared memory segments
This feature is illustrated in the test_shm_mq module.
During crash recovery or immediate shutdown, send uncatchable termination signals (SIGKILL) to child processes that do not shut down promptly
This reduces the likelihood of leaving orphaned child processes behind after postmaster shutdown, as well as ensuring that crash recovery can proceed if some child processes have become "stuck".
Improve randomness of the database system identifier
Make VACUUM properly report dead but not-yet-removable rows to the statistics collector
Previously these were reported as live rows.
Indexes:
Reduce GIN index size
Indexes upgraded via pg_upgrade will work fine but will still be in the old, larger GIN format. Use REINDEX to recreate old GIN indexes in the new format
Improve speed of multi-key GIN lookups
Add GiST index support for inet and cidr data types
Such indexes improve subnet and supernet lookups and ordering comparisons
Fix rare race condition in B-tree page deletion
Make the handling of interrupted B-tree page splits more robust
General Performance:
Allow multiple backends to insert into WAL buffers concurrently
This improves parallel write performance.
Conditionally write only the modified portion of updated rows to WAL
Improve performance of aggregate functions used as window functions
Improve speed of aggregates that use numeric state values
Attempt to freeze tuples when tables are rewritten with CLUSTER or VACUUM FULL
This can avoid the need to freeze the tuples in the future.
Improve speed of COPY with default nextval() columns
Improve speed of accessing many different sequences in the same session
Raise hard limit on the number of tuples held in memory during sorting and B-tree index builds
Reduce memory allocated by PL/pgSQL DO blocks
Make the planner more aggressive about extracting restriction clauses from mixed AND/OR clauses
Disallow pushing volatile WHERE clauses down into DISTINCT subqueries
Pushing down a WHERE clause can produce a more efficient plan overall, but at the cost of evaluating the clause more often than is implied by the text of the query; so don't do it if the clause contains any volatile functions.
Auto-resize the catalog caches
This reduces memory consumption for sessions accessing only a few tables, and improves performance for sessions accessing many tables.
Monitoring:
Add pg_stat_archiver system view to report WAL archiver activity
Add n_mod_since_analyze columns to pg_stat_all_tables and related system views
These columns expose the system's estimate of the number of changed tuples since the table's last ANALYZE. This estimate drives decisions about when to auto-analyze.
Add backend_xid and backend_xmin columns to the system view pg_stat_activity, and a backend_xmin column to pg_stat_replication
SSL:
Add support for SSL ECDH key exchange
This allows use of Elliptic Curve keys for server authentication. Such keys are faster and have better security than RSA keys. The new configuration parameter ssl_ecdh_curve controls which curve is used for ECDH.
Improve the default ssl_ciphers setting
By default, the server not the client now controls the preference order of SSL ciphers
Previously, the order specified by ssl_ciphers was usually ignored in favor of client-side defaults, which are not configurable in most PostgreSQL clients. If desired, the old behavior can be restored via the new configuration parameter ssl_prefer_server_ciphers.
Make log_connections show SSL encryption information (Andreas Kunert)
Improve SSL renegotiation handling
Server Settings:
Add new SQL command ALTER SYSTEM for changing postgresql.conf configuration file entries
Previously such settings could only be changed by manually editing postgresql.conf.
Add autovacuum_work_mem configuration parameter to control the amount of memory used by autovacuum workers
Add huge_pages parameter to allow using huge memory pages on Linux
This can improve performance on large-memory systems.
Add max_worker_processes parameter to limit the number of background workers
This is helpful in configuring a standby server to have the required number of worker processes (the same as the primary).
Add superuser-only session_preload_libraries parameter to load libraries at session start
In contrast to local_preload_libraries, this parameter can load any shared library, not just those in the $libdir/plugins directory.
Add wal_log_hints parameter to enable WAL logging of hint-bit changes
Hint bit changes are not normally logged, except when checksums are enabled. This is useful for external tools like pg_rewind.
Increase the default settings of work_mem and maintenance_work_mem by four times
The new defaults are 4MB and 64MB respectively.
Increase the default setting of effective_cache_size to 4GB
Allow printf-style space padding to be specified in log_line_prefix (David Rowley)
Allow terabyte units (TB) to be used when specifying configuration variable values
Show PIDs of lock holders and waiters and improve information about relations in log_lock_waits log messages
Reduce server logging level when loading shared libraries
The previous level was LOG, which was too verbose for libraries loaded per-session.
On Windows, make SQL_ASCII-encoded databases and server processes (e.g., postmaster) emit messages in the character encoding of the server's Windows user locale
Previously these messages were output in the Windows ANSI code page.
Replication and Recovery:
Add replication slots to coordinate activity on streaming standbys with the node they are streaming from
Replication slots allow preservation of resources like WAL files on the primary until they are no longer needed by standby servers.
Add recovery parameter recovery_min_apply_delay to delay replication
Delaying replay on standby servers can be useful for recovering from user errors.
Add recovery_target option immediate to stop WAL recovery as soon as a consistent state is reached
Improve recovery target processing
The timestamp reported by pg_last_xact_replay_timestamp() now reflects already-committed records, not transactions about to be committed. Recovering to a restore point now replays the restore point, rather than stopping just before the restore point.
pg_switch_xlog() now clears any unused trailing space in the old WAL file
This improves the compression ratio for WAL files.
Report failure return codes from external recovery commands
Reduce spinlock contention during WAL replay
Write WAL records of running transactions more frequently
This allows standby servers to start faster and clean up resources more aggressively.
Logical Decoding - allows database changes to be streamed in a configurable format. The data is read from the WAL and transformed into the desired target format. To implement this feature, the following changes were made:
Add support for logical decoding of WAL data, to allow database changes to be streamed out in a customizable format
Add new wal_level setting logical to enable logical change-set encoding in WAL
Add table-level parameter REPLICA IDENTITY to control logical replication
Add relation option user_catalog_table to identify user-created tables involved in logical change-set encoding
Add pg_recvlogical application to receive logical-decoding data
Add test_decoding module to illustrate logical decoding at the SQL level
Queries:
Add WITH ORDINALITY syntax to number the rows returned from a set-returning function in the FROM clause
This is particularly useful for functions like unnest().
Add ROWS FROM() syntax to allow horizontal concatenation of set-returning functions in the FROM clause
Allow SELECT to have an empty target list
This was added so that views that select from a table with zero columns can be dumped and restored correctly.
Ensure that SELECT ... FOR UPDATE NOWAIT does not wait in corner cases involving already-concurrently-updated tuples
Utility Commands:
Add DISCARD SEQUENCES command to discard cached sequence-related state
DISCARD ALL will now also discard such information.
Add FORCE NULL option to COPY FROM, which causes quoted strings matching the specified null string to be converted to NULLs in CSV mode
Without this option, only unquoted matching strings will be imported as null values.
Issue warnings for commands used outside of transaction blocks when they can have no effect
New warnings are issued for SET LOCAL, SET CONSTRAINTS, SET TRANSACTION and ABORT when used outside a transaction block.
EXPLAIN:
Make EXPLAIN ANALYZE show planning time
Make EXPLAIN show the grouping columns in Agg and Group nodes
Make EXPLAIN ANALYZE show exact and lossy block counts in bitmap heap scans
Views:
Allow a materialized view to be refreshed without blocking other sessions from reading the view meanwhile
This is done with REFRESH MATERIALIZED VIEW CONCURRENTLY.
Allow views to be automatically updated even if they contain some non-updatable columns
Previously the presence of non-updatable output columns such as expressions, literals, and function calls prevented automatic updates. Now INSERTs, UPDATEs and DELETEs are supported, provided that they do not attempt to assign new values to any of the non-updatable columns.
Allow control over whether INSERTs and UPDATEs can add rows to an auto-updatable view that would not appear in the view
This is controlled with the new CREATE VIEW clause WITH CHECK OPTION.
Allow security barrier views to be automatically updatable
Object Manipulation:
Support triggers on foreign tables
Allow moving groups of objects from one tablespace to another using the ALL IN TABLESPACE ... SET TABLESPACE form of ALTER TABLE, ALTER INDEX, or ALTER MATERIALIZED VIEW
Allow changing foreign key constraint deferrability via ALTER TABLE ... ALTER CONSTRAINT
Reduce lock strength for some ALTER TABLE commands
Specifically, VALIDATE CONSTRAINT, CLUSTER ON, SET WITHOUT CLUSTER, ALTER COLUMN SET STATISTICS, ALTER COLUMN SET (attribute_option), ALTER COLUMN RESET (attribute_option) no longer require ACCESS EXCLUSIVE locks.
Allow tablespace options to be set in CREATE TABLESPACE (Vik Fearing)
Formerly these options could only be set via ALTER TABLESPACE.
Allow CREATE AGGREGATE to define the estimated size of the aggregate's transition state data
Proper use of this feature allows the planner to better estimate how much memory will be used by aggregates.
Fix DROP IF EXISTS to avoid errors for non-existent objects in more cases
Improve how system relations are identified
Previously, relations once moved into the pg_catalog schema could no longer be modified or dropped.
Data Types:
Fully implement the line data type
The line segment data type (lseg) has always been fully supported. The previous line data type (which was enabled only via a compile-time option) is not binary or dump-compatible with the new implementation.
Add pg_lsn data type to represent a WAL log sequence number (LSN)
Allow single-point polygons to be converted to circles (Bruce Momjian)
Support time zone abbreviations that change UTC offset from time to time
Previously, PostgreSQL assumed that the UTC offset associated with a time zone abbreviation (such as EST) never changes in the usage of any particular locale. However this assumption fails in the real world, so introduce the ability for a zone abbreviation to represent a UTC offset that sometimes changes. Update the zone abbreviation definition files to make use of this feature in timezone locales that have changed the UTC offset of their abbreviations since 1970 (according to the IANA timezone database). In such timezones, PostgreSQL will now associate the correct UTC offset with the abbreviation depending on the given date.
Allow 5+ digit years for non-ISO timestamp and date strings, where appropriate
JSON:
Add jsonb, a more capable and efficient data type for storing JSON data
This new type allows faster access to values within a JSON document, and faster and more useful indexing of JSON columns. Scalar values in jsonb documents are stored as appropriate scalar SQL types, and the JSON document structure is pre-parsed rather than being stored as text as in the original json data type.
Add new JSON functions to allow for the construction of arbitrarily complex JSON trees
New functions include json_array_elements_text(), json_build_array(), json_object(), json_object_agg(), json_to_record(), and json_to_recordset().
Add json_typeof() to return the data type of a json value (Andrew Tipton)
Add checks for overflow/underflow of interval values
Functions:
Add pg_sleep_for(interval) and pg_sleep_until(timestamp) to specify delays more flexibly
The existing pg_sleep() function only supports delays specified in seconds.
Add cardinality() function for arrays
This returns the total number of elements in the array, or zero for an array with no elements.
Add SQL functions to allow large object reads/writes at arbitrary offsets
Allow unnest() to take multiple arguments, which are individually unnested then horizontally concatenated
Add functions to construct times, dates, timestamps, timestamptzs, and intervals from individual values, rather than strings
These functions' names are prefixed with make_, e.g. make_date().
Make to_char()'s TZ format specifier return a useful value for simple numeric time zone offsets
Previously, to_char(CURRENT_TIMESTAMP, 'TZ') returned an empty string if the timezone was set to a constant like -4.
Add timezone offset format specifier OF to to_char()
Improve the random seed used for random()
Tighten validity checking for Unicode code points in chr(int)
This function now only accepts values that are valid UTF8 characters according to RFC 3629.
System Information Functions:
Add functions for looking up objects in pg_class, pg_proc, pg_type, and pg_operator that do not generate errors for non-existent objects
For example, to_regclass() does a lookup in pg_class similarly to the regclass input function, but it returns NULL for a non-existent object instead of failing.
Add function pg_filenode_relation() to allow for more efficient lookup of relation names from filenodes
Add parameter_default column to information_schema.parameters view
Make information_schema.schemata show all accessible schemas
Previously it only showed schemas owned by the current user.
Aggregates:
Add control over which rows are passed into aggregate functions via the FILTER clause
Support ordered-set (WITHIN GROUP) aggregates
Add standard ordered-set aggregates percentile_cont(), percentile_disc(), mode(), rank(), dense_rank(), percent_rank(), and cume_dist()
Support VARIADIC aggregate functions
Allow polymorphic aggregates to have non-polymorphic state data types
This allows proper declaration in SQL of aggregates like the built-in aggregate array_agg().
Server-Side Languages:
Add event trigger support to PL/Perl and PL/Tcl
Convert numeric values to decimal in PL/Python
Previously such values were converted to Python float values, risking loss of precision.
PL/pgSQL Server-Side Language:
Add ability to retrieve the current PL/PgSQL call stack using GET DIAGNOSTICS
Add option print_strict_params to display the parameters passed to a query that violated a STRICT constraint
Add variables plpgsql.extra_warnings and plpgsql.extra_errors to enable additional PL/pgSQL warnings and errors
Currently only warnings/errors about shadowed variables are available.
libpq:
Make libpq's PQconndefaults() function ignore invalid service files
Previously it returned NULL if an incorrect service file was encountered.
Accept TLS protocol versions beyond TLSv1 in libpq
Client Applications:
Add createuser option -g to specify role membership (Chistopher Browne)
Add vacuumdb option --analyze-in-stages to analyze in stages of increasing granularity
This allows minimal statistics to be created quickly.
Make pg_resetxlog with option -n output current and potentially changed values
Make initdb throw error for incorrect locale settings, rather than silently falling back to a default choice
Make pg_ctl return exit code 4 for an inaccessible data directory
This behavior more closely matches the Linux Standard Base (LSB) Core Specification.
On Windows, ensure that a non-absolute -D path specification is interpreted relative to pg_ctl's current directory
Previously it would be interpreted relative to whichever directory the underlying Windows service was started in.
Allow sizeof() in ECPG C array definitions
Make ECPG properly handle nesting of C-style comments in both C and SQL text
psql:
Suppress "No rows" output in psql expanded mode when the footer is disabled
Allow Control-C to abort psql when it's hung at connection startup
Backslash Commands:
Make psql's \db+ show tablespace options
Make \do+ display the functions that implement the operators
Make \d+ output an OID line only if an oid column exists in the table
Previously, the presence or absence of an oid column was always reported.
Make \d show disabled system triggers
Previously, if you disabled all triggers, only user triggers would show as disabled.
Fix \copy to no longer require a space between stdin and a semicolon
Output the row count at the end of \copy, just like COPY already did
Fix \conninfo to display the server's IP address for connections using hostaddr
Previously \conninfo could not display the server's IP address in such cases.
Show the SSL protocol version in \conninfo
Add tab completion for \pset
Allow \pset with no arguments to show all settings
Make \s display the name of the history file it wrote without converting it to an absolute path
The code previously attempted to convert a relative file name to an absolute path for display, but frequently got it wrong.
pg_dump:
Allow pg_restore options -I, -P, -T and -n to be specified multiple times
This allows multiple objects to be restored in one operation
Optionally add IF EXISTS clauses to the DROP commands emitted when removing old objects during a restore
This change prevents unnecessary errors when removing old objects. The new --if-exists option for pg_dump, pg_dumpall, and pg_restore is only available when --clean is also specified
pg_basebackup:
Add pg_basebackup option --xlogdir to specify the pg_xlog directory location
Allow pg_basebackup to relocate tablespaces in the backup copy
This is particularly useful for using pg_basebackup on the same machine as the primary.
Allow network-stream base backups to be throttled
This can be controlled with the pg_basebackup --max-rate parameter.
Source Code:
Improve the way tuples are frozen to preserve forensic information
This change removes the main objection to freezing tuples as soon as possible. Code that inspects tuple flag bits will need to be modified.
No longer require function prototypes for functions marked with the PG_FUNCTION_INFO_V1 macro
This change eliminates the need to write boilerplate prototypes. Note that the PG_FUNCTION_INFO_V1 macro must appear before the corresponding function definition to avoid compiler warnings.
Remove SnapshotNow and HeapTupleSatisfiesNow()
All existing uses have been switched to more appropriate snapshot types. Catalog scans now use MVCC snapshots.
Add an API to allow memory allocations over one gigabyte
Add psprintf() to simplify memory allocation during string composition
Support printf() size modifier z to print size_t values
Change API of appendStringInfoVA() to better use vsnprintf()
Allow new types of external toast datums to be created
Add single-reader, single-writer, lightweight shared message queue
Improve spinlock speed on x86_64 CPUs
Remove spinlock support for unsupported platforms SINIX, Sun3, and NS32K
Remove IRIX port
Reduce the number of semaphores required by --disable-spinlocks builds
Rewrite duplicate_oids Unix shell script in Perl
Add Test Anything Protocol (TAP) tests for client programs
Currently, these tests are run by make check-world only if the --enable-tap-tests option was given to configure. This might become the default behavior in some future release.
Add make targets check-tests and installcheck-tests, which allow selection of individual tests to be run
Remove maintainer-check makefile rule
The default build rules now include all the formerly-optional tests.
Improve support for VPATH builds of PGXS modules
Upgrade to Autoconf 2.69
Add a configure flag that appends custom text to the PG_VERSION string
This is useful for packagers building custom binaries.
Improve DocBook XML validity
Fix various minor security and sanity issues reported by the Coverity scanner
Improve detection of invalid memory usage when testing PostgreSQL with Valgrind
Improve sample Emacs configuration file emacs.samples
Also add .dir-locals.el to the top of the source tree.
Allow pgindent to accept a command-line list of typedefs
Make pgindent smarter about blank lines around preprocessor conditionals
Avoid most uses of dlltool in Cygwin and Mingw builds
Support client-only installs in MSVC (Windows) builds
Additional Modules:
Add pg_prewarm extension to preload relation data into the shared buffer cache at server start
This allows reaching full operating performance more quickly.
Add UUID random number generator gen_random_uuid() to pgcrypto
This allows creation of version 4 UUIDs without requiring installation of uuid-ossp.
Allow uuid-ossp to work with the BSD or e2fsprogs UUID libraries, not only the OSSP UUID library
This improves the uuid-ossp module's portability since it no longer has to have the increasingly-obsolete OSSP library. The module's name is now rather a misnomer, but we won't change it.
Add option to auto_explain to include trigger execution time
Fix pgstattuple to not report rows from uncommitted transactions as dead
Make pgstattuple functions use regclass-type arguments
While text-type arguments are still supported, they may be removed in a future major release.
Improve consistency of pgrowlocks output to honor snapshot rules more consistently
Improve pg_trgm's choice of trigrams for indexed regular expression searches
This change discourages use of trigrams containing whitespace, which are usually less selective.
Allow pg_xlogdump to report a live log stream with --follow
Store cube data more compactly
Existing data must be dumped/restored to use the new format. The old format can still be read.
Reduce vacuumlo client-side memory usage by using a cursor
Dramatically reduce memory consumption in pg_upgrade
Pass pg_upgrade's user name (-U) option to generated analyze scripts
pgbench:
Remove line length limit for pgbench scripts
The previous line limit was BUFSIZ
Add long option names to pgbench
Add pgbench option --rate to control the transaction rate
Add pgbench option --progress to print periodic progress reports
pg_stat_statements:
Make pg_stat_statements use a file, rather than shared memory, for query text storage
This removes the previous limitation on query text length, and allows a higher number of unique statements to be tracked by default
Allow reporting of pg_stat_statements's internal query hash identifier
Add the ability to retrieve all pg_stat_statements information except the query text
This allows monitoring tools to fetch query text only for just-created entries, improving performance during repeated querying of the statistics
Make pg_stat_statements ignore DEALLOCATE commands
It already ignored PREPARE, as well as planning time in general, so this seems more consistent
Save the statistics file into $PGDATA/pg_stat at server shutdown, rather than $PGDATA/global

New in PostgreSQL 9.4.0 Beta 3 (Oct 9, 2014)

New in PostgreSQL 9.4.0 Beta 2 (Jul 31, 2014)

New in PostgreSQL 9.3.5 (Jul 25, 2014)

In pg_upgrade, remove pg_multixact files left behind by initdb:
If you used a pre-9.3.5 version of pg_upgrade to upgrade a database cluster to 9.3, it might have left behind a file $PGDATA/pg_multixact/offsets/0000 that should not be there and will eventually cause problems in VACUUM. However, in common cases this file is actually valid and must not be removed.
Correctly initialize padding bytes in contrib/btree_gist indexes on bit columns:
This error could result in incorrect query results due to values that should compare equal not being seen as equal. Users with GiST indexes on bit or bit varying columns should REINDEX those indexes after installing this update.
Protect against torn pages when deleting GIN list pages:
This fix prevents possible index corruption if a system crash occurs while the page update is being written to disk.
Don't clear the right-link of a GiST index page while replaying updates from WAL:
This error could lead to transiently wrong answers from GiST index scans performed in Hot Standby.
Fix corner-case infinite loop during insertion into an SP-GiST text index
Fix incorrect answers from SP-GiST index searches with -|- (range adjacency) operator
Fix wraparound handling for pg_multixact/members
Truncate pg_multixact during checkpoints, not during VACUUM:
This change ensures that pg_multixact segments can't be removed if they'd still be needed during WAL replay after a crash.
Fix possible inconsistency of all-visible flags after WAL recovery
Fix possibly-incorrect cache invalidation during nested calls to ReceiveSharedInvalidMessages
Fix race condition when updating a tuple concurrently locked by another process
Fix "could not find pathkey item to sort" planner failures with UNION ALL over subqueries reading from tables with inheritance children
Don't assume a subquery's output is unique if there's a set-returning function in its targetlist:
This oversight could lead to misoptimization of constructs like WHERE x IN (SELECT y, generate_series(1,10) FROM t GROUP BY y).
Improve planner to drop constant-NULL inputs of AND/OR when possible:
This change fixes some cases where the more aggressive parameter substitution done by 9.2 and later can lead to a worse plan than older versions produced.
Ensure that the planner sees equivalent VARIADIC and non-VARIADIC function calls as equivalent:
This bug could for example result in failure to use expression indexes involving variadic functions. It might be necessary to re-create such indexes, and/or re-create views including variadic function calls that should match the indexes, for the fix to be effective for existing 9.3 installations.
Fix handling of nested JSON objects in json_populate_recordset() and friends:
A nested JSON object could result in previous fields of the parent object not being shown in the output.
Fix identification of input type category in to_json() and friends:
This is known to have led to inadequate quoting of money fields in the JSON result, and there may have been wrong results for other data types as well.
Fix failure to detoast fields in composite elements of structured types:
This corrects cases where TOAST pointers could be copied into other tables without being dereferenced. If the original data is later deleted, it would lead to errors like "missing chunk number 0 for toast value ..." when the now-dangling pointer is used.
Fix "record type has not been registered" failures with whole-row references to the output of Append plan nodes
Fix possible crash when invoking a user-defined function while rewinding a cursor
Fix query-lifespan memory leak while evaluating the arguments for a function in FROM
Fix session-lifespan memory leaks in regular-expression processing
Fix data encoding error in hungarian.stop
Prevent foreign tables from being created with OIDS when default_with_oids is true
Fix liveness checks for rows that were inserted in the current transaction and then deleted by a now-rolled-back subtransaction:
This could cause problems (at least spurious warnings, and at worst an infinite loop) if CREATE INDEX or CLUSTER were done later in the same transaction.
Clear pg_stat_activity.xact_start during PREPARE TRANSACTION:
After the PREPARE, the originating session is no longer in a transaction, so it should not continue to display a transaction start time.
Fix REASSIGN OWNED to not fail for text search objects
Prevent pg_class.relminmxid values from going backwards during VACUUM FULL
Reduce indentation in rule/view dumps to improve readability and avoid excessive whitespace:
This change reduces the amount of indentation applied to nested constructs, including some cases that the user probably doesn't think of as nested, such as UNION lists. Previously, deeply nested constructs were printed with an amount of whitespace growing as O(N^2), which created a performance problem and even risk of out-of-memory failures. Now the indentation is reduced modulo 40, which is initially odd to look at but seems to preserve readability better than simply limiting the indentation would do. Redundant parenthesization of UNION lists has been reduced as well.
Fix dumping of rules/views when subsequent addition of a column has resulted in multiple input columns matching a USING specification
Repair view printing for some cases involving functions in FROM that return a composite type containing dropped columns
Block signals during postmaster startup:
This ensures that the postmaster will properly clean up after itself if, for example, it receives SIGINT while still starting up.
Fix client host name lookup when processing pg_hba.conf entries that specify host names instead of IP addresses:
Ensure that reverse-DNS lookup failures are reported, instead of just silently not matching such entries. Also ensure that we make only one reverse-DNS lookup attempt per connection, not one per host name entry, which is what previously happened if the lookup attempts failed.
Allow the root user to use postgres -C variable and postgres --describe-config:
The prohibition on starting the server as root does not need to extend to these operations, and relaxing it prevents failure of pg_ctl in some scenarios.
Secure Unix-domain sockets of temporary postmasters started during make check:
Any local user able to access the socket file could connect as the server's bootstrap superuser, then proceed to execute arbitrary code as the operating-system user running the test, as we previously noted in CVE-2014-0067. This change defends against that risk by placing the server's socket in a temporary, mode 0700 subdirectory of /tmp. The hazard remains however on platforms where Unix sockets are not supported, notably Windows, because then the temporary postmaster must accept local TCP connections.
A useful side effect of this change is to simplify make check testing in builds that override DEFAULT_PGSOCKET_DIR. Popular non-default values like /var/run/postgresql are often not writable by the build user, requiring workarounds that will no longer be necessary.
Fix tablespace creation WAL replay to work on Windows
Fix detection of socket creation failures on Windows
On Windows, allow new sessions to absorb values of PGC_BACKEND parameters (such as log_connections) from the configuration file:
Previously, if such a parameter were changed in the file post-startup, the change would have no effect.
Properly quote executable path names on Windows:
This oversight could cause initdb and pg_upgrade to fail on Windows, if the installation path contained both spaces and @ signs.
Avoid buffer bloat in libpq when the server consistently sends data faster than the client can absorb it:
libpq could be coerced into enlarging its input buffer until it runs out of memory (which would be reported misleadingly as "lost synchronization with server"). Under ordinary circumstances it's quite far-fetched that data could be continuously transmitted more quickly than the recv() loop can absorb it, but this has been observed when the client is artificially slowed by scheduler constraints.
Ensure that LDAP lookup attempts in libpq time out as intended
Fix ecpg to do the right thing when an array of char * is the target for a FETCH statement returning more than one row, as well as some other array-handling fixes
Fix pg_dump to cope with a materialized view that depends on a table's primary key:
This occurs if the view's query relies on functional dependency to abbreviate a GROUP BY list. pg_dump got sufficiently confused that it dumped the materialized view as a regular view.
Fix parsing of pg_dumpall's -i switch
Fix pg_restore's processing of old-style large object comments:
A direct-to-database restore from an archive file generated by a pre-9.0 version of pg_dump would usually fail if the archive contained more than a few comments for large objects.
Fix pg_upgrade for cases where the new server creates a TOAST table but the old version did not:
This rare situation would manifest as "relation OID mismatch" errors.
In pg_upgrade, preserve pg_database.datminmxid and pg_class.relminmxid values from the old cluster, or insert reasonable values when upgrading from pre-9.3; also defend against unreasonable values in the core server:
These changes prevent scenarios in which autovacuum might insist on scanning the entire cluster's contents immediately upon starting the new cluster, or in which tracking of unfrozen MXID values might be disabled completely.
Prevent contrib/auto_explain from changing the output of a user's EXPLAIN:
If auto_explain is active, it could cause an EXPLAIN (ANALYZE, TIMING OFF) command to nonetheless print timing information.
Fix query-lifespan memory leak in contrib/dblink
In contrib/pgcrypto functions, ensure sensitive information is cleared from stack variables before returning
Prevent use of already-freed memory in contrib/pgstattuple's pgstat_heap()
In contrib/uuid-ossp, cache the state of the OSSP UUID library across calls:
This improves the efficiency of UUID generation and reduces the amount of entropy drawn from /dev/urandom, on platforms that have that.
Update time zone data files to tzdata release 2014e for DST law changes in Crimea, Egypt, and Morocco.

New in PostgreSQL 9.3.4 (Mar 21, 2014)

Fix WAL replay of locking an already-updated tuple:
This error caused updated rows to not be found by index scans, resulting in inconsistent query results depending on whether an index scan was used. Subsequent processing could result in constraint violations, since the previously updated row would not be found by later index searches, thus possibly allowing conflicting rows to be inserted. Since this error is in WAL replay, it would only manifest during crash recovery or on standby servers. The improperly-replayed case most commonly arises when a table row that is referenced by a foreign-key constraint is updated concurrently with creation of a referencing row.
Restore GIN metapages unconditionally to avoid torn-page risk:
Although this oversight could theoretically result in a corrupted index, it is unlikely to have caused any problems in practice, since the active part of a GIN metapage is smaller than a standard 512-byte disk sector.
Avoid race condition in checking transaction commit status during receipt of a NOTIFY message:
This prevents a scenario wherein a sufficiently fast client might respond to a notification before database updates made by the notifier have become visible to the recipient.
Allow materialized views to be referenced in UPDATE and DELETE commands:
Previously such queries failed with a complaint about not being able to lock rows in the materialized view.
Allow regular-expression operators to be terminated early by query cancel requests:
This prevents scenarios wherein a pathological regular expression could lock up a server process uninterruptably for a long time.
Remove incorrect code that tried to allow OVERLAPS with single-element row arguments:
This code never worked correctly, and since the case is neither specified by the SQL standard nor documented, it seemed better to remove it than fix it.
Avoid getting more than AccessShareLock when de-parsing a rule or view:
This oversight resulted in pg_dump unexpectedly acquiring RowExclusiveLock locks on tables mentioned as the targets of INSERT/UPDATE/DELETE commands in rules. While usually harmless, that could interfere with concurrent transactions that tried to acquire, for example, ShareLock on those tables.
Improve performance of index endpoint probes during planning:
This change fixes a significant performance problem that occurred when there were many not-yet-committed rows at the end of the index, which is a common situation for indexes on sequentially-assigned values such as timestamps or sequence-generated identifiers.
Remove the correct per-database statistics file during DROP DATABASE:
This fix prevents a permanent leak of statistics file space. Users who have done many DROP DATABASE commands since upgrading to PostgreSQL 9.3 may wish to check their statistics directory and delete statistics files that do not correspond to any existing database. Please note that db_0.stat should not be removed.
Fix walsender ping logic to avoid inappropriate disconnects under continuous load:
walsender failed to send ping messages to the client if it was constantly busy sending WAL data; but it expected to see ping responses despite that, and would therefore disconnect once wal_sender_timeout elapsed.
Add read-only data_checksums parameter to display whether page checksums are enabled:
Without this parameter, determining the state of checksum processing was difficult.
Prevent interrupts while reporting non-ERROR messages:
This guards against rare server-process freezeups due to recursive entry to syslog(), and perhaps other related problems.
Fix tracking of psql script line numbers during \copy from out-of-line data:
\copy ... from incremented the script file line number for each data line, even if the data was not coming from the script file. This mistake resulted in wrong line numbers being reported for any errors occurring later in the same script file.
Fix contrib/postgres_fdw to handle multiple join conditions properly:
This oversight could result in sending WHERE clauses to the remote server for execution even though the clauses are not known to have the same semantics on the remote server (for example, clauses that use non-built-in operators). The query might succeed anyway, but it could also fail with errors from the remote server, or worse give silently wrong answers.
Use non-default selectivity estimates for value IN (list) and value operator ANY (array) expressions when the righthand side is a stable expression
Fix walsender's failure to shut down cleanly when client is pg_receivexlog
Check WAL level and hot standby parameters correctly when doing crash recovery that will be followed by archive recovery
Fix test to see if hot standby connections can be allowed immediately after a crash
Fix memory leak in PL/Perl when returning a composite result, including multiple-OUT-parameter cases
Prevent intermittent "could not reserve shared memory region" failures on recent Windows versions
Update time zone data files to tzdata release 2014a for DST law changes in Fiji and Turkey, plus historical changes in Israel and Ukraine.

New in PostgreSQL 9.3.3 (Feb 21, 2014)

Changes:
Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)
Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role, but this restriction was easily bypassed by doing SET ROLE first. The security impact is mostly that a role member can revoke the access of others, contrary to the wishes of his grantor. Unapproved role member additions are a lesser concern, since an uncooperative role member could provide most of his rights to others anyway by creating views or SECURITY DEFINER functions. (CVE-2014-0060)
Prevent privilege escalation via manual calls to PL validator functions (Andres Freund)
The primary role of PL validator functions is to be called implicitly during CREATE FUNCTION, but they are also normal SQL functions that a user can call explicitly. Calling a validator on a function actually written in some other language was not checked for and could be exploited for privilege-escalation purposes. The fix involves adding a call to a privilege-checking function in each validator function. Non-core procedural languages will also need to make this change to their own validator functions, if any. (CVE-2014-0061)
Avoid multiple name lookups during table and index DDL (Robert Haas, Andres Freund)
If the name lookups come to different conclusions due to concurrent activity, we might perform some parts of the DDL on a different table than other parts. At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table than the index creation, allowing for a privilege escalation attack. (CVE-2014-0062)
Prevent buffer overrun with long datetime strings (Noah Misch)
The MAXDATELEN constant was too small for the longest possible value of type interval, allowing a buffer overrun in interval_out(). Although the datetime input functions were more careful about avoiding buffer overrun, the limit was short enough to cause them to reject some valid inputs, such as input containing a very long timezone name. The ecpg library contained these vulnerabilities along with some of its own. (CVE-2014-0063)
Prevent buffer overrun due to integer overflow in size calculations (Noah Misch, Heikki Linnakangas)
Several functions, mostly type input functions, calculated an allocation size without checking for overflow. If overflow did occur, a too-small buffer would be allocated and then written past. (CVE-2014-0064)
Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)
Use strlcpy() and related functions to provide a clear guarantee that fixed-size buffers are not overrun. Unlike the preceding items, it is unclear whether these cases really represent live issues, since in most cases there appear to be previous constraints on the size of the input string. Nonetheless it seems prudent to silence all Coverity warnings of this type. (CVE-2014-0065)
Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian)
There are relatively few scenarios in which crypt() could return NULL, but contrib/chkpass would crash if it did. One practical case in which this could be an issue is if libc is configured to refuse to execute unapproved hashing algorithms (e.g., "FIPS mode"). (CVE-2014-0066)
Document risks of make check in the regression testing instructions (Noah Misch, Tom Lane)
Since the temporary server started by make check uses "trust" authentication, another user on the same machine could connect to it as database superuser, and then potentially exploit the privileges of the operating-system user who started the tests. A future release will probably incorporate changes in the testing procedure to prevent this risk, but some public discussion is needed first. So for the moment, just warn people against using make check when there are untrusted users on the same machine. (CVE-2014-0067)
Rework tuple freezing protocol (Álvaro Herrera, Andres Freund)
The logic for tuple freezing was unable to handle some cases involving freezing of multixact IDs, with the practical effect that shared row-level locks might be forgotten once old enough.
Fixing this required changing the WAL record format for tuple freezing. While this is no issue for standalone servers, when using replication it means that standby servers must be upgraded to 9.3.3 or later before their masters are. An older standby will be unable to interpret freeze records generated by a newer master, and will fail with a PANIC message. (In such a case, upgrading the standby should be sufficient to let it resume execution.)
Create separate GUC parameters to control multixact freezing (Álvaro Herrera)
9.3 requires multixact tuple labels to be frozen before they grow too old, in the same fashion as plain transaction ID labels have been frozen for some time. Previously, the transaction ID freezing parameters were used for multixact IDs too; but since the consumption rates of transaction IDs and multixact IDs can be quite different, this did not work very well. Introduce new settings vacuum_multixact_freeze_min_age, vacuum_multixact_freeze_table_age, and autovacuum_multixact_freeze_max_age to control when to freeze multixacts.
Account for remote row locks propagated by local updates (Álvaro Herrera)
If a row was locked by transaction A, and transaction B updated it, the new version of the row created by B would be locked by A, yet visible only to B. If transaction B then again updated the row, A's lock wouldn't get checked, thus possibly allowing B to complete when it shouldn't. This case is new in 9.3 since prior versions did not have any types of row locking that would permit another transaction to update the row at all.
This oversight could allow referential integrity checks to give false positives (for instance, allow deletes that should have been rejected). Applications using the new commands SELECT FOR KEY SHARE and SELECT FOR NO KEY UPDATE might also have suffered locking failures of this kind.
Prevent "forgetting" valid row locks when one of several holders of a row lock aborts (Álvaro Herrera)
This was yet another mechanism by which a shared row lock could be lost, thus possibly allowing updates that should have been prevented by foreign-key constraints.
Fix incorrect logic during update chain locking (Álvaro Herrera)
This mistake could result in spurious "could not serialize access due to concurrent update" errors in REPEATABLE READ and SERIALIZABLE transaction isolation modes.
Handle wraparound correctly during extension or truncation of pg_multixact/members (Andres Freund, Álvaro Herrera)
Fix handling of 5-digit filenames in pg_multixact/members (Álvaro Herrera)
As of 9.3, these names can be more than 4 digits, but the directory cleanup code ignored such files.
Improve performance of multixact cache code (Álvaro Herrera)
Optimize updating a row that's already locked by the same transaction (Andres Freund, Álvaro Herrera)
This fixes a performance regression from pre-9.3 versions when doing SELECT FOR UPDATE followed by UPDATE/DELETE.
During archive recovery, prefer highest timeline number when WAL segments with the same ID are present in both the archive and pg_xlog/ (Kyotaro Horiguchi)
Previously, not-yet-archived segments could get ignored during recovery. This reverts an undesirable behavioral change in 9.3.0 back to the way things worked pre-9.3.
Fix possible mis-replay of WAL records when some segments of a relation aren't full size (Greg Stark, Tom Lane)
The WAL update could be applied to the wrong page, potentially many pages past where it should have been. Aside from corrupting data, this error has been observed to result in significant "bloat" of standby servers compared to their masters, due to updates being applied far beyond where the end-of-file should have been. This failure mode does not appear to be a significant risk during crash recovery, only when initially synchronizing a standby created from a base backup taken from a quickly-changing master.
Fix bug in determining when recovery has reached consistency (Tomonari Katsumata, Heikki Linnakangas)
In some cases WAL replay would mistakenly conclude that the database was already consistent at the start of replay, thus possibly allowing hot-standby queries before the database was really consistent. Other symptoms such as "PANIC: WAL contains references to invalid pages" were also possible.
Fix WAL logging of visibility map changes (Heikki Linnakangas)
Fix improper locking of btree index pages while replaying a VACUUM operation in hot-standby mode (Andres Freund, Heikki Linnakangas, Tom Lane)
This error could result in "PANIC: WAL contains references to invalid pages" failures.
Ensure that insertions into non-leaf GIN index pages write a full-page WAL record when appropriate (Heikki Linnakangas)
The previous coding risked index corruption in the event of a partial-page write during a system crash.
When pause_at_recovery_target and recovery_target_inclusive are both set, ensure the target record is applied before pausing, not after (Heikki Linnakangas)
Ensure walreceiver sends hot-standby feedback messages on time even when there is a continuous stream of data (Andres Freund, Amit Kapila)
Prevent timeout interrupts from taking control away from mainline code unless ImmediateInterruptOK is set (Andres Freund, Tom Lane)
This is a serious issue for any application making use of statement timeouts, as it could cause all manner of strange failures after a timeout occurred. We have seen reports of "stuck" spinlocks, ERRORs being unexpectedly promoted to PANICs, unkillable backends, and other misbehaviors.
Fix race conditions during server process exit (Robert Haas)
Ensure that signal handlers don't attempt to use the process's MyProc pointer after it's no longer valid.
Fix race conditions in walsender shutdown logic and walreceiver SIGHUP signal handler (Tom Lane)
Fix unsafe references to errno within error reporting logic (Christian Kruse)
This would typically lead to odd behaviors such as missing or inappropriate HINT fields.
Fix possible crashes from using ereport() too early during server startup (Tom Lane)
The principal case we've seen in the field is a crash if the server is started in a directory it doesn't have permission to read.
Clear retry flags properly in OpenSSL socket write function (Alexander Kukushkin)
This omission could result in a server lockup after unexpected loss of an SSL-encrypted connection.
Fix length checking for Unicode identifiers (U&"..." syntax) containing escapes (Tom Lane)
A spurious truncation warning would be printed for such identifiers if the escaped form of the identifier was too long, but the identifier actually didn't need truncation after de-escaping.
Fix parsing of Unicode literals and identifiers just before the end of a command string or function body (Tom Lane)
Allow keywords that are type names to be used in lists of roles (Stephen Frost)
A previous patch allowed such keywords to be used without quoting in places such as role identifiers; but it missed cases where a list of role identifiers was permitted, such as DROP ROLE.
Fix parser crash for EXISTS(SELECT * FROM zero_column_table) (Tom Lane)
Fix possible crash due to invalid plan for nested sub-selects, such as WHERE (... x IN (SELECT ...) ...) IN (SELECT ...) (Tom Lane)
Fix mishandling of WHERE conditions pulled up from a LATERAL subquery (Tom Lane)
The typical symptom of this bug was a "JOIN qualification cannot refer to other relations" error, though subtle logic errors in created plans seem possible as well.
Disallow LATERAL references to the target table of an UPDATE/DELETE (Tom Lane)
While this might be allowed in some future release, it was unintentional in 9.3, and didn't work quite right anyway.
Fix UPDATE/DELETE of an inherited target table that has UNION ALL subqueries (Tom Lane)
Without this fix, UNION ALL subqueries aren't correctly inserted into the update plans for inheritance child tables after the first one, typically resulting in no update happening for those child table(s).
Fix ANALYZE to not fail on a column that's a domain over a range type (Tom Lane)
Ensure that ANALYZE creates statistics for a table column even when all the values in it are "too wide" (Tom Lane)
ANALYZE intentionally omits very wide values from its histogram and most-common-values calculations, but it neglected to do something sane in the case that all the sampled entries are too wide.
In ALTER TABLE ... SET TABLESPACE, allow the database's default tablespace to be used without a permissions check (Stephen Frost)
CREATE TABLE has always allowed such usage, but ALTER TABLE didn't get the memo.
Fix support for extensions containing event triggers (Tom Lane)
Fix "cannot accept a set" error when some arms of a CASE return a set and others don't (Tom Lane)
Fix memory leakage in JSON functions (Craig Ringer)
Properly distinguish numbers from non-numbers when generating JSON output (Andrew Dunstan)
Fix checks for all-zero client addresses in pgstat functions (Kevin Grittner)
Fix possible misclassification of multibyte characters by the text search parser (Tom Lane)
Non-ASCII characters could be misclassified when using C locale with a multibyte encoding. On Cygwin, non-C locales could fail as well.
Fix possible misbehavior in plainto_tsquery() (Heikki Linnakangas)
Use memmove() not memcpy() for copying overlapping memory regions. There have been no field reports of this actually causing trouble, but it's certainly risky.
Fix placement of permissions checks in pg_start_backup() and pg_stop_backup() (Andres Freund, Magnus Hagander)
The previous coding might attempt to do catalog access when it shouldn't.
Accept SHIFT_JIS as an encoding name for locale checking purposes (Tatsuo Ishii)
Fix *-qualification of named parameters in SQL-language functions (Tom Lane)
Given a composite-type parameter named foo, $1.* worked fine, but foo.* not so much.
Fix misbehavior of PQhost() on Windows (Fujii Masao)
It should return localhost if no host has been specified.
Improve error handling in libpq and psql for failures during COPY TO STDOUT/FROM STDIN (Tom Lane)
In particular this fixes an infinite loop that could occur in 9.2 and up if the server connection was lost during COPY FROM STDIN. Variants of that scenario might be possible in older versions, or with other client applications.
Fix incorrect translation handling in some psql \d commands (Peter Eisentraut, Tom Lane)
Ensure pg_basebackup's background process is killed when exiting its foreground process (Magnus Hagander)
Fix possible incorrect printing of filenames in pg_basebackup's verbose mode (Magnus Hagander)
Avoid including tablespaces inside PGDATA twice in base backups (Dimitri Fontaine, Magnus Hagander)
Fix misaligned descriptors in ecpg (MauMau)
In ecpg, handle lack of a hostname in the connection parameters properly (Michael Meskes)
Fix performance regression in contrib/dblink connection startup (Joe Conway)
Avoid an unnecessary round trip when client and server encodings match.
In contrib/isn, fix incorrect calculation of the check digit for ISMN values (Fabien Coelho)
Fix contrib/pgbench's progress logging to avoid overflow when the scale factor is large (Tatsuo Ishii)
Fix contrib/pg_stat_statement's handling of CURRENT_DATE and related constructs (Kyotaro Horiguchi)
Improve lost-connection error handling in contrib/postgres_fdw (Tom Lane)
Ensure client-code-only installation procedure works as documented (Peter Eisentraut)
In Mingw and Cygwin builds, install the libpq DLL in the bin directory (Andrew Dunstan)
This duplicates what the MSVC build has long done. It should fix problems with programs like psql failing to start because they can't find the DLL.
Avoid using the deprecated dllwrap tool in Cygwin builds (Marco Atzeri)
Enable building with Visual Studio 2013 (Brar Piening)
Don't generate plain-text HISTORY and src/test/regress/README files anymore (Tom Lane)
These text files duplicated the main HTML and PDF documentation formats. The trouble involved in maintaining them greatly outweighs the likely audience for plain-text format. Distribution tarballs will still contain files by these names, but they'll just be stubs directing the reader to consult the main documentation. The plain-text INSTALL file will still be maintained, as there is arguably a use-case for that.
Update time zone data files to tzdata release 2013i for DST law changes in Jordan and historical changes in Cuba.
In addition, the zones Asia/Riyadh87, Asia/Riyadh88, and Asia/Riyadh89 have been removed, as they are no longer maintained by IANA, and never represented actual civil timekeeping practice.

New in PostgreSQL 9.3.2 (Dec 6, 2013)

Changes:
Fix VACUUM's tests to see whether it can update relfrozenxid (Andres Freund)
Fix multiple bugs in MultiXactId freezing (Andres Freund, Álvaro Herrera)
Fix initialization of pg_clog and pg_subtrans during hot standby startup (Andres Freund, Heikki Linnakangas)
Fix multiple bugs in update chain traversal (Andres Freund, Álvaro Herrera)
Fix dangling-pointer problem in fast-path locking (Tom Lane)
Fix assorted race conditions in timeout management (Tom Lane)
Fix full-table-vacuum request mechanism for MultiXactIds (Andres Freund)
Fix race condition in GIN index posting tree page deletion (Heikki Linnakangas)
Fix "unexpected spgdoinsert() failure" error during SP-GiST index creation (Teodor Sigaev)
Fix assorted bugs in materialized views (Kevin Grittner, Andres Freund)
Re-allow duplicate table aliases if they're within aliased JOINs (Tom Lane)
Fix planner's processing of non-simple-variable subquery outputs nested within outer joins (Tom Lane)
Fix incorrect planning in cases where the same non-strict expression appears in multiple WHERE and outer JOIN equality clauses (Tom Lane)
Fix planner crash with whole-row reference to a subquery (Tom Lane)
Fix incorrect generation of optimized MIN()/MAX() plans for inheritance trees (Tom Lane)
Fix premature deletion of temporary files (Andres Freund)
Fix memory leaks when reloading configuration files (Heikki Linnakangas, Hari Babu)
Prevent incorrect display of dropped columns in NOT NULL and CHECK constraint violation messages (Michael Paquier and Tom Lane)
Allow default arguments and named-argument notation for window functions (Tom Lane)
Suppress trailing whitespace on each line when pretty-printing rules and views (Tom Lane)
Fix possible read past end of memory in rule printing (Peter Eisentraut)
Fix array slicing of int2vector and oidvector values (Tom Lane)
Return a valid JSON value when converting an empty hstore value to json (Oskari Saarenmaa)
Fix incorrect behaviors when using a SQL-standard, simple GMT offset timezone (Tom Lane)
Prevent possible misbehavior when logging translations of Windows error codes (Tom Lane)
Properly quote generated command lines in pg_ctl (Naoya Anzai and Tom Lane)
Fix pg_dumpall to work when a source database sets default_transaction_read_only via ALTER DATABASE SET (Kevin Grittner)
Fix pg_isready to handle its -d option properly (Fabrízio de Royes Mello and Fujii Masao)
Fix parsing of WAL file names in pg_receivexlog (Heikki Linnakangas)
Report out-of-disk-space failures properly in pg_upgrade (Peter Eisentraut)
Make ecpg search for quoted cursor names case-sensitively (Zoltán Böszörményi)
Fix ecpg's processing of lists of variables declared varchar (Zoltán Böszörményi)
Make contrib/lo defend against incorrect trigger definitions (Marc Cousin)
Update time zone data files to tzdata release 2013h for DST law changes in Argentina, Brazil, Jordan, Libya, Liechtenstein, Morocco, and Palestine. Also, new timezone abbreviations WIB, WIT, WITA for Indonesia.

New in PostgreSQL 9.3.1 (Oct 10, 2013)

New in PostgreSQL 9.3.0 (Sep 9, 2013)

New in PostgreSQL 9.3 RC 1 (Sep 4, 2013)

New in PostgreSQL 9.3 Beta 1 (May 13, 2013)

New in PostgreSQL 9.2.4 (Apr 4, 2013)

Changes:
Fix insecure parsing of server command-line switches (Mitsumasa Kondo, Kyotaro Horiguchi)
A connection request containing a database name that begins with "-" could be crafted to damage or destroy files within the server's data directory, even if the request is eventually rejected. (CVE-2013-1899)
Reset OpenSSL randomness state in each postmaster child process (Marko Kreen). This avoids a scenario wherein random numbers generated by contrib/pgcrypto functions might be relatively easy for another database user to guess. The risk is only significant when the postmaster is configured with ssl = on but most connections don't use SSL encryption. (CVE-2013-1900)
Make REPLICATION privilege checks test current user not authenticated user (Noah Misch)
An unprivileged database user could exploit this mistake to call pg_start_backup() or pg_stop_backup(), thus possibly interfering with creation of routine backups. (CVE-2013-1901)
Fix GiST indexes to not use "fuzzy" geometric comparisons when it's not appropriate to do so (Alexander Korotkov). The core geometric types perform comparisons using "fuzzy" equality, but gist_box_same must do exact comparisons, else GiST indexes using it might become inconsistent. After installing this update, users should REINDEX any GiST indexes on box, polygon, circle, or point columns, since all of these use gist_box_same.
Fix erroneous range-union and penalty logic in GiST indexes that use contrib/btree_gist for variable-width data types, that is text, bytea, bit, and numeric columns (Tom Lane). These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in useless index bloat. Users are advised to REINDEX such indexes after installing this update.
Fix bugs in GiST page splitting code for multi-column indexes (Tom Lane). These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in indexes that are unnecessarily inefficient to search. Users are advised to REINDEX multi-column GiST indexes after installing this update.
Fix gist_point_consistent to handle fuzziness consistently (Alexander Korotkov)
Index scans on GiST indexes on point columns would sometimes yield results different from a sequential scan, because gist_point_consistent disagreed with the underlying operator code about whether to do comparisons exactly or fuzzily.
Fix buffer leak in WAL replay (Heikki Linnakangas). This bug could result in "incorrect local pin count" errors during replay, making recovery impossible.
Ensure we do crash recovery before entering archive recovery, if the database was not stopped cleanly and a recovery.conf file is present (Heikki Linnakangas, Kyotaro Horiguchi, Mitsumasa Kondo). This is needed to ensure that the database is consistent in certain scenarios, such as initializing a standby server with a filesystem snapshot from a running server.
Avoid deleting not-yet-archived WAL files during crash recovery (Heikki Linnakangas, Fujii Masao)
Fix race condition in DELETE RETURNING (Tom Lane). Under the right circumstances, DELETE RETURNING could attempt to fetch data from a shared buffer that the current process no longer has any pin on. If some other process changed the buffer meanwhile, this would lead to garbage RETURNING output, or even a crash.
Fix infinite-loop risk in regular expression compilation (Tom Lane, Don Porter)
Fix potential null-pointer dereference in regular expression compilation (Tom Lane)
Fix to_char() to use ASCII-only case-folding rules where appropriate (Tom Lane). This fixes misbehavior of some template patterns that should be locale-independent, but mishandled "I" and "i" in Turkish locales.
Fix unwanted rejection of timestamp 1999-12-31 24:00:00 (Tom Lane)
Fix SQL-language functions to be safely usable as support functions for range types (Tom Lane)
Fix logic error when a single transaction does UNLISTEN then LISTEN (Tom Lane). The session wound up not listening for notify events at all, though it surely should listen in this case.
Fix possible planner crash after columns have been added to a view that's depended on by another view (Tom Lane)
Fix performance issue in EXPLAIN (ANALYZE, TIMING OFF) (Pavel Stehule)
Remove useless "picksplit doesn't support secondary split" log messages (Josh Hansen, Tom Lane). This message seems to have been added in expectation of code that was never written, and probably never will be, since GiST's default handling of secondary splits is actually pretty good. So stop nagging end users about it.
Remove vestigial secondary-split support in gist_box_picksplit() (Tom Lane). Not only was this implementation of secondary-split not better than the default implementation, it's actually worse. So remove it and let the default code path handle the case.
Fix possible failure to send a session's last few transaction commit/abort counts to the statistics collector (Tom Lane)
Eliminate memory leaks in PL/Perl's spi_prepare() function (Alex Hunsaker, Tom Lane)
Fix pg_dumpall to handle database names containing "=" correctly (Heikki Linnakangas)
Avoid crash in pg_dump when an incorrect connection string is given (Heikki Linnakangas). Ignore invalid indexes in pg_dump and pg_upgrade (Michael Paquier, Bruce Momjian). Dumping invalid indexes can cause problems at restore time, for example if the reason the index creation failed was because it tried to enforce a uniqueness condition not satisfied by the table's data. Also, if the index creation is in fact still in progress, it seems reasonable to consider it to be an uncommitted DDL change, which pg_dump wouldn't be expected to dump anyway. pg_upgrade now also skips invalid indexes rather than failing.
In pg_basebackup, include only the current server version's subdirectory when backing up a tablespace (Heikki Linnakangas)
Add a server version check in pg_basebackup and pg_receivexlog, so they fail cleanly with version combinations that won't work (Heikki Linnakangas)
Fix contrib/dblink to handle inconsistent settings of DateStyle or IntervalStyle safely (Daniel Farina, Tom Lane). Previously, if the remote server had different settings of these parameters, ambiguous dates might be read incorrectly. This fix ensures that datetime and interval columns fetched by a dblink query will be interpreted correctly. Note however that inconsistent settings are still risky, since literal values appearing in SQL commands sent to the remote server might be interpreted differently than they would be locally.
Fix contrib/pg_trgm's similarity() function to return zero for trigram-less strings (Tom Lane). Previously it returned NaN due to internal division by zero.
Enable building PostgreSQL with Microsoft Visual Studio 2012 (Brar Piening, Noah Misch)
Update time zone data files to tzdata release 2013b for DST law changes in Chile, Haiti, Morocco, Paraguay, and some Russian areas. Also, historical zone data corrections for numerous places. Also, update the time zone abbreviation files for recent changes in Russia and elsewhere: CHOT, GET, IRKT, KGT, KRAT, MAGT, MAWT, MSK, NOVT, OMST, TKT, VLAT, WST, YAKT, YEKT now follow their current meanings, and VOLT (Europe/Volgograd) and MIST (Antarctica/Macquarie) are added to the default abbreviations list.

New in PostgreSQL 9.2.3 (Feb 7, 2013)

Prevent execution of enum_recv from SQL (Tom Lane)
The function was misdeclared, allowing a simple SQL command to crash the server. In principle an attacker might be able to use it to examine the contents of server memory. Our thanks to Sumit Soni (via Secunia SVCRP) for reporting this issue. (CVE-2013-0255)
Fix multiple problems in detection of when a consistent database state has been reached during WAL replay (Fujii Masao, Heikki Linnakangas, Simon Riggs, Andres Freund)
Fix detection of end-of-backup point when no actual redo work is required (Heikki Linnakangas)
This mistake could result in incorrect "WAL ends before end of online backup" errors.
Update minimum recovery point when truncating a relation file (Heikki Linnakangas)
Once data has been discarded, it's no longer safe to stop recovery at an earlier point in the timeline.
Fix recycling of WAL segments after changing recovery target timeline (Heikki Linnakangas)
Properly restore timeline history files from archive on cascading standby servers (Heikki Linnakangas)
Fix lock conflict detection on hot-standby servers (Andres Freund, Robert Haas)
Fix missing cancellations in hot standby mode (Noah Misch, Simon Riggs)
The need to cancel conflicting hot-standby queries would sometimes be missed, allowing those queries to see inconsistent data.
Prevent recovery pause feature from pausing before users can connect (Tom Lane)
Fix SQL grammar to allow subscripting or field selection from a sub-SELECT result (Tom Lane)
Fix performance problems with autovacuum truncation in busy workloads (Jan Wieck)
Truncation of empty pages at the end of a table requires exclusive lock, but autovacuum was coded to fail (and release the table lock) when there are conflicting lock requests. Under load, it is easily possible that truncation would never occur, resulting in table bloat. Fix by performing a partial truncation, releasing the lock, then attempting to re-acquire the lock and continue. This fix also greatly reduces the average time before autovacuum releases the lock after a conflicting request arrives.
Improve performance of SPI_execute and related functions, thereby improving PL/pgSQL's EXECUTE (Heikki Linnakangas, Tom Lane)
Remove some data-copying overhead that was added in 9.2 as a consequence of revisions in the plan caching mechanism. This eliminates a performance regression compared to 9.1, and also saves memory, especially when the query string to be executed contains many SQL statements.
A side benefit is that multi-statement query strings are now processed fully serially, that is we complete execution of earlier statements before running parse analysis and planning on the following ones. This eliminates a long-standing issue, in that DDL that should affect the behavior of a later statement will now behave as expected.
Restore pre-9.2 cost estimates for index usage (Tom Lane)
An ill-considered change of a fudge factor led to undesirably high cost estimates for use of very large indexes.
Fix intermittent crash in DROP INDEX CONCURRENTLY (Tom Lane)
Fix potential corruption of shared-memory lock table during CREATE/DROP INDEX CONCURRENTLY (Tom Lane)
Fix COPY's multiple-tuple-insertion code for the case of a tuple larger than page size minus fillfactor (Heikki Linnakangas)
The previous coding could get into an infinite loop.
Protect against race conditions when scanning pg_tablespace (Stephen Frost, Tom Lane)
CREATE DATABASE and DROP DATABASE could misbehave if there were concurrent updates of pg_tablespace entries.
Prevent DROP OWNED from trying to drop whole databases or tablespaces (Álvaro Herrera)
For safety, ownership of these objects must be reassigned, not dropped.
Fix error in vacuum_freeze_table_age implementation (Andres Freund)
The main consequence of this mistake is that lowering vacuum_freeze_min_age would cause full-table vacuuming scans to occur much more frequently than intended.
Prevent misbehavior when a RowExpr or XmlExpr is parse-analyzed twice (Andres Freund, Tom Lane)
This mistake could be user-visible in contexts such as CREATE TABLE LIKE INCLUDING INDEXES.
Improve defenses against integer overflow in hashtable sizing calculations (Jeff Davis)
Fix some bugs associated with privileges on datatypes (Tom Lane)
There were some issues with default privileges for types, and pg_dump failed to dump such privileges at all.
Fix failure to ignore leftover temporary tables after a server crash (Tom Lane)
Fix failure to rotate postmaster log files for size reasons on Windows (Jeff Janes, Heikki Linnakangas)
Reject out-of-range dates in to_date() (Hitoshi Harada)
Fix pg_extension_config_dump() to handle extension-update cases properly (Tom Lane)
This function will now replace any existing entry for the target table, making it usable in extension update scripts.
Fix PL/pgSQL's reporting of plan-time errors in possibly-simple expressions (Tom Lane)
The previous coding resulted in sometimes omitting the first line in the CONTEXT traceback for the error.
Fix PL/Python's handling of functions used as triggers on multiple tables (Andres Freund)
Ensure that non-ASCII prompt strings are translated to the correct code page on Windows (Alexander Law, Noah Misch)
This bug affected psql and some other client programs.
Fix possible crash in psql's \? command when not connected to a database (Meng Qingzhong)
Fix possible error if a relation file is removed while pg_basebackup is running (Heikki Linnakangas)
Tolerate timeline switches while pg_basebackup -X fetch is backing up a standby server (Heikki Linnakangas)
Make pg_dump exclude data of unlogged tables when running on a hot-standby server (Magnus Hagander)
This would fail anyway because the data is not available on the standby server, so it seems most convenient to assume --no-unlogged-table-data automatically.
Fix pg_upgrade to deal with invalid indexes safely (Bruce Momjian)
Fix pg_upgrade's -O/-o options (Bruce Momjian)
Fix one-byte buffer overrun in libpq's PQprintTuples (Xi Wang)
This ancient function is not used anywhere by PostgreSQL itself, but it might still be used by some client code.
Make ecpglib use translated messages properly (Chen Huajun)
Properly install ecpg_compat and pgtypes libraries on MSVC (Jiang Guiqing)
Include our version of isinf() in libecpg if it's not provided by the system (Jiang Guiqing)
Rearrange configure's tests for supplied functions so it is not fooled by bogus exports from libedit/libreadline (Christoph Berg)
Ensure Windows build number increases over time (Magnus Hagander)
Make pgxs build executables with the right .exe suffix when cross-compiling for Windows (Zoltan Boszormenyi)
Add new timezone abbreviation FET (Tom Lane)

New in PostgreSQL 9.2.2 (Dec 7, 2012)

Changes:
Fix multiple bugs associated with CREATE/DROP INDEX CONCURRENTLY
An error introduced while adding DROP INDEX CONCURRENTLY allowed incorrect indexing decisions to be made during the initial phase of CREATE INDEX CONCURRENTLY; so that indexes built by that command could be corrupt. It is recommended that indexes built in 9.2.X with CREATE INDEX CONCURRENTLY be rebuilt after applying this update.
In addition, fix CREATE/DROP INDEX CONCURRENTLY to use in-place updates when changing the state of an index's pg_index row. This prevents race conditions that could cause concurrent sessions to miss updating the target index, thus again resulting in corrupt concurrently-created indexes.
Also, fix various other operations to ensure that they ignore invalid indexes resulting from a failed CREATE INDEX CONCURRENTLY command. The most important of these is VACUUM, because an auto-vacuum could easily be launched on the table before corrective action can be taken to fix or remove the invalid index.
Also fix DROP INDEX CONCURRENTLY to not disable insertions into the target index until all queries using it are done.
Also fix misbehavior if DROP INDEX CONCURRENTLY is canceled: the previous coding could leave an un-droppable index behind.
Correct predicate locking for DROP INDEX CONCURRENTLY
Previously, SSI predicate locks were processed at the wrong time, possibly leading to incorrect behavior of serializable transactions executing in parallel with the DROP.
Fix buffer locking during WAL replay
The WAL replay code was insufficiently careful about locking buffers when replaying WAL records that affect more than one page. This could result in hot standby queries transiently seeing inconsistent states, resulting in wrong answers or unexpected failures.
Fix an error in WAL generation logic for GIN indexes
This could result in index corruption, if a torn-page failure occurred.
Fix an error in WAL replay logic for SP-GiST indexes
This could result in index corruption after a crash, or on a standby server.
Fix incorrect detection of end-of-base-backup location during WAL recovery
This mistake allowed hot standby mode to start up before the database reaches a consistent state.
Properly remove startup process's virtual XID lock when promoting a hot standby server to normal running
This oversight could prevent subsequent execution of certain operations such as CREATE INDEX CONCURRENTLY.
Avoid bogus "out-of-sequence timeline ID" errors in standby mode
Prevent the postmaster from launching new child processes after it's received a shutdown signal
This mistake could result in shutdown taking longer than it should, or even never completing at all without additional user action.
Fix the syslogger process to not fail when log_rotation_age exceeds 2^31 milliseconds (about 25 days)
Fix WaitLatch() to return promptly when the requested timeout expires
With the previous coding, a steady stream of non-wait-terminating interrupts could delay return from WaitLatch() indefinitely. This has been shown to be a problem for the autovacuum launcher process, and might cause trouble elsewhere as well.
Avoid corruption of internal hash tables when out of memory
Prevent file descriptors for dropped tables from being held open past transaction end
This should reduce problems with long-since-dropped tables continuing to occupy disk space.
Prevent database-wide crash and restart when a new child process is unable to create a pipe for its latch
Although the new process must fail, there is no good reason to force a database-wide restart, so avoid that. This improves robustness when the kernel is nearly out of file descriptors.
Avoid planner crash with joins to unflattened subqueries
Fix planning of non-strict equivalence clauses above outer joins
The planner could derive incorrect constraints from a clause equating a non-strict construct to something else, for example WHERE COALESCE(foo, 0) = 0 when foo is coming from the nullable side of an outer join. 9.2 showed this type of error in more cases than previous releases, but the basic bug has been there for a long time.
Fix SELECT DISTINCT with index-optimized MIN/MAX on an inheritance tree
The planner would fail with "failed to re-find MinMaxAggInfo record" given this combination of factors.
Make sure the planner sees implicit and explicit casts as equivalent for all purposes, except in the minority of cases where there's actually a semantic difference
Include join clauses when considering whether partial indexes can be used for a query
A strict join clause can be sufficient to establish an x IS NOT NULL predicate, for example. This fixes a planner regression in 9.2, since previous versions could make comparable deductions.
Limit growth of planning time when there are many indexable join clauses for the same index
Improve planner's ability to prove exclusion constraints from equivalence classes
Fix partial-row matching in hashed subplans to handle cross-type cases correctly
This affects multicolumn NOT IN subplans, such as WHERE (a, b) NOT IN (SELECT x, y FROM ...) when for instance b and y are int4 and int8 respectively. This mistake led to wrong answers or crashes depending on the specific datatypes involved.
Fix btree mark/restore functions to handle array keys
This oversight could result in wrong answers from merge joins whose inner side is an index scan using an indexed_column = ANY(array) condition.
Revert patch for taking fewer snapshots
The 9.2 change to reduce the number of snapshots taken during query execution led to some anomalous behaviors not seen in previous releases, because execution would proceed with a snapshot acquired before locking the tables used by the query. Thus, for example, a query would not be guaranteed to see updates committed by a preceding transaction even if that transaction had exclusive lock. We'll probably revisit this in future releases, but meanwhile put it back the way it was before 9.2.
Acquire buffer lock when re-fetching the old tuple for an AFTER ROW UPDATE/DELETE trigger
In very unusual circumstances, this oversight could result in passing incorrect data to a trigger WHEN condition, or to the precheck logic for a foreign-key enforcement trigger. That could result in a crash, or in an incorrect decision about whether to fire the trigger.
Fix ALTER COLUMN TYPE to handle inherited check constraints properly
This worked correctly in pre-8.4 releases, and now works correctly in 8.4 and later.
Fix ALTER EXTENSION SET SCHEMA's failure to move some subsidiary objects into the new schema
Handle CREATE TABLE AS EXECUTE correctly in extended query protocol
Don't modify the input parse tree in DROP RULE IF NOT EXISTS and DROP TRIGGER IF NOT EXISTS
This mistake would cause errors if a cached statement of one of these types was re-executed.
Fix REASSIGN OWNED to handle grants on tablespaces
Ignore incorrect pg_attribute entries for system columns for views
Views do not have any system columns. However, we forgot to remove such entries when converting a table to a view. That's fixed properly for 9.3 and later, but in previous branches we need to defend against existing mis-converted views.
Fix rule printing to dump INSERT INTO table DEFAULT VALUES correctly
Guard against stack overflow when there are too many UNION/INTERSECT/EXCEPT clauses in a query
Prevent platform-dependent failures when dividing the minimum possible integer value by -1
Fix possible access past end of string in date parsing
Fix failure to advance XID epoch if XID wraparound happens during a checkpoint and wal_level is hot_standby
While this mistake had no particular impact on PostgreSQL itself, it was bad for applications that rely on txid_current() and related functions: the TXID value would appear to go backwards.
Fix pg_terminate_backend() and pg_cancel_backend() to not throw error for a non-existent target process
This case already worked as intended when called by a superuser, but not so much when called by ordinary users.
Fix display of pg_stat_replication.sync_state at a page boundary
Produce an understandable error message if the length of the path name for a Unix-domain socket exceeds the platform-specific limit
Formerly, this would result in something quite unhelpful, such as "Non-recoverable failure in name resolution".
Fix memory leaks when sending composite column values to the client
Save some cycles by not searching for subtransaction locks at commit
In a transaction holding many exclusive locks, this useless activity could be quite costly.
Make pg_ctl more robust about reading the postmaster.pid file
This fixes race conditions and possible file descriptor leakage.
Fix possible crash in psql if incorrectly-encoded data is presented and the client_encoding setting is a client-only encoding, such as SJIS
Make pg_dump dump SEQUENCE SET items in the data not pre-data section of the archive
This fixes an undesirable inconsistency between the meanings of --data-only and --section=data, and also fixes dumping of sequences that are marked as extension configuration tables.
Fix pg_dump's handling of DROP DATABASE commands in --clean mode
Beginning in 9.2.0, pg_dump --clean would issue a DROP DATABASE command, which was either useless or dangerous depending on the usage scenario. It no longer does that. This change also fixes the combination of --clean and --create to work sensibly, i.e., emit DROP DATABASE then CREATE DATABASE before reconnecting to the target database.
Fix pg_dump for views with circular dependencies and no relation options
The previous fix to dump relation options when a view is involved in a circular dependency didn't work right for the case that the view has no options; it emitted ALTER VIEW foo SET () which is invalid syntax.
Fix bugs in the restore.sql script emitted by pg_dump in tar output format
The script would fail outright on tables whose names include upper-case characters. Also, make the script capable of restoring data in --inserts mode as well as the regular COPY mode.
Fix pg_restore to accept POSIX-conformant tar files
The original coding of pg_dump's tar output mode produced files that are not fully conformant with the POSIX standard. This has been corrected for version 9.3. This patch updates previous branches so that they will accept both the incorrect and the corrected formats, in hopes of avoiding compatibility problems when 9.3 comes out.
Fix tar files emitted by pg_basebackup to be POSIX conformant
Fix pg_resetxlog to locate postmaster.pid correctly when given a relative path to the data directory
This mistake could lead to pg_resetxlog not noticing that there is an active postmaster using the data directory.
Fix libpq's lo_import() and lo_export() functions to report file I/O errors properly
Fix ecpg's processing of nested structure pointer variables
Fix ecpg's ecpg_get_data function to handle arrays properly
Prevent pg_upgrade from trying to process TOAST tables for system catalogs
This fixes an error seen when the information_schema has been dropped and recreated. Other failures were also possible.
Improve pg_upgrade performance by setting synchronous_commit to off in the new cluster
Make contrib/pageinspect's btree page inspection functions take buffer locks while examining pages
Work around unportable behavior of malloc(0) and realloc(NULL, 0)
On platforms where these calls return NULL, some code mistakenly thought that meant out-of-memory. This is known to have broken pg_dump for databases containing no user-defined aggregates. There might be other cases as well.
Ensure that make install for an extension creates the extension installation directory
Previously, this step was missed if MODULEDIR was set in the extension's Makefile.
Fix pgxs support for building loadable modules on AIX
Building modules outside the original source tree didn't work on AIX.
Update time zone data files to tzdata release 2012j for DST law changes in Cuba, Israel, Jordan, Libya, Palestine, Western Samoa, and portions of Brazil.

New in PostgreSQL 9.2.1 (Sep 24, 2012)

Changes:
Fix persistence marking of shared buffers during WAL replay (Jeff Davis) This mistake can result in buffers not being written out during checkpoints, resulting in data corruption if the server later crashes without ever having written those buffers. Corruption can occur on any server following crash recovery, but it is significantly more likely to occur on standby slave servers since those perform much more WAL replay. There is a low probability of corruption of btree and GIN indexes. There is a much higher probability of corruption of table "visibility maps", which might lead to wrong answers from index-only scans. Table data proper cannot be corrupted by this bug. While no index corruption due to this bug is known to have occurred in the field, as a precautionary measure it is recommended that production installations REINDEX all btree and GIN indexes at a convenient time after upgrading to 9.2.1. Also, it is recommended to perform a VACUUM of all tables while having vacuum_freeze_table_age set to zero. This will fix any incorrect visibility map data. vacuum_cost_delay can be adjusted to reduce the performance impact of vacuuming, while causing it to take longer to finish.
Fix possible incorrect sorting of output from queries involving WHERE indexed_column IN (list_of_values) (Tom Lane)
Fix planner failure for queries involving GROUP BY expressions along with window functions and aggregates (Tom Lane)
Fix planner's assignment of executor parameters (Tom Lane) This error could result in wrong answers from queries that scan the same WITH subquery multiple times.
Improve planner's handling of join conditions in index scans (Tom Lane)
Improve selectivity estimation for text search queries involving prefixes, i.e. word:* patterns (Tom Lane)
Fix delayed recognition of permissions changes (Tom Lane) A command that needed no locks other than ones its transaction already had might fail to notice a concurrent GRANT or REVOKE that committed since the start of its transaction.
Fix ANALYZE to not fail when a column is a domain over an array type (Tom Lane)
Prevent PL/Perl from crashing if a recursive PL/Perl function is redefined while being executed (Tom Lane)
Work around possible misoptimization in PL/Perl (Tom Lane) Some Linux distributions contain an incorrect version of pthread.h that results in incorrect compiled code in PL/Perl, leading to crashes if a PL/Perl function calls another one that throws an error.
Remove unnecessary dependency on pg_config from pg_upgrade (Peter Eisentraut)
Update time zone data files to tzdata release 2012f for DST law changes in Fiji

New in PostgreSQL 9.2.0 (Sep 10, 2012)

New in PostgreSQL 9.2 RC 1 (Aug 30, 2012)

New in PostgreSQL 9.1.5 (Aug 18, 2012)

Prevent access to external files/URLs via XML entity references (Noah Misch, Tom Lane) xml_parse() would attempt to fetch external files or URLs as needed to resolve DTD and entity references in an XML value, thus allowing unprivileged database users to attempt to fetch data with the privileges of the database server. While the external data wouldn't get returned directly to the user, portions of it could be exposed in error messages if the data didn't parse as valid XML; and in any case the mere ability to check existence of a file might be useful to an attacker. (CVE-2012-3489)
Prevent access to external files/URLs via contrib/xml2's xslt_process() (Peter Eisentraut) libxslt offers the ability to read and write both files and URLs through stylesheet commands, thus allowing unprivileged database users to both read and write data with the privileges of the database server. Disable that through proper use of libxslt's security options. (CVE-2012-3488) Also, remove xslt_process()'s ability to fetch documents and stylesheets from external files/URLs. While this was a documented "feature", it was long regarded as a bad idea. The fix for CVE-2012-3489 broke that capability, and rather than expend effort on trying to fix it, we're just going to summarily remove it.
Prevent too-early recycling of btree index pages (Noah Misch) When we allowed read-only transactions to skip assigning XIDs, we introduced the possibility that a deleted btree page could be recycled while a read-only transaction was still in flight to it. This would result in incorrect index search results. The probability of such an error occurring in the field seems very low because of the timing requirements, but nonetheless it should be fixed.
Fix crash-safety bug with newly-created-or-reset sequences (Tom Lane) If ALTER SEQUENCE was executed on a freshly created or reset sequence, and then precisely one nextval() call was made on it, and then the server crashed, WAL replay would restore the sequence to a state in which it appeared that no nextval() had been done, thus allowing the first sequence value to be returned again by the next nextval() call. In particular this could manifest for serial columns, since creation of a serial column's sequence includes an ALTER SEQUENCE OWNED BY step.
Fix race condition in enum-type value comparisons (Robert Haas, Tom Lane) Comparisons could fail when encountering an enum value added since the current query started.
Fix txid_current() to report the correct epoch when not in hot standby (Heikki Linnakangas) This fixes a regression introduced in the previous minor release.
Prevent selection of unsuitable replication connections as the synchronous standby (Fujii Masao) The master might improperly choose pseudo-servers such as pg_receivexlog or pg_basebackup as the synchronous standby, and then wait indefinitely for them.
Fix bug in startup of Hot Standby when a master transaction has many subtransactions (Andres Freund) This mistake led to failures reported as "out-of-order XID insertion in KnownAssignedXids".
Ensure the backup_label file is fsync'd after pg_start_backup() (Dave Kerr)
Fix timeout handling in walsender processes (Tom Lane) WAL sender background processes neglected to establish a SIGALRM handler, meaning they would wait forever in some corner cases where a timeout ought to happen.
Wake walsenders after each background flush by walwriter (Andres Freund, Simon Riggs) This greatly reduces replication delay when the workload contains only asynchronously-committed transactions.
Fix LISTEN/NOTIFY to cope better with I/O problems, such as out of disk space (Tom Lane) After a write failure, all subsequent attempts to send more NOTIFY messages would fail with messages like "Could not read from file "pg_notify/nnnn" at offset nnnnn: Success".
Only allow autovacuum to be auto-canceled by a directly blocked process (Tom Lane) The original coding could allow inconsistent behavior in some cases; in particular, an autovacuum could get canceled after less than deadlock_timeout grace period.
Improve logging of autovacuum cancels (Robert Haas)
Fix log collector so that log_truncate_on_rotation works during the very first log rotation after server start (Tom Lane)
Fix WITH attached to a nested set operation (UNION/INTERSECT/EXCEPT) (Tom Lane)
Ensure that a whole-row reference to a subquery doesn't include any extra GROUP BY or ORDER BY columns (Tom Lane)
Fix dependencies generated during ALTER TABLE ... ADD CONSTRAINT USING INDEX (Tom Lane) This command left behind a redundant pg_depend entry for the index, which could confuse later operations, notably ALTER TABLE ... ALTER COLUMN TYPE on one of the indexed columns.
Fix REASSIGN OWNED to work on extensions (Alvaro Herrera)
Disallow copying whole-row references in CHECK constraints and index definitions during CREATE TABLE (Tom Lane) This situation can arise in CREATE TABLE with LIKE or INHERITS. The copied whole-row variable was incorrectly labeled with the row type of the original table not the new one. Rejecting the case seems reasonable for LIKE, since the row types might well diverge later. For INHERITS we should ideally allow it, with an implicit coercion to the parent table's row type; but that will require more work than seems safe to back-patch.
Fix memory leak in ARRAY(SELECT ...) subqueries (Heikki Linnakangas, Tom Lane)
Fix planner to pass correct collation to operator selectivity estimators (Tom Lane) This was not previously required by any core selectivity estimation function, but third-party code might need it.
Fix extraction of common prefixes from regular expressions (Tom Lane) The code could get confused by quantified parenthesized subexpressions, such as ^(foo)?bar. This would lead to incorrect index optimization of searches for such patterns.
Fix bugs with parsing signed hh:mm and hh:mm:ss fields in interval constants (Amit Kapila, Tom Lane)
Fix pg_dump to better handle views containing partial GROUP BY lists (Tom Lane) A view that lists only a primary key column in GROUP BY, but uses other table columns as if they were grouped, gets marked as depending on the primary key. Improper handling of such primary key dependencies in pg_dump resulted in poorly-ordered dumps, which at best would be inefficient to restore and at worst could result in outright failure of a parallel pg_restore run.
In PL/Perl, avoid setting UTF8 flag when in SQL_ASCII encoding (Alex Hunsaker, Kyotaro Horiguchi, Alvaro Herrera)
Use Postgres' encoding conversion functions, not Python's, when converting a Python Unicode string to the server encoding in PL/Python (Jan Urbanski) This avoids some corner-case problems, notably that Python doesn't support all the encodings Postgres does. A notable functional change is that if the server encoding is SQL_ASCII, you will get the UTF-8 representation of the string; formerly, any non-ASCII characters in the string would result in an error.
Fix mapping of PostgreSQL encodings to Python encodings in PL/Python (Jan Urbanski)
Report errors properly in contrib/xml2's xslt_process() (Tom Lane)
Update time zone data files to tzdata release 2012e for DST law changes in Morocco and Tokelau

New in PostgreSQL 9.1.4 (Jun 4, 2012)

Changes:
Fix incorrect password transformation in contrib/pgcrypto's DES crypt() function (Solar Designer)
If a password string contained the byte value 0x80, the remainder of the password was ignored, causing the password to be much weaker than it appeared. With this fix, the rest of the string is properly included in the DES hash. Any stored password values that are affected by this bug will thus no longer match, so the stored values may need to be updated. (CVE-2012-2143)
Ignore SECURITY DEFINER and SET attributes for a procedural language's call handler (Tom Lane)
Applying such attributes to a call handler could crash the server. (CVE-2012-2655)
Make contrib/citext's upgrade script fix collations of citext arrays and domains over citext (Tom Lane)
Release 9.1.2 provided a fix for collations of citext columns and indexes in databases upgraded or reloaded from pre-9.1 installations, but that fix was incomplete: it neglected to handle arrays and domains over citext. This release extends the module's upgrade script to handle these cases. As before, if you have already run the upgrade script, you'll need to run the collation update commands by hand instead. See the 9.1.2 release notes for more information about doing this.
Allow numeric timezone offsets in timestamp input to be up to 16 hours away from UTC (Tom Lane)
Some historical time zones have offsets larger than 15 hours, the previous limit. This could result in dumped data values being rejected during reload.
Fix timestamp conversion to cope when the given time is exactly the last DST transition time for the current timezone (Tom Lane)
This oversight has been there a long time, but was not noticed previously because most DST-using zones are presumed to have an indefinite sequence of future DST transitions.
Fix text to name and char to name casts to perform string truncation correctly in multibyte encodings (Karl Schnaitter)
Fix memory copying bug in to_tsquery() (Heikki Linnakangas)
Ensure txid_current() reports the correct epoch when executed in hot standby (Simon Riggs)
Fix planner's handling of outer PlaceHolderVars within subqueries (Tom Lane)
This bug concerns sub-SELECTs that reference variables coming from the nullable side of an outer join of the surrounding query. In 9.1, queries affected by this bug would fail with "ERROR: Upper-level PlaceHolderVar found where not expected". But in 9.0 and 8.4, you'd silently get possibly-wrong answers, since the value transmitted into the subquery wouldn't go to null when it should.
Fix planning of UNION ALL subqueries with output columns that are not simple variables (Tom Lane)
Planning of such cases got noticeably worse in 9.1 as a result of a misguided fix for "MergeAppend child's targetlist doesn't match MergeAppend" errors. Revert that fix and do it another way.
Fix slow session startup when pg_attribute is very large (Tom Lane)
If pg_attribute exceeds one-fourth of shared_buffers, cache rebuilding code that is sometimes needed during session start would trigger the synchronized-scan logic, causing it to take many times longer than normal. The problem was particularly acute if many new sessions were starting at once.
Ensure sequential scans check for query cancel reasonably often (Merlin Moncure)
A scan encountering many consecutive pages that contain no live tuples would not respond to interrupts meanwhile.
Ensure the Windows implementation of PGSemaphoreLock() clears ImmediateInterruptOK before returning (Tom Lane)
This oversight meant that a query-cancel interrupt received later in the same query could be accepted at an unsafe time, with unpredictable but not good consequences.
Show whole-row variables safely when printing views or rules (Abbas Butt, Tom Lane)
Corner cases involving ambiguous names (that is, the name could be either a table or column name of the query) were printed in an ambiguous way, risking that the view or rule would be interpreted differently after dump and reload. Avoid the ambiguous case by attaching a no-op cast.
Fix COPY FROM to properly handle null marker strings that correspond to invalid encoding (Tom Lane)
A null marker string such as E'\\0' should work, and did work in the past, but the case got broken in 8.4.
Fix EXPLAIN VERBOSE for writable CTEs containing RETURNING clauses (Tom Lane)
Fix PREPARE TRANSACTION to work correctly in the presence of advisory locks (Tom Lane)
Historically, PREPARE TRANSACTION has simply ignored any session-level advisory locks the session holds, but this case was accidentally broken in 9.1.
Fix truncation of unlogged tables (Robert Haas)
Ignore missing schemas during non-interactive assignments of search_path (Tom Lane)
This re-aligns 9.1's behavior with that of older branches. Previously 9.1 would throw an error for nonexistent schemas mentioned in search_path settings obtained from places such as ALTER DATABASE SET.
Fix bugs with temporary or transient tables used in extension scripts (Tom Lane)
This includes cases such as a rewriting ALTER TABLE within an extension update script, since that uses a transient table behind the scenes.
Ensure autovacuum worker processes perform stack depth checking properly (Heikki Linnakangas)
Previously, infinite recursion in a function invoked by auto-ANALYZE could crash worker processes.
Fix logging collector to not lose log coherency under high load (Andrew Dunstan)
The collector previously could fail to reassemble large messages if it got too busy.
Fix logging collector to ensure it will restart file rotation after receiving SIGHUP (Tom Lane)
Fix "too many LWLocks taken" failure in GiST indexes (Heikki Linnakangas)
Fix WAL replay logic for GIN indexes to not fail if the index was subsequently dropped (Tom Lane)
Correctly detect SSI conflicts of prepared transactions after a crash (Dan Ports)
Avoid synchronous replication delay when committing a transaction that only modified temporary tables (Heikki Linnakangas)
In such a case the transaction's commit record need not be flushed to standby servers, but some of the code didn't know that and waited for it to happen anyway.
Fix error handling in pg_basebackup (Thomas Ogrisegg, Fujii Masao)
Fix walsender to not go into a busy loop if connection is terminated (Fujii Masao)
Fix memory leak in PL/pgSQL's RETURN NEXT command (Joe Conway)
Fix PL/pgSQL's GET DIAGNOSTICS command when the target is the function's first variable (Tom Lane)
Ensure that PL/Perl package-qualifies the _TD variable (Alex Hunsaker)
This bug caused trigger invocations to fail when they are nested within a function invocation that changes the current package.
Fix PL/Python functions returning composite types to accept a string for their result value (Jan Urbanski)
This case was accidentally broken by the 9.1 additions to allow a composite result value to be supplied in other formats, such as dictionaries.
Fix potential access off the end of memory in psql's expanded display (\x) mode (Peter Eisentraut)
Fix several performance problems in pg_dump when the database contains many objects (Jeff Janes, Tom Lane)
pg_dump could get very slow if the database contained many schemas, or if many objects are in dependency loops, or if there are many owned sequences.
Fix memory and file descriptor leaks in pg_restore when reading a directory-format archive (Peter Eisentraut)
Fix pg_upgrade for the case that a database stored in a non-default tablespace contains a table in the cluster's default tablespace (Bruce Momjian)
In ecpg, fix rare memory leaks and possible overwrite of one byte after the sqlca_t structure (Peter Eisentraut)
Fix contrib/dblink's dblink_exec() to not leak temporary database connections upon error (Tom Lane)
Fix contrib/dblink to report the correct connection name in error messages (Kyotaro Horiguchi)
Fix contrib/vacuumlo to use multiple transactions when dropping many large objects (Tim Lewis, Robert Haas, Tom Lane)
This change avoids exceeding max_locks_per_transaction when many objects need to be dropped. The behavior can be adjusted with the new -l (limit) option.
Update time zone data files to tzdata release 2012c for DST law changes in Antarctica, Armenia, Chile, Cuba, Falkland Islands, Gaza, Haiti, Hebron, Morocco, Syria, and Tokelau Islands; also historical corrections for Canada.

New in PostgreSQL 9.2 Beta 1 (May 15, 2012)

New in PostgreSQL 9.1.3 (Feb 27, 2012)

Changes:
Require execute permission on the trigger function for CREATE TRIGGER (Robert Haas)
This missing check could allow another user to execute a trigger function with forged input data, by installing it on a table he owns. This is only of significance for trigger functions marked SECURITY DEFINER, since otherwise trigger functions run as the table owner anyway. (CVE-2012-0866)
Remove arbitrary limitation on length of common name in SSL certificates (Heikki Linnakangas)
Both libpq and the server truncated the common name extracted from an SSL certificate at 32 bytes. Normally this would cause nothing worse than an unexpected verification failure, but there are some rather-implausible scenarios in which it might allow one certificate holder to impersonate another. The victim would have to have a common name exactly 32 bytes long, and the attacker would have to persuade a trusted CA to issue a certificate in which the common name has that string as a prefix. Impersonating a server would also require some additional exploit to redirect client connections. (CVE-2012-0867)
Convert newlines to spaces in names written in pg_dump comments (Robert Haas)
pg_dump was incautious about sanitizing object names that are emitted within SQL comments in its output script. A name containing a newline would at least render the script syntactically incorrect. Maliciously crafted object names could present a SQL injection risk when the script is reloaded. (CVE-2012-0868)
Fix btree index corruption from insertions concurrent with vacuuming (Tom Lane)
An index page split caused by an insertion could sometimes cause a concurrently-running VACUUM to miss removing index entries that it should remove. After the corresponding table rows are removed, the dangling index entries would cause errors (such as "could not read block N in file ...") or worse, silently wrong query results after unrelated rows are re-inserted at the now-free table locations. This bug has been present since release 8.2, but occurs so infrequently that it was not diagnosed until now. If you have reason to suspect that it has happened in your database, reindexing the affected index will fix things.
Fix transient zeroing of shared buffers during WAL replay (Tom Lane)
The replay logic would sometimes zero and refill a shared buffer, so that the contents were transiently invalid. In hot standby mode this can result in a query that's executing in parallel seeing garbage data. Various symptoms could result from that, but the most common one seems to be "invalid memory alloc request size".
Fix handling of data-modifying WITH subplans in READ COMMITTED rechecking (Tom Lane)
A WITH clause containing INSERT/UPDATE/DELETE would crash if the parent UPDATE or DELETE command needed to be re-evaluated at one or more rows due to concurrent updates in READ COMMITTED mode.
Fix corner case in SSI transaction cleanup (Dan Ports)
When finishing up a read-write serializable transaction, a crash could occur if all remaining active serializable transactions are read-only.
Fix postmaster to attempt restart after a hot-standby crash (Tom Lane)
A logic error caused the postmaster to terminate, rather than attempt to restart the cluster, if any backend process crashed while operating in hot standby mode.
Fix CLUSTER/VACUUM FULL handling of toast values owned by recently-updated rows (Tom Lane)
This oversight could lead to "duplicate key value violates unique constraint" errors being reported against the toast table's index during one of these commands.
Update per-column permissions, not only per-table permissions, when changing table owner (Tom Lane)
Failure to do this meant that any previously granted column permissions were still shown as having been granted by the old owner. This meant that neither the new owner nor a superuser could revoke the now-untraceable-to-table-owner permissions.
Support foreign data wrappers and foreign servers in REASSIGN OWNED (Alvaro Herrera)
This command failed with "unexpected classid" errors if it needed to change the ownership of any such objects.
Allow non-existent values for some settings in ALTER USER/DATABASE SET (Heikki Linnakangas)
Allow default_text_search_config, default_tablespace, and temp_tablespaces to be set to names that are not known. This is because they might be known in another database where the setting is intended to be used, or for the tablespace cases because the tablespace might not be created yet. The same issue was previously recognized for search_path, and these settings now act like that one.
Fix "unsupported node type" error caused by COLLATE in an INSERT expression (Tom Lane)
Avoid crashing when we have problems deleting table files post-commit (Tom Lane)
Dropping a table should lead to deleting the underlying disk files only after the transaction commits. In event of failure then (for instance, because of wrong file permissions) the code is supposed to just emit a warning message and go on, since it's too late to abort the transaction. This logic got broken as of release 8.4, causing such situations to result in a PANIC and an unrestartable database.
Recover from errors occurring during WAL replay of DROP TABLESPACE (Tom Lane)
Replay will attempt to remove the tablespace's directories, but there are various reasons why this might fail (for example, incorrect ownership or permissions on those directories). Formerly the replay code would panic, rendering the database unrestartable without manual intervention. It seems better to log the problem and continue, since the only consequence of failure to remove the directories is some wasted disk space.
Fix race condition in logging AccessExclusiveLocks for hot standby (Simon Riggs)
Sometimes a lock would be logged as being held by "transaction zero". This is at least known to produce assertion failures on slave servers, and might be the cause of more serious problems.
Track the OID counter correctly during WAL replay, even when it wraps around (Tom Lane)
Previously the OID counter would remain stuck at a high value until the system exited replay mode. The practical consequences of that are usually nil, but there are scenarios wherein a standby server that's been promoted to master might take a long time to advance the OID counter to a reasonable value once values are needed.
Prevent emitting misleading "consistent recovery state reached" log message at the beginning of crash recovery (Heikki Linnakangas)
Fix initial value of pg_stat_replication.replay_location (Fujii Masao)
Previously, the value shown would be wrong until at least one WAL record had been replayed.
Fix regular expression back-references with * attached (Tom Lane)
Rather than enforcing an exact string match, the code would effectively accept any string that satisfies the pattern sub-expression referenced by the back-reference symbol.
A similar problem still afflicts back-references that are embedded in a larger quantified expression, rather than being the immediate subject of the quantifier. This will be addressed in a future PostgreSQL release.
Fix recently-introduced memory leak in processing of inet/cidr values (Heikki Linnakangas)
A patch in the December 2011 releases of PostgreSQL caused memory leakage in these operations, which could be significant in scenarios such as building a btree index on such a column.
Fix planner's ability to push down index-expression restrictions through UNION ALL (Tom Lane)
This type of optimization was inadvertently disabled by a fix for another problem in 9.1.2.
Fix planning of WITH clauses referenced in UPDATE/DELETE on an inherited table (Tom Lane)
This bug led to "could not find plan for CTE" failures.
Fix GIN cost estimation to handle column IN (...) index conditions (Marti Raudsepp)
This oversight would usually lead to crashes if such a condition could be used with a GIN index.
Prevent assertion failure when exiting a session with an open, failed transaction (Tom Lane)
This bug has no impact on normal builds with asserts not enabled.
Fix dangling pointer after CREATE TABLE AS/SELECT INTO in a SQL-language function (Tom Lane)
In most cases this only led to an assertion failure in assert-enabled builds, but worse consequences seem possible.
Avoid double close of file handle in syslogger on Windows (MauMau)
Ordinarily this error was invisible, but it would cause an exception when running on a debug version of Windows.
Fix I/O-conversion-related memory leaks in plpgsql (Andres Freund, Jan Urbanski, Tom Lane)
Certain operations would leak memory until the end of the current function.
Work around bug in perl's SvPVutf8() function (Andrew Dunstan)
This function crashes when handed a typeglob or certain read-only objects such as $^V. Make plperl avoid passing those to it.
In pg_dump, don't dump contents of an extension's configuration tables if the extension itself is not being dumped (Tom Lane)
Improve pg_dump's handling of inherited table columns (Tom Lane)
pg_dump mishandled situations where a child column has a different default expression than its parent column. If the default is textually identical to the parent's default, but not actually the same (for instance, because of schema search path differences) it would not be recognized as different, so that after dump and restore the child would be allowed to inherit the parent's default. Child columns that are NOT NULL where their parent is not could also be restored subtly incorrectly.
Fix pg_restore's direct-to-database mode for INSERT-style table data (Tom Lane)
Direct-to-database restores from archive files made with --inserts or --column-inserts options fail when using pg_restore from a release dated September or December 2011, as a result of an oversight in a fix for another problem. The archive file itself is not at fault, and text-mode output is okay.
Teach pg_upgrade to handle renaming of plpython's shared library (Bruce Momjian)
Upgrading a pre-9.1 database that included plpython would fail because of this oversight.
Allow pg_upgrade to process tables containing regclass columns (Bruce Momjian)
Since pg_upgrade now takes care to preserve pg_class OIDs, there was no longer any reason for this restriction.
Make libpq ignore ENOTDIR errors when looking for an SSL client certificate file (Magnus Hagander)
This allows SSL connections to be established, though without a certificate, even when the user's home directory is set to something like /dev/null.
Fix some more field alignment issues in ecpg's SQLDA area (Zoltan Boszormenyi)
Allow AT option in ecpg DEALLOCATE statements (Michael Meskes)
The infrastructure to support this has been there for awhile, but through an oversight there was still an error check rejecting the case.
Do not use the variable name when defining a varchar structure in ecpg (Michael Meskes)
Fix contrib/auto_explain's JSON output mode to produce valid JSON (Andrew Dunstan)
The output used brackets at the top level, when it should have used braces.
Fix error in contrib/intarray's int[] & int[] operator (Guillaume Lelarge)
If the smallest integer the two input arrays have in common is 1, and there are smaller values in either array, then 1 would be incorrectly omitted from the result.
Fix error detection in contrib/pgcrypto's encrypt_iv() and decrypt_iv() (Marko Kreen)
These functions failed to report certain types of invalid-input errors, and would instead return random garbage values for incorrect input.
Fix one-byte buffer overrun in contrib/test_parser (Paul Guyot)
The code would try to read one more byte than it should, which would crash in corner cases. Since contrib/test_parser is only example code, this is not a security issue in itself, but bad example code is still bad.
Use __sync_lock_test_and_set() for spinlocks on ARM, if available (Martin Pitt)
This function replaces our previous use of the SWPB instruction, which is deprecated and not available on ARMv6 and later. Reports suggest that the old code doesn't fail in an obvious way on recent ARM boards, but simply doesn't interlock concurrent accesses, leading to bizarre failures in multiprocess operation.
Use -fexcess-precision=standard option when building with gcc versions that accept it (Andrew Dunstan)
This prevents assorted scenarios wherein recent versions of gcc will produce creative results.
Allow use of threaded Python on FreeBSD (Chris Rees)
Our configure script previously believed that this combination wouldn't work; but FreeBSD fixed the problem, so remove that error check.
Allow MinGW builds to use standardly-named OpenSSL libraries (Tomasz Ostrowski)

New in PostgreSQL 9.1.2 (Dec 5, 2011)

Changes:
Fix bugs in information_schema.referential_constraints view (Tom Lane)
This view was being insufficiently careful about matching the foreign-key constraint to the depended-on primary or unique key constraint. That could result in failure to show a foreign key constraint at all, or showing it multiple times, or claiming that it depends on a different constraint than the one it really does.
Since the view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can (as a superuser) drop the information_schema schema then re-create it by sourcing SHAREDIR/information_schema.sql. (Run pg_config --sharedir if you're uncertain where SHAREDIR is.) This must be repeated in each database to be fixed.
Make contrib/citext's upgrade script fix collations of citext columns and indexes (Tom Lane)
Existing citext columns and indexes aren't correctly marked as being of a collatable data type during pg_upgrade from a pre-9.1 server. That leads to operations on them failing with errors such as "could not determine which collation to use for string comparison". This change allows them to be fixed by the same script that upgrades the citext module into a proper 9.1 extension during CREATE EXTENSION citext FROM unpackaged.
If you have a previously-upgraded database that is suffering from this problem, and you already ran the CREATE EXTENSION command, you can manually run (as superuser) the UPDATE commands found at the end of SHAREDIR/extension/citext--unpackaged--1.0.sql. (Run pg_config --sharedir if you're uncertain where SHAREDIR is.)
Fix possible crash during UPDATE or DELETE that joins to the output of a scalar-returning function (Tom Lane)
A crash could only occur if the target row had been concurrently updated, so this problem surfaced only intermittently.
Fix incorrect replay of WAL records for GIN index updates (Tom Lane)
This could result in transiently failing to find index entries after a crash, or on a hot-standby server. The problem would be repaired by the next VACUUM of the index, however.
Fix TOAST-related data corruption during CREATE TABLE dest AS SELECT * FROM src or INSERT INTO dest SELECT * FROM src (Tom Lane)
If a table has been modified by ALTER TABLE ADD COLUMN, attempts to copy its data verbatim to another table could produce corrupt results in certain corner cases. The problem can only manifest in this precise form in 8.4 and later, but we patched earlier versions as well in case there are other code paths that could trigger the same bug.
Fix possible failures during hot standby startup (Simon Riggs)
Start hot standby faster when initial snapshot is incomplete (Simon Riggs)
Fix race condition during toast table access from stale syscache entries (Tom Lane)
The typical symptom was transient errors like "missing chunk number 0 for toast value NNNNN in pg_toast_2619", where the cited toast table would always belong to a system catalog.
Track dependencies of functions on items used in parameter default expressions (Tom Lane)
Previously, a referenced object could be dropped without having dropped or modified the function, leading to misbehavior when the function was used. Note that merely installing this update will not fix the missing dependency entries; to do that, you'd need to CREATE OR REPLACE each such function afterwards. If you have functions whose defaults depend on non-built-in objects, doing so is recommended.
Fix incorrect management of placeholder variables in nestloop joins (Tom Lane)
This bug is known to lead to "variable not found in subplan target list" planner errors, and could possibly result in wrong query output when outer joins are involved.
Fix window functions that sort by expressions involving aggregates (Tom Lane)
Previously these could fail with "could not find pathkey item to sort" planner errors.
Fix "MergeAppend child's targetlist doesn't match MergeAppend" planner errors (Tom Lane)
Fix index matching for operators with both collatable and noncollatable inputs (Tom Lane)
In 9.1.0, an indexable operator that has a non-collatable left-hand input type and a collatable right-hand input type would not be recognized as matching the left-hand column's index. An example is the hstore ? text operator.
Allow inlining of set-returning SQL functions with multiple OUT parameters (Tom Lane)
Don't trust deferred-unique indexes for join removal (Tom Lane and Marti Raudsepp)
A deferred uniqueness constraint might not hold intra-transaction, so assuming that it does could give incorrect query results.
Make DatumGetInetP() unpack inet datums that have a 1-byte header, and add a new macro, DatumGetInetPP(), that does not (Heikki Linnakangas)
This change affects no core code, but might prevent crashes in add-on code that expects DatumGetInetP() to produce an unpacked datum as per usual convention.
Improve locale support in money type's input and output (Tom Lane)
Aside from not supporting all standard lc_monetary formatting options, the input and output functions were inconsistent, meaning there were locales in which dumped money values could not be re-read.
Don't let transform_null_equals affect CASE foo WHEN NULL ... constructs (Heikki Linnakangas)
transform_null_equals is only supposed to affect foo = NULL expressions written directly by the user, not equality checks generated internally by this form of CASE.
Change foreign-key trigger creation order to better support self-referential foreign keys (Tom Lane)
For a cascading foreign key that references its own table, a row update will fire both the ON UPDATE trigger and the CHECK trigger as one event. The ON UPDATE trigger must execute first, else the CHECK will check a non-final state of the row and possibly throw an inappropriate error. However, the firing order of these triggers is determined by their names, which generally sort in creation order since the triggers have auto-generated names following the convention "RI_ConstraintTrigger_NNNN". A proper fix would require modifying that convention, which we will do in 9.2, but it seems risky to change it in existing releases. So this patch just changes the creation order of the triggers. Users encountering this type of error should drop and re-create the foreign key constraint to get its triggers into the right order.
Fix IF EXISTS to work correctly in DROP OPERATOR FAMILY (Robert Haas)
Disallow dropping of an extension from within its own script (Tom Lane)
This prevents odd behavior in case of incorrect management of extension dependencies.
Don't mark auto-generated types as extension members (Robert Haas)
Relation rowtypes and automatically-generated array types do not need to have their own extension membership entries in pg_depend, and creating such entries complicates matters for extension upgrades.
Cope with invalid pre-existing search_path settings during CREATE EXTENSION (Tom Lane)
Avoid floating-point underflow while tracking buffer allocation rate (Greg Matthews)
While harmless in itself, on certain platforms this would result in annoying kernel log messages.
Prevent autovacuum transactions from running in serializable mode (Tom Lane)
Autovacuum formerly used the cluster-wide default transaction isolation level, but there is no need for it to use anything higher than READ COMMITTED, and using SERIALIZABLE could result in unnecessary delays for other processes.
Ensure walsender processes respond promptly to SIGTERM (Magnus Hagander)
Exclude postmaster.opts from base backups (Magnus Hagander)
Preserve configuration file name and line number values when starting child processes under Windows (Tom Lane)
Formerly, these would not be displayed correctly in the pg_settings view.
Fix incorrect field alignment in ecpg's SQLDA area (Zoltan Boszormenyi)
Preserve blank lines within commands in psql's command history (Robert Haas)
The former behavior could cause problems if an empty line was removed from within a string literal, for example.
Avoid platform-specific infinite loop in pg_dump (Steve Singer)
Fix compression of plain-text output format in pg_dump (Adrian Klaver and Tom Lane)
pg_dump has historically understood -Z with no -F switch to mean that it should emit a gzip-compressed version of its plain text output. Restore that behavior.
Fix pg_dump to dump user-defined casts between auto-generated types, such as table rowtypes (Tom Lane)
Fix missed quoting of foreign server names in pg_dump (Tom Lane)
Assorted fixes for pg_upgrade (Bruce Momjian)
Handle exclusion constraints correctly, avoid failures on Windows, don't complain about mismatched toast table names in 8.4 databases.
In PL/pgSQL, allow foreign tables to define row types (Alexander Soudakov)
Fix up conversions of PL/Perl functions' results (Alex Hunsaker and Tom Lane)
Restore the pre-9.1 behavior that PL/Perl functions returning void ignore the result value of their last Perl statement; 9.1.0 would throw an error if that statement returned a reference. Also, make sure it works to return a string value for a composite type, so long as the string meets the type's input format. In addition, throw errors for attempts to return Perl arrays or hashes when the function's declared result type is not an array or composite type, respectively. (Pre-9.1 versions rather uselessly returned strings like ARRAY(0x221a9a0) or HASH(0x221aa90) in such cases.)
Ensure PL/Perl strings are always correctly UTF8-encoded (Amit Khandekar and Alex Hunsaker)
Use the preferred version of xsubpp to build PL/Perl, not necessarily the operating system's main copy (David Wheeler and Alex Hunsaker)
Correctly propagate SQLSTATE in PL/Python exceptions (Mika Eloranta and Jan Urbanski)
Do not install PL/Python extension files for Python major versions other than the one built against (Peter Eisentraut)
Change all the contrib extension script files to report a useful error message if they are fed to psql (Andrew Dunstan and Tom Lane)
This should help teach people about the new method of using CREATE EXTENSION to load these files. In most cases, sourcing the scripts directly would fail anyway, but with harder-to-interpret messages.
Fix incorrect coding in contrib/dict_int and contrib/dict_xsyn (Tom Lane)
Some functions incorrectly assumed that memory returned by palloc() is guaranteed zeroed.
Remove contrib/sepgsql tests from the regular regression test mechanism (Tom Lane)
Since these tests require root privileges for setup, they're impractical to run automatically. Switch over to a manual approach instead, and provide a testing script to help with that.
Fix assorted errors in contrib/unaccent's configuration file parsing (Tom Lane)
Honor query cancel interrupts promptly in pgstatindex() (Robert Haas)
Fix incorrect quoting of log file name in Mac OS X start script (Sidar Lopez)
Revert unintentional enabling of WAL_DEBUG (Robert Haas)
Fortunately, as debugging tools go, this one is pretty cheap; but it's not intended to be enabled by default, so revert.
Ensure VPATH builds properly install all server header files (Peter Eisentraut)
Shorten file names reported in verbose error messages (Peter Eisentraut)
Regular builds have always reported just the name of the C file containing the error message call, but VPATH builds formerly reported an absolute path name.
Fix interpretation of Windows timezone names for Central America (Tom Lane)
Map "Central America Standard Time" to CST6, not CST6CDT, because DST is generally not observed anywhere in Central America.
Update time zone data files to tzdata release 2011n for DST law changes in Brazil, Cuba, Fiji, Palestine, Russia, and Samoa; also historical corrections for Alaska and British East Africa.

New in PostgreSQL 9.1.1 (Sep 26, 2011)

New in PostgreSQL 9.1.0 (Sep 12, 2011)

New in PostgreSQL 9.1 Alpha 5 (Mar 30, 2011)

New in PostgreSQL 9.0.3 (Feb 1, 2011)

Before exiting walreceiver, ensure all the received WAL is fsync'd to disk (Heikki Linnakangas)  Otherwise the standby server could replay some un-synced WAL, conceivably leading to data corruption if the system crashes just at that point.
Avoid excess fsync activity in walreceiver (Heikki Linnakangas)
Make ALTER TABLE revalidate uniqueness and exclusion constraints when needed (Noah Misch)  This was broken in 9.0 by a change that was intended to suppress revalidation during VACUUM FULL and CLUSTER, but unintentionally affected ALTER TABLE as well.
Fix EvalPlanQual for UPDATE of an inheritance tree in which the tables are not all alike (Tom Lane)  Any variation in the table row types (including dropped columns present in only some child tables) would confuse the EvalPlanQual code, leading to misbehavior or even crashes. Since EvalPlanQual is only executed during concurrent updates to the same row, the problem was only seen intermittently.
Avoid failures when EXPLAIN tries to display a simple-form CASE expression (Tom Lane)  If the CASE's test expression was a constant, the planner could simplify the CASE into a form that confused the expression-display code, resulting in "unexpected CASE WHEN clause" errors.
Fix assignment to an array slice that is before the existing range of subscripts (Tom Lane)  If there was a gap between the newly added subscripts and the first pre-existing subscript, the code miscalculated how many entries needed to be copied from the old array's null bitmap, potentially leading to data corruption or crash.
Avoid unexpected conversion overflow in planner for very distant date values (Tom Lane)  The date type supports a wider range of dates than can be represented by the timestamp types, but the planner assumed it could always convert a date to timestamp with impunity.
Fix PL/Python crash when an array contains null entries (Alex Hunsaker)
Remove ecpg's fixed length limit for constants defining an array dimension (Michael Meskes)
Fix erroneous parsing of tsquery values containing ... & !(subexpression) | ... (Tom Lane)  Queries containing this combination of operators were not executed correctly. The same error existed in contrib/intarray's query_int type and contrib/ltree's ltxtquery type.
Fix buffer overrun in contrib/intarray's input function for the query_int type (Apple)  This bug is a security risk since the function's return address could be overwritten. Thanks to Apple Inc's security team for reporting this issue and supplying the fix. (CVE-2010-4015)
Fix bug in contrib/seg's GiST picksplit algorithm (Alexander Korotkov)  This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a seg column. If you have such an index, consider REINDEXing it after installing this update. (This is identical to the bug that was fixed in contrib/cube in the previous update.)

New in PostgreSQL 9.0.2 (Dec 16, 2010)

Force the default wal_sync_method to be fdatasync on Linux (Tom Lane, Marti Raudsepp)  The default on Linux has actually been fdatasync for many years, but recent kernel changes caused PostgreSQL to choose open_datasync instead. This choice did not result in any performance improvement, and caused outright failures on certain filesystems, notably ext4 with the data=journal mount option.
Fix "too many KnownAssignedXids" error during Hot Standby replay (Heikki Linnakangas)
Fix race condition in lock acquisition during Hot Standby (Simon Riggs)
Avoid unnecessary conflicts during Hot Standby (Simon Riggs)  This fixes some cases where replay was considered to conflict with standby queries (causing delay of replay or possibly cancellation of the queries), but there was no real conflict.
Fix assorted bugs in WAL replay logic for GIN indexes (Tom Lane)  This could result in "bad buffer id: 0" failures or corruption of index contents during replication.
Fix recovery from base backup when the starting checkpoint WAL record is not in the same WAL segment as its redo point (Jeff Davis)
Fix corner-case bug when streaming replication is enabled immediately after creating the master database cluster (Heikki Linnakangas)
Fix persistent slowdown of autovacuum workers when multiple workers remain active for a long time (Tom Lane)  The effective vacuum_cost_limit for an autovacuum worker could drop to nearly zero if it processed enough tables, causing it to run extremely slowly.
Fix long-term memory leak in autovacuum launcher (Alvaro Herrera)
Avoid failure when trying to report an impending transaction wraparound condition from outside a transaction (Tom Lane)  This oversight prevented recovery after transaction wraparound got too close, because database startup processing would fail.
Add support for detecting register-stack overrun on IA64 (Tom Lane)  The IA64 architecture has two hardware stacks. Full prevention of stack-overrun failures requires checking both.
Add a check for stack overflow in copyObject() (Tom Lane)  Certain code paths could crash due to stack overflow given a sufficiently complex query.
Fix detection of page splits in temporary GiST indexes (Heikki Linnakangas)  It is possible to have a "concurrent" page split in a temporary index, if for example there is an open cursor scanning the index when an insertion is done. GiST failed to detect this case and hence could deliver wrong results when execution of the cursor continued.
Fix error checking during early connection processing (Tom Lane)  The check for too many child processes was skipped in some cases, possibly leading to postmaster crash when attempting to add the new child process to fixed-size arrays.
Improve efficiency of window functions (Tom Lane)  Certain cases where a large number of tuples needed to be read in advance, but work_mem was large enough to allow them all to be held in memory, were unexpectedly slow. percent_rank(), cume_dist() and ntile() in particular were subject to this problem.
Avoid memory leakage while ANALYZE'ing complex index expressions (Tom Lane)
Ensure an index that uses a whole-row Var still depends on its table (Tom Lane)  An index declared like create index i on t (foo(t.*)) would not automatically get dropped when its table was dropped.
Add missing support in DROP OWNED BY for removing foreign data wrapper/server privileges belonging to a user (Heikki Linnakangas)
Do not "inline" a SQL function with multiple OUT parameters (Tom Lane)  This avoids a possible crash due to loss of information about the expected result rowtype.
Fix crash when inline-ing a set-returning function whose argument list contains a reference to an inline-able user function (Tom Lane)
Behave correctly if ORDER BY, LIMIT, FOR UPDATE, or WITH is attached to the VALUES part of INSERT ... VALUES (Tom Lane)
Make the OFF keyword unreserved (Heikki Linnakangas)  This prevents problems with using off as a variable name in PL/pgSQL. That worked before 9.0, but was now broken because PL/pgSQL now treats all core reserved words as reserved.
Fix constant-folding of COALESCE() expressions (Tom Lane)  The planner would sometimes attempt to evaluate sub-expressions that in fact could never be reached, possibly leading to unexpected errors.
Fix "could not find pathkey item to sort" planner failure with comparison of whole-row Vars (Tom Lane)
Fix postmaster crash when connection acceptance (accept() or one of the calls made immediately after it) fails, and the postmaster was compiled with GSSAPI support (Alexander Chernikov)
Retry after receiving an invalid response packet from a RADIUS authentication server (Magnus Hagander)  This fixes a low-risk potential denial of service condition.
Fix missed unlink of temporary files when log_temp_files is active (Tom Lane)  If an error occurred while attempting to emit the log message, the unlink was not done, resulting in accumulation of temp files.
Add print functionality for InhRelation nodes (Tom Lane)  This avoids a failure when debug_print_parse is enabled and certain types of query are executed.
Fix incorrect calculation of distance from a point to a horizontal line segment (Tom Lane)  This bug affected several different geometric distance-measurement operators.
Fix incorrect calculation of transaction status in ecpg (Itagaki Takahiro)
Fix errors in psql's Unicode-escape support (Tom Lane)
Speed up parallel pg_restore when the archive contains many large objects (blobs) (Tom Lane)
Fix PL/pgSQL's handling of "simple" expressions to not fail in recursion or error-recovery cases (Tom Lane)
Fix PL/pgSQL's error reporting for no-such-column cases (Tom Lane)  As of 9.0, it would sometimes report "missing FROM-clause entry for table foo" when "record foo has no field bar" would be more appropriate.
Fix PL/Python to honor typmod (i.e., length or precision restrictions) when assigning to tuple fields (Tom Lane)  This fixes a regression from 8.4.
Fix PL/Python's handling of set-returning functions (Jan Urbanski)  Attempts to call SPI functions within the iterator generating a set result would fail.
Fix bug in contrib/cube's GiST picksplit algorithm (Alexander Korotkov)  This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a cube column. If you have such an index, consider REINDEXing it after installing this update.
Don't emit "identifier will be truncated" notices in contrib/dblink except when creating new connections (Itagaki Takahiro)
Fix potential coredump on missing public key in contrib/pgcrypto (Marti Raudsepp)
Fix buffer overrun in contrib/pg_upgrade (Hernan Gonzalez)
Fix memory leak in contrib/xml2's XPath query functions (Tom Lane)
Update time zone data files to tzdata release 2010o for DST law changes in Fiji and Samoa; also historical corrections for Hong Kong.

New in PostgreSQL 9.0.1 (Oct 6, 2010)

Use a separate interpreter for each calling SQL userid in PL/Perl and PL/Tcl (Tom Lane)  This change prevents security problems that can be caused by subverting Perl or Tcl code that will be executed later in the same session under another SQL user identity (for example, within a SECURITY DEFINER function). Most scripting languages offer numerous ways that that might be done, such as redefining standard functions or operators called by the target function. Without this change, any SQL user with Perl or Tcl language usage rights can do essentially anything with the SQL privileges of the target function's owner.  The cost of this change is that intentional communication among Perl and Tcl functions becomes more difficult. To provide an escape hatch, PL/PerlU and PL/TclU functions continue to use only one interpreter per session. This is not considered a security issue since all such functions execute at the trust level of a database superuser already.  It is likely that third-party procedural languages that claim to offer trusted execution have similar security issues. We advise contacting the authors of any PL you are depending on for security-critical purposes.  Our thanks to Tim Bunce for pointing out this issue (CVE-2010-3433).
Improve pg_get_expr() security fix so that the function can still be used on the output of a sub-select (Tom Lane)
Fix incorrect placement of placeholder evaluation (Tom Lane)  This bug could result in query outputs being non-null when they should be null, in cases where the inner side of an outer join is a sub-select with non-strict expressions in its output list.
Fix join removal's handling of placeholder expressions (Tom Lane)
Fix possible duplicate scans of UNION ALL member relations (Tom Lane)
Prevent infinite loop in ProcessIncomingNotify() after unlistening (Jeff Davis)
Prevent show_session_authorization() from crashing within autovacuum processes (Tom Lane)
Re-allow input of Julian dates prior to 0001-01-01 AD (Tom Lane)  Input such as 'J100000'::date worked before 8.4, but was unintentionally broken by added error-checking.
Make psql recognize DISCARD ALL as a command that should not be encased in a transaction block in autocommit-off mode (Itagaki Takahiro)
Update build infrastructure and documentation to reflect the source code repository's move from CVS to Git (Magnus Hagander and others)

New in PostgreSQL 9.0.0 (Sep 20, 2010)

Built-in replication based on log shipping. This advance consists of two features: Streaming Replication, allowing continuous archive (WAL) files to be streamed over a network connection to a standby server, and Hot Standby, allowing continuous archive standby servers to execute read-only queries. The net effect is to support a single master with multiple read-only slave servers.
Easier database object permissions management. GRANT/REVOKE IN SCHEMA supports mass permissions changes on existing objects, while ALTER DEFAULT PRIVILEGES allows control of privileges for objects created in the future. Large objects (BLOBs) now support permissions management as well.
Broadly enhanced stored procedure support. The DO statement supports ad-hoc or "anonymous" code blocks. Functions can now be called using named parameters. PL/pgSQL is now installed by default, and PL/Perl and PL/Python have been enhanced in several ways, including support for Python3.
Full support for 64-bit Windows.
More advanced reporting queries, including additional windowing options (PRECEDING and FOLLOWING) and the ability to control the order in which values are fed to aggregate functions.
New trigger features, including SQL-standard-compliant per-column triggers and conditional trigger execution.
Deferrable unique constraints. Mass updates to unique keys are now possible without trickery.
Exclusion constraints. These provide a generalized version of unique constraints, allowing enforcement of complex conditions.
New and enhanced security features, including RADIUS authentication, LDAP authentication improvements, and a new contrib module passwordcheck for testing password strength.
New high-performance implementation of the LISTEN/NOTIFY feature. Pending events are now stored in a memory-based queue rather than a table. Also, a "payload" string can be sent with each event, rather than transmitting just an event name as before.
New implementation of VACUUM FULL. This command now rewrites the entire table and indexes, rather than moving individual rows to compact space. It is substantially faster in most cases, and no longer results in index bloat.
New contrib module pg_upgrade to support in-place upgrades from 8.3 or 8.4 to 9.0.
Multiple performance enhancements for specific types of queries, including elimination of unnecessary joins. This helps optimize some automatically-generated queries, such as those produced by object-relational mappers (ORMs).
EXPLAIN enhancements. The output is now available in JSON, XML, or YAML format, and includes buffer utilization and other data not previously available.
hstore improvements, including new functions and greater data capacity.

New in PostgreSQL 9.0.0 Beta 3 (Jul 22, 2010)

New in PostgreSQL 8.4.4 (May 18, 2010)

Enforce restrictions in plperl using an opmask applied to the whole interpreter, instead of using Safe.pm (Tim Bunce, Andrew Dunstan)  Recent developments have convinced us that Safe.pm is too insecure to rely on for making plperl trustable. This change removes use of Safe.pm altogether, in favor of using a separate interpreter with an opcode mask that is always applied. Pleasant side effects of the change include that it is now possible to use Perl's strict pragma in a natural way in plperl, and that Perl's $a and $b variables work as expected in sort routines, and that function compilation is significantly faster. (CVE-2010-1169)
Prevent PL/Tcl from executing untrustworthy code from pltcl_modules (Tom)  PL/Tcl's feature for autoloading Tcl code from a database table could be exploited for trojan-horse attacks, because there was no restriction on who could create or insert into that table. This change disables the feature unless pltcl_modules is owned by a superuser. (However, the permissions on the table are not checked, so installations that really need a less-than-secure modules table can still grant suitable privileges to trusted non-superusers.) Also, prevent loading code into the unrestricted "normal" Tcl interpreter unless we are really going to execute a pltclu function. (CVE-2010-1170)
Fix data corruption during WAL replay of ALTER ... SET TABLESPACE (Tom)  When archive_mode is on, ALTER ... SET TABLESPACE generates a WAL record whose replay logic was incorrect. It could write the data to the wrong place, leading to possibly-unrecoverable data corruption. Data corruption would be observed on standby slaves, and could occur on the master as well if a database crash and recovery occurred after committing the ALTER and before the next checkpoint.
Fix possible crash if a cache reset message is received during rebuild of a relcache entry (Heikki)  This error was introduced in 8.4.3 while fixing a related failure.
Apply per-function GUC settings while running the language validator for the function (Itagaki Takahiro)  This avoids failures if the function's code is invalid without the setting; an example is that SQL functions may not parse if the search_path is not correct.
Do constraint exclusion for inherited UPDATE and DELETE target tables when constraint_exclusion = partition (Tom)  Due to an oversight, this setting previously only caused constraint exclusion to be checked in SELECT commands.
Do not allow an unprivileged user to reset superuser-only parameter settings (Alvaro)  Previously, if an unprivileged user ran ALTER USER ... RESET ALL for himself, or ALTER DATABASE ... RESET ALL for a database he owns, this would remove all special parameter settings for the user or database, even ones that are only supposed to be changeable by a superuser. Now, the ALTER will only remove the parameters that the user has permission to change.
Avoid possible crash during backend shutdown if shutdown occurs when a CONTEXT addition would be made to log entries (Tom)  In some cases the context-printing function would fail because the current transaction had already been rolled back when it came time to print a log message.
Fix erroneous handling of %r parameter in recovery_end_command (Heikki)  The value always came out zero.
Ensure the archiver process responds to changes in archive_command as soon as possible (Tom)
Fix pl/pgsql's CASE statement to not fail when the case expression is a query that returns no rows (Tom)
Update pl/perl's ppport.h for modern Perl versions (Andrew)
Fix assorted memory leaks in pl/python (Andreas Freund, Tom)
Handle empty-string connect parameters properly in ecpg (Michael)
Prevent infinite recursion in psql when expanding a variable that refers to itself (Tom)
Fix psql's \copy to not add spaces around a dot within \copy (select ...) (Tom)  Addition of spaces around the decimal point in a numeric literal would result in a syntax error.
Avoid formatting failure in psql when running in a locale context that doesn't match the client_encoding (Tom)
Fix unnecessary "GIN indexes do not support whole-index scans" errors for unsatisfiable queries using contrib/intarray operators (Tom)
Ensure that contrib/pgstattuple functions respond to cancel interrupts promptly (Tatsuhito Kasahara)
Make server startup deal properly with the case that shmget() returns EINVAL for an existing shared memory segment (Tom)  This behavior has been observed on BSD-derived kernels including OS X. It resulted in an entirely-misleading startup failure complaining that the shared memory request size was too large.
Avoid possible crashes in syslogger process on Windows (Heikki)
Deal more robustly with incomplete time zone information in the Windows registry (Magnus)
Update the set of known Windows time zone names (Magnus)
Update time zone data files to tzdata release 2010j for DST law changes in Argentina, Australian Antarctic, Bangladesh, Mexico, Morocco, Pakistan, Palestine, Russia, Syria, Tunisia; also historical corrections for Taiwan.  Also, add PKST (Pakistan Summer Time) to the default set of timezone abbreviations.

New in PostgreSQL 8.4.3 (Mar 29, 2010)

Add new configuration parameter ssl_renegotiation_limit to control how often we do session key renegotiation for an SSL connection (Magnus)
This can be set to zero to disable renegotiation completely, which may be required if a broken SSL library is used. In particular, some vendors are shipping stopgap patches for CVE-2009-3555 that cause renegotiation attempts to fail.
Fix possible deadlock during backend startup (Tom)
Fix possible crashes due to not handling errors during relcache reload cleanly (Tom)
Fix possible crash due to use of dangling pointer to a cached plan (Tatsuo)
Fix possible crash due to overenthusiastic invalidation of cached plan for ROLLBACK (Tom)
Fix possible crashes when trying to recover from a failure in subtransaction start (Tom)
Fix server memory leak associated with use of savepoints and a client encoding different from server's encoding (Tom)
Fix incorrect WAL data emitted during end-of-recovery cleanup of a GIST index page split (Yoichi Hirai)
This would result in index corruption, or even more likely an error during WAL replay, if we were unlucky enough to crash during end-of-recovery cleanup after having completed an incomplete GIST insertion.
Fix bug in WAL redo cleanup method for GIN indexes (Heikki)
Fix incorrect comparison of scan key in GIN index search (Teodor)
Make substring() for bit types treat any negative length as meaning "all the rest of the string" (Tom)
The previous coding treated only -1 that way, and would produce an invalid result value for other negative values, possibly leading to a crash (CVE-2010-0442).
Fix integer-to-bit-string conversions to handle the first fractional byte correctly when the output bit width is wider than the given integer by something other than a multiple of 8 bits (Tom)
Fix some cases of pathologically slow regular expression matching (Tom)
Fix bug occurring when trying to inline a SQL function that returns a set of a composite type that contains dropped columns (Tom)
Fix bug with trying to update a field of an element of a composite-type array column (Tom)
Avoid failure when EXPLAIN has to print a FieldStore or assignment ArrayRef expression (Tom)
These cases can arise now that EXPLAIN VERBOSE tries to print plan node target lists.
Avoid an unnecessary coercion failure in some cases where an undecorated literal string appears in a subquery within UNION/INTERSECT/EXCEPT (Tom)
This fixes a regression for some cases that worked before 8.4.
Avoid undesirable rowtype compatibility check failures in some cases where a whole-row Var has a rowtype that contains dropped columns (Tom)
Fix the STOP WAL LOCATION entry in backup history files to report the next WAL segment's name when the end location is exactly at a segment boundary (Itagaki Takahiro)
Always pass the catalog ID to an option validator function specified in CREATE FOREIGN DATA WRAPPER (Martin Pihlak)
Fix some more cases of temporary-file leakage (Heikki)
This corrects a problem introduced in the previous minor release. One case that failed is when a plpgsql function returning set is called within another function's exception handler.
Add support for doing FULL JOIN ON FALSE (Tom)
This prevents a regression from pre-8.4 releases for some queries that can now be simplified to a constant-false join condition.
Improve constraint exclusion processing of boolean-variable cases, in particular make it possible to exclude a partition that has a "bool_column = false" constraint (Tom)
Prevent treating an INOUT cast as representing binary compatibility (Heikki)
Include column name in the message when warning about inability to grant or revoke column-level privileges (Stephen Frost)
This is more useful than before and helps to prevent confusion when a REVOKE generates multiple messages, which formerly appeared to be duplicates.
When reading pg_hba.conf and related files, do not treat something as a file inclusion request if the appears inside quote marks; also, never treat by itself as a file inclusion request (Tom)
This prevents erratic behavior if a role or database name starts with . If you need to include a file whose path name contains spaces, you can still do so, but you must write "/path to/file" rather than putting the quotes around the whole construct.
Prevent infinite loop on some platforms if a directory is named as an inclusion target in pg_hba.conf and related files (Tom)
Fix possible infinite loop if SSL_read or SSL_write fails without setting errno (Tom)
This is reportedly possible with some Windows versions of openssl.
Disallow GSSAPI authentication on local connections, since it requires a hostname to function correctly (Magnus)
Protect ecpg against applications freeing strings unexpectedly (Michael)
Make ecpg report the proper SQLSTATE if the connection disappears (Michael)
Fix translation of cell contents in psql \d output (Heikki)
Fix psql's numericlocale option to not format strings it shouldn't in latex and troff output formats (Heikki)
Fix a small per-query memory leak in psql (Tom)
Make psql return the correct exit status (3) when ON_ERROR_STOP and --single-transaction are both specified and an error occurs during the implied COMMIT (Bruce)
Fix pg_dump's output of permissions for foreign servers (Heikki)
Fix possible crash in parallel pg_restore due to out-of-range dependency IDs (Tom)
Fix plpgsql failure in one case where a composite column is set to NULL (Tom)
Fix possible failure when calling PL/Perl functions from PL/PerlU or vice versa (Tim Bunce)
Add volatile markings in PL/Python to avoid possible compiler-specific misbehavior (Zdenek Kotala)
Ensure PL/Tcl initializes the Tcl interpreter fully (Tom)
The only known symptom of this oversight is that the Tcl clock command misbehaves if using Tcl 8.5 or later.
Prevent ExecutorEnd from being run on portals created within a failed transaction or subtransaction (Tom)
This is known to cause issues when using contrib/auto_explain.
Prevent crash in contrib/dblink when too many key columns are specified to a dblink_build_sql_* function (Rushabh Lathia, Joe Conway)
Allow zero-dimensional arrays in contrib/ltree operations (Tom)
This case was formerly rejected as an error, but it's more convenient to treat it the same as a zero-element array. In particular this avoids unnecessary failures when an ltree operation is applied to the result of ARRAY(SELECT ...) and the sub-select returns no rows.
Fix assorted crashes in contrib/xml2 caused by sloppy memory management (Tom)
Make building of contrib/xml2 more robust on Windows (Andrew)
Fix race condition in Windows signal handling (Radu Ilie)
One known symptom of this bug is that rows in pg_listener could be dropped under heavy load.
Make the configure script report failure if the C compiler does not provide a working 64-bit integer datatype (Tom)
This case has been broken for some time, and no longer seems worth supporting, so just reject it at configure time instead.
Update time zone data files to tzdata release 2010e for DST law changes in Bangladesh, Chile, Fiji, Mexico, Paraguay, Samoa.

New in PostgreSQL 8.4.2 (Dec 14, 2009)

A dump/restore is not required for those running 8.4.X. However, if you have any hash indexes, you should REINDEX them after updating to 8.4.2, to repair possible damage.
Protect against indirect security threats caused by index functions changing session-local state (Gurjeet Singh, Tom)
This change prevents allegedly-immutable index functions from possibly subverting a superuser's session (CVE-2009-4136).
Reject SSL certificates containing an embedded null byte in the common name (CN) field (Magnus)
This prevents unintended matching of a certificate to a server or client name during SSL validation (CVE-2009-4034).
Fix hash index corruption (Tom) - The 8.4 change that made hash indexes keep entries sorted by hash value failed to update the bucket splitting and compaction routines to preserve the ordering. So application of either of those operations could lead to permanent corruption of an index, in the sense that searches might fail to find entries that are present. To deal with this, it is recommended to REINDEX any hash indexes you may have after installing this update.
Fix possible crash during backend-startup-time cache initialization (Tom)
Avoid crash on empty thesaurus dictionary (Tom)
Prevent signals from interrupting VACUUM at unsafe times (Alvaro)
This fix prevents a PANIC if a VACUUM FULL is cancelled after it's already committed its tuple movements, as well as transient errors if a plain VACUUM is interrupted after having truncated the table.
Fix possible crash due to integer overflow in hash table size calculation (Tom)
This could occur with extremely large planner estimates for the size of a hashjoin's result.
Fix crash if a DROP is attempted on an internally-dependent object (Tom)
Fix very rare crash in inet/cidr comparisons (Chris Mikkelson)
Ensure that shared tuple-level locks held by prepared transactions are not ignored (Heikki)
Fix premature drop of temporary files used for a cursor that is accessed within a subtransaction (Heikki)
Fix memory leak in syslogger process when rotating to a new CSV logfile (Tom)
Fix memory leak in postmaster when re-parsing pg_hba.conf (Tom)
Fix Windows permission-downgrade logic (Jesse Morris)
his fixes some cases where the database failed to start on Windows, often with misleading error messages such as "could not locate matching postgres executable".
Make FOR UPDATE/SHARE in the primary query not propagate into WITH queries (Tom)
For example, in WITH w AS (SELECT * FROM foo) SELECT * FROM w, bar ... FOR UPDATE the FOR UPDATE will now affect bar but not foo. This is more useful and consistent than the original 8.4 behavior, which tried to propagate FOR UPDATE into the WITH query but always failed due to assorted implementation restrictions. It also follows the design rule that WITH queries are executed as if independent of the main query.
Fix bug with a WITH RECURSIVE query immediately inside another one (Tom)
Fix concurrency bug in hash indexes (Tom)
Concurrent insertions could cause index scans to transiently report wrong results.
Fix incorrect logic for GiST index page splits, when the split depends on a non-first column of the index (Paul Ramsey)
Fix wrong search results for a multi-column GIN index with fastupdate enabled (Teodor)
Fix bugs in WAL entry creation for GIN indexes (Tom)
These bugs were masked when full_page_writes was on, but with it off a WAL replay failure was certain if a crash occurred before the next checkpoint.
Don't error out if recycling or removing an old WAL file fails at the end of checkpoint (Heikki)
It's better to treat the problem as non-fatal and allow the checkpoint to complete. Future checkpoints will retry the removal. Such problems are not expected in normal operation, but have been seen to be caused by misdesigned Windows anti-virus and backup software.
Ensure WAL files aren't repeatedly archived on Windows (Heikki)
This is another symptom that could happen if some other process interfered with deletion of a no-longer-needed file.
Fix PAM password processing to be more robust (Tom)
The previous code is known to fail with the combination of the Linux pam_krb5 PAM module with Microsoft Active Directory as the domain controller. It might have problems elsewhere too, since it was making unjustified assumptions about what arguments the PAM stack would pass to it.
Raise the maximum authentication token (Kerberos ticket) size in GSSAPI and SSPI authentication methods (Ian Turner)
While the old 2000-byte limit was more than enough for Unix Kerberos implementations, tickets issued by Windows Domain Controllers can be much larger.
Ensure that domain constraints are enforced in constructs like ARRAY[...]::domain, where the domain is over an array type (Heikki)
Fix foreign-key logic for some cases involving composite-type columns as foreign keys (Tom)
Ensure that a cursor's snapshot is not modified after it is created (Alvaro)
This could lead to a cursor delivering wrong results if later operations in the same transaction modify the data the cursor is supposed to return.
Fix CREATE TABLE to properly merge default expressions coming from different inheritance parent tables (Tom)
This used to work but was broken in 8.4.
Re-enable collection of access statistics for sequences (Akira Kurosawa)
This used to work but was broken in 8.3.
Fix processing of ownership dependencies during CREATE OR REPLACE FUNCTION (Tom)
Fix incorrect handling of WHERE x=x conditions (Tom)
In some cases these could get ignored as redundant, but they aren't — they're equivalent to x IS NOT NULL.
Fix incorrect plan construction when using hash aggregation to implement DISTINCT for textually identical volatile expressions (Tom)
Fix Assert failure for a volatile SELECT DISTINCT ON expression (Tom)
Fix ts_stat() to not fail on an empty tsvector value (Tom)
Make text search parser accept underscores in XML attributes (Peter)
Fix encoding handling in xml binary input (Heikki)
If the XML header doesn't specify an encoding, we now assume UTF-8 by default; the previous handling was inconsistent.
Fix bug with calling plperl from plperlu or vice versa (Tom)
An error exit from the inner function could result in crashes due to failure to re-select the correct Perl interpreter for the outer function.
Fix session-lifespan memory leak when a PL/Perl function is redefined (Tom)
Ensure that Perl arrays are properly converted to PostgreSQL arrays when returned by a set-returning PL/Perl function (Andrew Dunstan, Abhijit Menon-Sen)
This worked correctly already for non-set-returning functions.
Fix rare crash in exception processing in PL/Python (Peter)
Fix ecpg problem with comments in DECLARE CURSOR statements (Michael)
Fix ecpg to not treat recently-added keywords as reserved words (Tom)
This affected the keywords CALLED, CATALOG, DEFINER, ENUM, FOLLOWING, INVOKER, OPTIONS, PARTITION, PRECEDING, RANGE, SECURITY, SERVER, UNBOUNDED, and WRAPPER.
Re-allow regular expression special characters in psql's df function name parameter (Tom)
In contrib/pg_standby, disable triggering failover with a signal on Windows (Fujii Masao)
This never did anything useful, because Windows doesn't have Unix-style signals, but recent changes made it actually crash.
Put FREEZE and VERBOSE options in the right order in the VACUUM command that contrib/vacuumdb produces (Heikki)
Fix possible leak of connections when contrib/dblink encounters an error (Tatsuhito Kasahara)
Ensure psql's flex module is compiled with the correct system header definitions (Tom)
This fixes build failures on platforms where --enable-largefile causes incompatible changes in the generated code.
Make the postmaster ignore any application_name parameter in connection request packets, to improve compatibility with future libpq versions (Tom)
Update the timezone abbreviation files to match current reality (Joachim Wieland)
This includes adding IDT to the default timezone abbreviation set.
Update time zone data files to tzdata release 2009s for DST law changes in Antarctica, Argentina, Bangladesh, Fiji, Novokuznetsk, Pakistan, Palestine, Samoa, Syria; also historical corrections for Hong Kong.

New in PostgreSQL 8.4.1 (Sep 9, 2009)

Fix WAL page header initialization at the end of archive recovery (Heikki)  This could lead to failure to process the WAL in a subsequent archive recovery.
Fix "cannot make new WAL entries during recovery" error (Tom)
Fix problem that could make expired rows visible after a crash (Tom)  This bug involved a page status bit potentially not being set correctly after a server crash.
Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside security-definer functions (Tom, Heikki)  This covers a case that was missed in the previous patch that disallowed SET ROLE and SET SESSION AUTHORIZATION inside security-definer functions. (See CVE-2007-6600)
Make LOAD of an already-loaded loadable module into a no-op (Tom)  Formerly, LOAD would attempt to unload and re-load the module, but this is unsafe and not all that useful.
Make window function PARTITION BY and ORDER BY items always be interpreted as simple expressions (Tom)  In 8.4.0 these lists were parsed following the rules used for top-level GROUP BY and ORDER BY lists. But this was not correct per the SQL standard, and it led to possible circularity.
Fix several errors in planning of semi-joins (Tom)  These led to wrong query results in some cases where IN or EXISTS was used together with another join.
Fix handling of whole-row references to subqueries that are within an outer join (Tom)  An example is SELECT COUNT(ss.*) FROM ... LEFT JOIN (SELECT ...) ss ON .... Here, ss.* would be treated as ROW(NULL,NULL,...) for null-extended join rows, which is not the same as a simple NULL. Now it is treated as a simple NULL.
Fix Windows shared-memory allocation code (Tsutomu Yamada, Magnus)  This bug led to the often-reported "could not reattach to shared memory" error message.
Fix locale handling with plperl (Heikki)  This bug could cause the server's locale setting to change when a plperl function is called, leading to data corruption.
Fix handling of reloptions to ensure setting one option doesn't force default values for others (Itagaki Takahiro)
Ensure that a "fast shutdown" request will forcibly terminate open sessions, even if a "smart shutdown" was already in progress (Fujii Masao)
Avoid memory leak for array_agg() in GROUP BY queries (Tom)
Treat to_char(..., 'TH') as an uppercase ordinal suffix with 'HH'/'HH12' (Heikki)  It was previously handled as 'th' (lowercase).
Include the fractional part in the result of EXTRACT(second) and EXTRACT(milliseconds) for time and time with time zone inputs (Tom)  This has always worked for floating-point datetime configurations, but was broken in the integer datetime code.
Fix overflow for INTERVAL 'x ms' when x is more than 2 million and integer datetimes are in use (Alex Hunsaker)
Improve performance when processing toasted values in index scans (Tom)  This is particularly useful for PostGIS.
Fix a typo that disabled commit_delay (Jeff Janes)
Output early-startup messages to postmaster.log if the server is started in silent mode (Tom)  Previously such error messages were discarded, leading to difficulty in debugging.
Remove translated FAQs (Peter)  They are now on the wiki. The main FAQ was moved to the wiki some time ago.
Fix pg_ctl to not go into an infinite loop if postgresql.conf is empty (Jeff Davis)
Fix several errors in pg_dump's --binary-upgrade mode (Bruce, Tom)  pg_dump --binary-upgrade is used by pg_migrator.
Fix contrib/xml2's xslt_process() to properly handle the maximum number of parameters (twenty) (Tom)
Improve robustness of libpq's code to recover from errors during COPY FROM STDIN (Tom)
Avoid including conflicting readline and editline header files when both libraries are installed (Zdenek Kotala)
Work around gcc bug that causes "floating-point exception" instead of "division by zero" on some platforms (Tom)
Update time zone data files to tzdata release 2009l for DST law changes in Bangladesh, Egypt, Mauritius.

New in PostgreSQL 8.4.0 (Jul 23, 2009)

New in PostgreSQL 8.3.7 (Mar 18, 2009)

New in PostgreSQL 8.3.6 (Feb 7, 2009)

Make DISCARD ALL release advisory locks, in addition to everything it already did (Tom)
This was decided to be the most appropriate behavior. This could affect existing applications, however.
Fix whole-index GiST scans to work correctly (Teodor)
This error could cause rows to be lost if a table is clustered on a GiST index.
Fix crash of xmlconcat(NULL) (Peter)
Fix possible crash in ispell dictionary if high-bit-set characters are used as flags (Teodor)
This is known to be done by one widely available Norwegian dictionary, and the same condition may exist in others.
Fix misordering of pg_dump output for composite types (Tom)
The most likely problem was for user-defined operator classes to be dumped after indexes or views that needed them.
Improve handling of URLs in headline() function (Teodor)
Improve handling of overlength headlines in headline() function (Teodor)
Prevent possible Assert failure or misconversion if an encoding conversion is created with the wrong conversion function for the specified pair of encodings (Tom, Heikki)
Fix possible Assert failure if a statement executed in PL/pgSQL is rewritten into another kind of statement, for example if an INSERT is rewritten into an UPDATE (Heikki)
Ensure that a snapshot is available to datatype input functions (Tom)
This primarily affects domains that are declared with CHECK constraints involving user-defined stable or immutable functions. Such functions typically fail if no snapshot has been set.
Make it safer for SPI-using functions to be used within datatype I/O; in particular, to be used in domain check constraints (Tom)
Avoid unnecessary locking of small tables in VACUUM (Heikki)
Fix a problem that sometimes kept ALTER TABLE ENABLE/DISABLE RULE from being recognized by active sessions (Tom)
Fix a problem that made UPDATE RETURNING tableoid return zero instead of the correct OID (Tom)
Allow functions declared as taking ANYARRAY to work on the pg_statistic columns of that type (Tom)
This used to work, but was unintentionally broken in 8.3.
Fix planner misestimation of selectivity when transitive equality is applied to an outer-join clause (Tom)
This could result in bad plans for queries like ... from a left join b on a.a1 = b.b1 where a.a1 = 42 ...
Improve optimizer's handling of long IN lists (Tom)
This change avoids wasting large amounts of time on such lists when constraint exclusion is enabled.
Prevent synchronous scan during GIN index build (Tom)
Because GIN is optimized for inserting tuples in increasing TID order, choosing to use a synchronous scan could slow the build by a factor of three or more.
Ensure that the contents of a holdable cursor don't depend on the contents of TOAST tables (Tom)
Previously, large field values in a cursor result might be represented as TOAST pointers, which would fail if the referenced table got dropped before the cursor is read, or if the large value is deleted and then vacuumed away. This cannot happen with an ordinary cursor, but it could with a cursor that is held past its creating transaction.
Fix memory leak when a set-returning function is terminated without reading its whole result (Tom)
Fix encoding conversion problems in XML functions when the database encoding isn't UTF-8 (Tom)
Fix contrib/dblink's dblink_get_result(text,bool) function (Joe)
Fix possible garbage output from contrib/sslinfo functions (Tom)
Fix incorrect behavior of contrib/tsearch2 compatibility trigger when it's fired more than once in a command (Teodor)
Fix possible mis-signaling in autovacuum (Heikki)
Support running as a service on Windows 7 beta (Dave and Magnus)
Fix ecpg's handling of varchar structs (Michael)
Fix configure script to properly report failure when unable to obtain linkage information for PL/Perl (Andrew)
Make all documentation reference pgsql-bugs and/or pgsql-hackers as appropriate, instead of the now-decommissioned pgsql-ports and pgsql-patches mailing lists (Tom)
Update time zone data files to tzdata release 2009a (for Kathmandu and historical DST corrections in Switzerland, Cuba)

New in PostgreSQL 8.3.5 (Nov 14, 2008)

Migration to Version 8.3.5:
A dump/restore is not required for those running 8.3.X. However, if you are upgrading from a version earlier than 8.3.1, see the release notes for 8.3.1.
Changes:
Fix GiST index corruption due to marking the wrong index entry "dead" after a deletion.
This would result in index searches failing to find rows they should have found.
Fix backend crash when the client encoding cannot represent a localized error message.
We have addressed similar issues before, but it would still fail if the "character has no equivalent" message itself couldn't be converted. The fix is to disable localization and send the plain ASCII error message when we detect such a situation.
Fix possible crash in bytea-to-XML mapping.
Fix possible crash when deeply nested functions are invoked from a trigger.
Improve optimization of expression IN (expression-list) queries.
Cases in which there are query variables on the right-hand side had been handled less efficiently in 8.2.x and 8.3.x than in prior versions. The fix restores 8.1 behavior for such cases.
Fix mis-expansion of rule queries when a sub-SELECT appears in a function call in FROM, a multi-row VALUES list, or a RETURNING list.
The usual symptom of this problem is an "unrecognized node type" error.
Fix Assert failure during rescan of an IS NULL search of a GiST index.
Fix memory leak during rescan of a hashed aggregation plan.
Ensure an error is reported when a newly-defined PL/pgSQL trigger function is invoked as a normal function.
Force a checkpoint before CREATE DATABASE starts to copy files.
This prevents a possible failure if files had recently been deleted in the source database.
Prevent possible collision of relfilenode numbers when moving a table to another tablespace with ALTER SET TABLESPACE.
The command tried to re-use the existing filename, instead of picking one that is known unused in the destination directory.
Fix incorrect text search headline generation when single query item matches first word of text.
Fix improper display of fractional seconds in interval values when using a non-ISO datestyle in an --enable-integer-datetimes build.
Make ILIKE compare characters case-insensitively even when they're escaped.
Ensure DISCARD is handled properly by statement logging.
Fix incorrect logging of last-completed-transaction time during PITR recovery.
Ensure SPI_getvalue and SPI_getbinval behave correctly when the passed tuple and tuple descriptor have different numbers of columns.
This situation is normal when a table has had columns added or removed, but these two functions didn't handle it properly. The only likely consequence is an incorrect error indication.
Mark SessionReplicationRole as PGDLLIMPORT so it can be used by Slony on Windows.
Fix small memory leak when using libpq's gsslib parameter.
The space used by the parameter string was not freed at connection close.
Ensure libgssapi is linked into libpq if needed.
Fix ecpg's parsing of CREATE ROLE.
Fix recent breakage of pg_ctl restart.
Ensure pg_control is opened in binary mode.
pg_controldata and pg_resetxlog did this incorrectly, and so could fail on Windows.
Update time zone data files to tzdata release 2008i (for DST law changes in Argentina, Brazil, Mauritius, Syria).

New in PostgreSQL 8.3.4.1 (Oct 24, 2008)

Fix bug in btree WAL recovery code (Heikki)
Recovery failed if the WAL ended partway through a page split operation.
Fix potential use of wrong cutoff XID for HOT page pruning (Alvaro)
This error created a risk of corruption in system catalogs that are consulted by VACUUM: dead tuple versions might be removed too soon. The impact of this on actual database operations would be minimal, since the system doesn't follow MVCC rules while examining catalogs, but it might result in transiently wrong output from pg_dump or other client programs.
Fix potential miscalculation of datfrozenxid (Alvaro)
This error may explain some recent reports of failure to remove old pg_clog data.
Fix incorrect HOT updates after pg_class is reindexed (Tom)
Corruption of pg_class could occur if REINDEX TABLE pg_class was followed in the same session by an ALTER TABLE RENAME or ALTER TABLE SET SCHEMA command.
Fix missed "combo cid" case (Karl Schnaitter)
This error made rows incorrectly invisible to a transaction in which they had been deleted by multiple subtransactions that all aborted.
Prevent autovacuum from crashing if the table it's currently checking is deleted at just the wrong time (Alvaro)
Widen local lock counters from 32 to 64 bits (Tom)
This responds to reports that the counters could overflow in sufficiently long transactions, leading to unexpected "lock is already held" errors.
Fix possible duplicate output of tuples during a GiST index scan (Teodor)
Regenerate foreign key checking queries from scratch when either table is modified (Tom)
Previously, 8.3 would attempt to replan the query, but would work from previously generated query text. This led to failures if a table or column was renamed.
Fix missed permissions checks when a view contains a simple UNION ALL construct (Heikki)
Permissions for the referenced tables were checked properly, but not permissions for the view itself.
Add checks in executor startup to ensure that the tuples produced by an INSERT or UPDATE will match the target table's current rowtype (Tom)
This situation is believed to be impossible in 8.3, but it can happen in prior releases, so a check seems prudent.
Fix possible repeated drops during DROP OWNED (Tom)
This would typically result in strange errors such as "cache lookup failed for relation NNN".
Fix several memory leaks in XML operations (Kris Jurka, Tom)
Fix xmlserialize() to raise error properly for unacceptable target data type (Tom)
Fix a couple of places that mis-handled multibyte characters in text search configuration file parsing (Tom)
Certain characters occurring in configuration files would always cause "invalid byte sequence for encoding" failures.
Provide file name and line number location for all errors reported in text search configuration files (Tom)
Fix AT TIME ZONE to first try to interpret its timezone argument as a timezone abbreviation, and only try it as a full timezone name if that fails, rather than the other way around as formerly (Tom)
The timestamp input functions have always resolved ambiguous zone names in this order. Making AT TIME ZONE do so as well improves consistency, and fixes a compatibility bug introduced in 8.1: in ambiguous cases we now behave the same as 8.0 and before did, since in the older versions AT TIME ZONE accepted only abbreviations.
Fix datetime input functions to correctly detect integer overflow when running on a 64-bit platform (Tom)
Prevent integer overflows during units conversion when displaying a configuration parameter that has units (Tom)
Improve performance of writing very long log messages to syslog (Tom)
Allow spaces in the suffix part of an LDAP URL in pg_hba.conf (Tom)
Fix bug in backwards scanning of a cursor on a SELECT DISTINCT ON query (Tom)
Fix planner bug that could improperly push down IS NULL tests below an outer join (Tom)
This was triggered by occurrence of IS NULL tests for the same relation in all arms of an upper OR clause.
Fix planner bug with nested sub-select expressions (Tom)
If the outer sub-select has no direct dependency on the parent query, but the inner one does, the outer value might not get recalculated for new parent query rows.
Fix planner to estimate that GROUP BY expressions yielding boolean results always result in two groups, regardless of the expressions' contents (Tom)
This is very substantially more accurate than the regular GROUP BY estimate for certain boolean tests like col IS NULL.
Fix PL/PgSQL to not fail when a FOR loop's target variable is a record containing composite-type fields (Tom)
Fix PL/Tcl to behave correctly with Tcl 8.5, and to be more careful about the encoding of data sent to or from Tcl (Tom)
Improve performance of PQescapeBytea() (Rudolf Leitgeb)
On Windows, work around a Microsoft bug by preventing libpq from trying to send more than 64kB per system call (Magnus)
Fix ecpg to handle variables properly in SET commands (Michael)
Improve pg_dump and pg_restore's error reporting after failure to send a SQL command (Tom)
Fix pg_ctl to properly preserve postmaster command-line arguments across a restart (Bruce)
Fix erroneous WAL file cutoff point calculation in pg_standby (Simon)
Update time zone data files to tzdata release 2008f (for DST law changes in Argentina, Bahamas, Brazil, Mauritius, Morocco, Pakistan, Palestine, and Paraguay)

New in PostgreSQL 8.3.1 (Apr 3, 2008)

Repair corner-case bugs in VACUUM FULL. A potential deadlock between concurrent VACUUM FULL operations on different system catalogs was introduced in 8.2. This has now been corrected. 8.3 made this worse because the deadlock could occur within a critical code section, making it a PANIC rather than just ERROR condition. Also, a VACUUM FULL that failed partway through vacuuming a system catalog could result in cache corruption in concurrent database sessions. Another VACUUM FULL bug introduced in 8.3 could result in a crash or out-of-memory report when dealing with pages containing no live tuples.
Fix misbehavior of foreign key checks involving character or bit columns. If the referencing column were of a different but compatible type (for instance varchar), the constraint was enforced incorrectly.
Avoid needless deadlock failures in no-op foreign-key checks
Fix possible core dump when re-planning a prepared query. This bug affected only protocol-level prepare operations, not SQL PREPARE, and so tended to be seen only with JDBC, DBI, and other client-side drivers that use prepared statements heavily.
Fix possible failure when re-planning a query that calls an SPI-using function
Fix failure in row-wise comparisons involving columns of different datatypes
Fix longstanding LISTEN/NOTIFY race condition. In rare cases a session that had just executed a LISTEN might not get a notification, even though one would be expected because the concurrent transaction executing NOTIFY was observed to commit later. A side effect of the fix is that a transaction that has executed a not-yet-committed LISTEN command will not see any row in pg_listener for the LISTEN, should it choose to look; formerly it would have. This behavior was never documented one way or the other, but it is possible that some applications depend on the old behavior.
Disallow LISTEN and UNLISTEN within a prepared transaction. This was formerly allowed but trying to do it had various unpleasant consequences, notably that the originating backend could not exit as long as an UNLISTEN remained uncommitted.
Disallow dropping a temporary table within a prepared transaction. This was correctly disallowed by 8.1, but the check was inadvertently broken in 8.2 and 8.3.
Fix rare crash when an error occurs during a query using a hash index
Fix incorrect comparison of tsquery values
Fix incorrect behavior of LIKE with non-ASCII characters in single-byte encodings
Disable xmlvalidate. This function should have been removed before 8.3 release, but was inadvertently left in the source code. It poses a small security risk since unprivileged users could use it to read the first few characters of any file accessible to the server.
Fix memory leaks in certain usages of set-returning functions
Make encode(bytea, 'escape') convert all high-bit-set byte values into
nn octal escape sequences. This is necessary to avoid encoding problems when the database encoding is multi-byte. This change could pose compatibility issues for applications that are expecting specific results from encode.
Fix input of datetime values for February 29 in years BC. The former coding was mistaken about which years were leap years.
Fix "unrecognized node type" error in some variants of ALTER OWNER
Avoid tablespace permissions errors in CREATE TABLE LIKE INCLUDING INDEXES
Ensure pg_stat_activity.waiting flag is cleared when a lock wait is aborted
Fix handling of process permissions on Windows Vista. In particular, this fix allows starting the server as the Administrator user.
Update time zone data files to tzdata release 2008a (in particular, recent Chile changes); adjust timezone abbreviation VET (Venezuela) to mean UTC-4:30, not UTC-4:00
Fix ecpg problems with arrays
Fix pg_ctl to correctly extract the postmaster's port number from command-line options. Previously, pg_ctl start -w could try to contact the postmaster on the wrong port, leading to bogus reports of startup failure.
Use -fwrapv to defend against possible misoptimization in recent gcc versions. This is known to be necessary when building PostgreSQL with gcc 4.3 or later.
Enable building contrib/uuid-ossp with MSVC