Release date: 2021-08-12
This release contains a variety of fixes from 10.17. For information about new features in major release 10, see Section E.19.
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.16, see Section E.3.
Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issue CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.
SELECT ... GROUP BY GROUPING SETS (()) FOR UPDATE (Tom Lane)
This should be disallowed, just as
FOR UPDATE with a plain
GROUP BY is disallowed, but the test for that failed to handle empty grouping sets correctly. The end result would be a null-pointer dereference in the executor.
Reject cases where a query in
WITH rewrites to just
NOTIFY (Tom Lane)
Such cases previously crashed.
numeric multiplication, round the result rather than failing if it would have more than 16383 digits after the decimal point (Dean Rasheed)
Fix corner-case errors and loss of precision when raising
numeric values to very large powers (Dean Rasheed)
Fix division-by-zero failure in
EEEE format and a
numeric input value less than 10^(-1001) (Dean Rasheed)
pg_size_pretty(bigint) to round negative values consistently with the way it rounds positive ones (and consistently with the
numeric version) (Dean Rasheed, David Rowley)
pg_filenode_relation(0, 0) return NULL rather than failing (Justin Pryzby)
ALTER EXTENSION lock the extension when adding or removing a member object (Tom Lane)
The previous coding allowed
ALTER EXTENSION ADD/DROP to occur concurrently with
DROP EXTENSION, leading to a crash or corrupt catalog entries.
ALTER SUBSCRIPTION to reject an empty slot name (Japin Li)
Avoid alias conflicts in queries generated for
REFRESH MATERIALIZED VIEW CONCURRENTLY (Tom Lane, Bharath Rupireddy)
This command failed on materialized views containing columns with certain names, notably
PREPARE TRANSACTION to check correctly for conflicting session-lifespan and transaction-lifespan locks (Tom Lane)
A transaction cannot be prepared if it has both session-lifespan and transaction-lifespan locks on the same advisory-lock ID value. This restriction was not fully checked, which could lead to a PANIC during
Fix misbehavior of
DROP OWNED BY when the target role is listed more than once in an RLS policy (Tom Lane)
Skip unnecessary error tests when removing a role from an RLS policy during
DROP OWNED BY (Tom Lane)
Notably, this fixes some cases where it was necessary to be a superuser to use
DROP OWNED BY.
Allow index state flags to be updated transactionally (Michael Paquier, Andrey Lepikhov)
This avoids failures when dealing with index predicates that aren't really immutable. While that's not considered a supported case, the original reason for using a non-transactional update here is long gone, so we may as well change it.
Avoid corrupting the plan cache entry when
CREATE DOMAIN or
ALTER DOMAIN appears in a cached plan (Tom Lane)
Make walsenders show their latest replication commands in
pg_stat_activity (Tom Lane)
Previously, a walsender would show its latest SQL command, which was confusing if it's now doing some replication operation instead. Now we show replication-protocol commands on the same footing as SQL commands.
pending_restart show as true when the pertinent entry in
postgresql.conf has been removed (Álvaro Herrera)
pending_restart correctly showed the case where an entry that cannot be changed without a postmaster restart has been modified, but not where the entry had been removed altogether.
Fix corner-case failure of a new standby to follow a new primary (Dilip Kumar, Robert Haas)
Under a narrow combination of conditions, the standby could wind up trying to follow the wrong WAL timeline.
Update minimum recovery point when WAL replay of a transaction abort record causes file truncation (Fujii Masao)
File truncation is irreversible, so it's no longer safe to stop recovery at a point earlier than that record. The corresponding case for transaction commit was fixed years ago, but this one was overlooked.
In walreceivers, avoid attempting catalog lookups after an error (Masahiko Sawada, Bharath Rupireddy)
Ensure that a standby server's startup process will respond to a shutdown signal promptly while waiting for WAL to arrive (Fujii Masao, Soumyadeep Chakraborty)
Add locking to avoid reading incorrect relmapper data in the face of a concurrent write from another process (Heikki Linnakangas)
Improve checks for violations of replication protocol (Tom Lane)
Logical replication workers frequently used Asserts to check for cases that could be triggered by invalid or out-of-order replication commands. This seems unwise, so promote these tests to regular error checks.
Fix error cases and memory leaks in logical decoding of speculative insertions (Dilip Kumar)
Fix plan cache reference leaks in some error cases in
CREATE TABLE ... AS EXECUTE (Tom Lane)
Fix possible race condition when releasing BackgroundWorkerSlots (Tom Lane)
It's likely that this doesn't fix any observable bug on Intel hardware, but machines with weaker memory ordering rules could have problems.
Fix latent crash in sorting code (Ronan Dunklau)
One code path could attempt to free a null pointer. The case appears unreachable in the core server's use of sorting, but perhaps it could be triggered by extensions.
Prevent infinite loops in SP-GiST index insertion (Tom Lane)
In the event that INCLUDE columns take up enough space to prevent a leaf index tuple from ever fitting on a page, the text_ops operator class would get into an infinite loop vainly trying to make the tuple fit. While pre-v11 versions don't have INCLUDE columns, back-patch this anti-looping fix to them anyway, as it seems like a good defense against bugs in operator classes.
Ensure that SP-GiST index insertion can be terminated by a query cancel request (Tom Lane, Álvaro Herrera)
Fix uninitialized-variable bug that could cause PL/pgSQL to act as though an
INTO clause specified
STRICT, even though it didn't (Tom Lane)
Don't abort the process for an out-of-memory failure in libpq's printing functions (Tom Lane)
In ecpg, allow the
numeric value INT_MIN (usually -2147483648) to be converted to integer (John Naylor)
In psql and other client programs, avoid overrunning the ends of strings when dealing with invalidly-encoded data (Tom Lane)
An incorrectly-encoded multibyte character near the end of a string could cause various processing loops to run past the string's terminating NUL, with results ranging from no detectable issue to a program crash, depending on what happens to be in the following memory. This is reminiscent of CVE-2006-2313, although these particular cases do not appear to have interesting security consequences.
Avoid “invalid creation date in header” warnings observed when running pg_restore on an archive file created in a different time zone (Tom Lane)
Make pg_upgrade carry forward the old installation's
oldestXID value (Bertrand Drouvot)
Previously, the new installation's
oldestXID was set to a value old enough to (usually) force immediate anti-wraparound autovacuuming. That's not desirable from a performance standpoint; what's worse, installations using large values of
autovacuum_freeze_max_age could suffer unwanted forced shutdowns soon after an upgrade.
Extend pg_upgrade to detect and warn about extensions that should be upgraded (Bruce Momjian)
A script file is now produced containing the
ALTER EXTENSION UPDATE commands needed to bring extensions up to the versions that are considered default in the new installation.
Avoid problems when switching pg_receivewal between compressed and non-compressed WAL storage (Michael Paquier)
contrib/postgres_fdw, avoid attempting catalog lookups after an error (Tom Lane)
While this usually worked, it's not very safe since the error might have been one that made catalog access nonfunctional. A side effect of the fix is that messages about data conversion errors will now mention the query's table and column aliases (if used) rather than the true underlying name of a foreign table or column.
Improve the isolation-test infrastructure (Tom Lane, Michael Paquier)
Allow isolation test steps to be annotated to show the expected completion order. This allows getting stable results from otherwise-racy test cases, without the long delays that we previously used (not entirely successfully) to fend off race conditions. Allow non-quoted identifiers as isolation test session/step names (formerly, all such names had to be double-quoted). Detect and warn about unused steps in isolation tests. Improve display of query results in isolation tests. Remove isolationtester's “dry-run” mode. Remove memory leaks in isolationtester itself.
Reduce overhead of cache-clobber testing (Tom Lane)
Fix PL/Python's regression tests to pass with Python 3.10 (Honza Horak)
printf("%s", NULL) print
(null) instead of crashing (Tom Lane)
This should improve server robustness in corner cases, and it syncs our
printf implementation with common libraries.
Fix incorrect log message when point-in-time recovery stops at a
ROLLBACK PREPARED record (Simon Riggs)
Clarify error messages referring to “non-negative” values (Bharath Rupireddy)
Fix configure to work with OpenLDAP 2.5, which no longer has a separate
libldap_r library (Adrian Ho, Tom Lane)
If there is no
libldap_r library, we now silently assume that
libldap is thread-safe.
Add new make targets
install-world-bin (Andrew Dunstan)
These are the same as
install-world respectively, except that they do not build or install the documentation.
Fix make rule for TAP tests (
prove_installcheck) to work in PGXS usage (Andrew Dunstan)
Allow PostgreSQL version 10 to build with ICU 69 and newer (Peter Eisentraut)
Avoid assuming that strings returned by GSSAPI libraries are null-terminated (Tom Lane)
The GSSAPI spec provides for a string pointer and length. It seems that in practice the next byte after the string is usually zero, so that our previous coding didn't actually fail; but we do have a report of AddressSanitizer complaints.
Enable building with GSSAPI on MSVC (Michael Paquier)
Fix various incompatibilities with modern Kerberos builds.
In MSVC builds, include
--with-pgport in the set of configure options reported by pg_config, if it had been specified (Andrew Dunstan)
If you see anything in the documentation that is not correct, does not match your experience with the particular feature or requires further clarification, please use this form to report a documentation issue.