Release date: 2015-02-05
This release contains a variety of fixes from 9.2.9. For information about new features in the 9.2 major release, see Section E.109.
A dump/restore is not required for those running 9.2.X.
However, if you are a Windows user and are using the “Norwegian (Bokmål)” locale, manual action is needed after the upgrade to replace any “Norwegian (Bokmål)_Norway” locale names stored in PostgreSQL system catalogs with the plain-ASCII alias “Norwegian_Norway”. For details see http://wiki.postgresql.org/wiki/Changes_To_Norwegian_Locale
Also, if you are upgrading from a version earlier than 9.2.9, see Section E.100.
Fix buffer overruns in
to_char() (Bruce Momjian)
a numeric formatting template calling for a large number
of digits, PostgreSQL
would read past the end of a buffer. When processing a
crafted timestamp formatting template, PostgreSQL would write past the end
of a buffer. Either case could crash the server. We have
not ruled out the possibility of attacks that lead to
privilege escalation, though they seem unlikely.
Fix buffer overrun in replacement
*printf() functions (Tom Lane)
PostgreSQL includes a
replacement implementation of
printf and related functions. This code
will overrun a stack buffer when formatting a floating
point number (conversion specifiers
G) with requested precision
greater than about 500. This will crash the server, and
we have not ruled out the possibility of attacks that
lead to privilege escalation. A database user can trigger
such a buffer overrun through the
to_char() SQL function. While that is
the only affected core PostgreSQL functionality, extension
modules that use printf-family functions may be at risk
This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of these functions where adequate, which it is on other modern platforms. (CVE-2015-0242)
Fix buffer overruns in
contrib/pgcrypto (Marko Tiikkaja, Noah
Errors in memory size tracking within the
pgcrypto module permitted stack buffer
overruns and improper dependence on the contents of
uninitialized memory. The buffer overrun cases can crash
the server, and we have not ruled out the possibility of
attacks that lead to privilege escalation.
Fix possible loss of frontend/backend protocol synchronization after an error (Heikki Linnakangas)
If any error occurred while the server was in the middle of reading a protocol message from the client, it could lose synchronization and incorrectly try to interpret part of the message's data as a new protocol message. An attacker able to submit crafted binary data within a command parameter might succeed in injecting his own SQL commands this way. Statement timeout and query cancellation are the most likely sources of errors triggering this scenario. Particularly vulnerable are applications that use a timeout and also submit arbitrary user-crafted data as binary query parameters. Disabling statement timeout will reduce, but not eliminate, the risk of exploit. Our thanks to Emil Lenngren for reporting this issue. (CVE-2015-0244)
Fix information leak via constraint-violation error messages (Stephen Frost)
Some server error messages show the values of columns
that violate a constraint, such as a unique constraint.
If the user does not have
SELECT privilege on all columns of the
table, this could mean exposing values that the user
should not be able to see. Adjust the code so that values
are displayed only when they came from the SQL command or
could be selected by the user. (CVE-2014-8161)
Lock down regression testing's temporary installations on Windows (Noah Misch)
Use SSPI authentication to allow connections only from the OS user who launched the test suite. This closes on Windows the same vulnerability previously closed on other platforms, namely that other users might be able to connect to the test postmaster. (CVE-2014-0067)
Cope with the Windows locale named “Norwegian (Bokmål)” (Heikki Linnakangas)
Non-ASCII locale names are problematic since it's not clear what encoding they should be represented in. Map the troublesome locale name to a plain-ASCII alias, “Norwegian_Norway”.
Avoid possible data corruption if
ALTER DATABASE SET TABLESPACE is used to
move a database to a new tablespace and then shortly
later move it back to its original tablespace (Tom
Avoid corrupting tables when
ANALYZE inside a transaction is rolled
back (Andres Freund, Tom Lane, Michael Paquier)
If the failing transaction had earlier removed the
last index, rule, or trigger from the table, the table
would be left in a corrupted state with the relevant
pg_class flags not set
though they should be.
Ensure that unlogged tables are copied correctly
CREATE DATABASE or
ALTER DATABASE SET
TABLESPACE (Pavan Deolasee, Andres Freund)
searching to correctly handle the case where a table
column is recursively visited before its table (Petr
Jelinek, Tom Lane)
This case is only known to arise when an extension
creates both a datatype and a table using that datatype.
The faulty code might refuse a
CASCADE is specified, which should not
Fix use-of-already-freed-memory problem in EvalPlanQual processing (Tom Lane)
READ COMMITTED mode,
queries that lock or update recently-updated rows could
crash as a result of this bug.
Fix planning of
UPDATE when using a partial index on a child table
READ COMMITTED mode,
SELECT FOR UPDATE must also
recheck the partial index's
WHERE condition when rechecking a
recently-updated row to see if it still satisfies the
This requirement was missed if the index belonged to an
inheritance child table, so that it was possible to
incorrectly return rows that no longer satisfy the query
Fix corner case wherein
FOR UPDATE could return a row twice, and possibly
miss returning other rows (Tom Lane)
READ COMMITTED mode, a
SELECT FOR UPDATE that is
scanning an inheritance tree could incorrectly return a
row from a prior child table instead of the one it should
return from a later child table.
Reject duplicate column names in the
referenced-columns list of a
FOREIGN KEY declaration (David
This restriction is per SQL standard. Previously we did not reject the case explicitly, but later on the code would fail with bizarre-looking errors.
Restore previous behavior of conversion of domains to JSON (Tom Lane)
This change causes domains over numeric and boolean to be treated like their base types for purposes of conversion to JSON. It worked like that before 9.3.5 and 9.2.9, but was unintentionally changed while fixing a related problem.
Fix bugs in raising a
numeric value to a large integral power
The previous code could get a wrong answer, or consume excessive amounts of time and memory before realizing that the answer must overflow.
truncate away any fractional digits that would be hidden
according to the value's
dscale field (Tom Lane)
numeric value's display
dscale) should never
be less than the number of nonzero fractional digits; but
apparently there's at least one broken client application
that transmits binary
values in which that's true. This leads to strange
behavior since the extra digits are taken into account by
arithmetic operations even though they aren't printed.
The least risky fix seems to be to truncate away such
“hidden” digits on receipt, so that
the value is indeed what it prints as.
Fix incorrect search for shortest-first regular expression matches (Tom Lane)
Matching would often fail when the number of allowed
iterations is limited by a
quantifier or a bound expression.
Reject out-of-range numeric timezone specifications (Tom Lane)
Simple numeric timezone specifications exceeding +/- 168 hours (one week) would be accepted, but could then cause null-pointer dereference crashes in certain operations. There's no use-case for such large UTC offsets, so reject them.
Fix bugs in
tsquery operator (Heikki Linnakangas)
Two different terms would be considered to match if they had the same CRC. Also, if the second operand had more terms than the first, it would be assumed not to be contained in the first; which is wrong since it might contain duplicate terms.
Improve ispell dictionary's defenses against bad affix files (Tom Lane)
Allow more than 64K phrases in a thesaurus dictionary (David Boutin)
The previous coding could crash on an oversize dictionary, so this was deemed a back-patchable bug fix rather than a feature addition.
Fix namespace handling in
xpath() (Ali Akbar)
resulting from an
call would not have namespace declarations if the
namespace declarations were attached to an ancestor
element in the input
rather than to the specific element being returned.
Propagate the ancestral declaration so that the result is
correct when considered in isolation.
Ensure that whole-row variables expose nonempty column names to functions that pay attention to column names within composite arguments (Tom Lane)
In some contexts, constructs like
row_to_json(tab.*) may not produce the
expected column names. This is fixed properly as of 9.4;
in older branches, just ensure that we produce some
nonempty name. (In some cases this will be the underlying
table's column name rather than the query-assigned alias
that should theoretically be visible.)
Fix mishandling of system columns, particularly
tableoid, in FDW queries
as an index qualifier if that leads to an inferior plan
indexed_column = ANY
In some cases,
conditions applied to non-first index columns would be
done as index conditions even though it would be better
to use them as simple filter conditions.
Fix planner problems with nested append relations,
such as inherited tables within
UNION ALL subqueries (Tom Lane)
Fail cleanly when a GiST index tuple doesn't fit on a page, rather than going into infinite recursion (Andrew Gierth)
Exempt tables that have per-table
cost_delay settings from autovacuum's
global cost balancing rules (Álvaro Herrera)
The previous behavior resulted in basically ignoring these per-table settings, which was unintended. Now, a table having such settings will be vacuumed using those settings, independently of what is going on in other autovacuum workers. This may result in heavier total I/O load than before, so such settings should be re-examined for sanity.
Avoid wholesale autovacuuming when autovacuum is nominally off (Tom Lane)
Even when autovacuum is nominally off, we will still launch autovacuum worker processes to vacuum tables that are at risk of XID wraparound. However, such a worker process then proceeded to vacuum all tables in the target database, if they met the usual thresholds for autovacuuming. This is at best pretty unexpected; at worst it delays response to the wraparound threat. Fix it so that if autovacuum is turned off, workers only do anti-wraparound vacuums and not any other work.
During crash recovery, ensure that unlogged relations are rewritten as empty and are synced to disk before recovery is considered complete (Abhijit Menon-Sen, Andres Freund)
This prevents scenarios in which unlogged relations might contain garbage data following database crash recovery.
Fix race condition between hot standby queries and replaying a full-page image (Heikki Linnakangas)
This mistake could result in transient errors in queries being executed in hot standby.
Fix several cases where recovery logic improperly
ignored WAL records for
COMMIT/ABORT PREPARED (Heikki
The most notable oversight was that
recovery_target_xid could not be used to
stop at a two-phase commit.
Prevent latest WAL file from being archived a second time at completion of crash recovery (Fujii Masao)
Avoid creating unnecessary
.ready marker files for timeline
history files (Fujii Masao)
Fix possible null pointer dereference when an empty
prepared statement is used and the
log_statement setting is
Change “pgstat wait timeout” warning message to be LOG level, and rephrase it to be more understandable (Tom Lane)
This message was originally thought to be essentially a can't-happen case, but it occurs often enough on our slower buildfarm members to be a nuisance. Reduce it to LOG level, and expend a bit more effort on the wording: it now reads “using stale statistics instead of current ones because stats collector is not responding”.
Fix SPARC spinlock implementation to ensure correctness if the CPU is being run in a non-TSO coherency mode, as some non-Solaris kernels do (Andres Freund)
Warn if macOS's
setlocale() starts an unwanted extra
thread inside the postmaster (Noah Misch)
Fix processing of repeated
dbname parameters in
PQconnectdbParams() (Alex Shulgin)
Unexpected behavior ensued if the first occurrence of
dbname contained a
connection string or URI to be expanded.
Ensure that libpq reports a suitable error message on unexpected socket EOF (Marko Tiikkaja, Tom Lane)
Depending on kernel behavior, libpq might return an empty error string rather than something useful when the server unexpectedly closed the socket.
Clear any old error message during
PQreset() (Heikki Linnakangas)
PQreset() is called
repeatedly, and the connection cannot be re-established,
error messages from the failed connection attempts kept
accumulating in the
PGconn's error string.
Properly handle out-of-memory conditions while parsing connection options in libpq (Alex Shulgin, Heikki Linnakangas)
Fix array overrun in ecpg's version of
ParseDateTime() (Michael Paquier)
In initdb, give a clearer error message if a password file is specified but is empty (Mats Erik Andersson)
\s command to work nicely
with libedit, and add pager support (Stepan Rutz, Tom
When using libedit rather than readline,
\s printed the command history in a
fairly unreadable encoded format, and on recent libedit
versions might fail altogether. Fix that by printing the
history ourselves rather than having the library do it. A
pleasant side-effect is that the pager is used if
This patch also fixes a bug that caused newline encoding to be applied inconsistently when saving the command history with libedit. Multiline history entries written by older psql versions will be read cleanly with this patch, but perhaps not vice versa, depending on the exact libedit versions involved.
Improve consistency of parsing of psql's special variables (Tom Lane)
Allow variant spellings of
ON_ERROR_ROLLBACK. Report a warning for
unrecognized values for
VERBOSITY. Recognize all values for all
these variables case-insensitively; previously there was
a mishmash of case-sensitive and case-insensitive
expanded-mode display to work consistently when using
border = 3 and
unicode (Stephen Frost)
Improve performance of pg_dump when the database contains many instances of multiple dependency paths between the same two objects (Tom Lane)
Fix pg_dumpall to restore its ability to dump from pre-8.1 servers (Gilles Darold)
Fix possible deadlock during parallel restore of a schema-only dump (Robert Haas, Tom Lane)
Fix core dump in
--binary-upgrade on zero-column composite type
Prevent WAL files created by
pg_basebackup -x/-X from being archived
again when the standby is promoted (Andres Freund)
Fix failure of
contrib/auto_explain to print per-node
timing information when doing
EXPLAIN ANALYZE (Tom Lane)
Fix upgrade-from-unpackaged script for
contrib/citext (Tom Lane)
Fix block number checking in
get_raw_page() (Tom Lane)
The incorrect checking logic could prevent access to some pages in non-main relation forks.
pgp_sym_decrypt() to not
fail on messages whose length is 6 less than a power of 2
Fix file descriptor leak in
contrib/pg_test_fsync (Jeff Janes)
This could cause failure to remove temporary files on Windows.
Handle unexpected query results, especially NULLs,
connectby() (Michael Paquier)
crashed if it encountered a NULL key value. It now prints
that row but doesn't recurse further.
Avoid a possible crash in
xslt_process() (Mark Simonetti)
libxslt seems to have an undocumented dependency on the order in which resources are freed; reorder our calls to avoid a crash.
functions with correct volatility properties (Tom
The previous over-conservative marking was immaterial in normal use, but could cause optimization problems or rejection of valid index expression definitions. Since the consequences are not large, we've just adjusted the function definitions in the extension modules' scripts, without changing version numbers.
Numerous cleanups of warnings from Coverity static code analyzer (Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier)
These changes are mostly cosmetic but in some cases fix corner-case bugs, for example a crash rather than a proper error report after an out-of-memory failure. None are believed to represent security issues.
Detect incompatible OpenLDAP versions during build (Noah Misch)
With OpenLDAP versions 2.4.24 through 2.4.31,
backends can crash at exit. Raise a warning during
configure based on the
compile-time OpenLDAP version number, and test the
crashing scenario in the
contrib/dblink regression test.
In non-MSVC Windows builds, ensure
libpq.dll is installed with execute
permissions (Noah Misch)
Make pg_regress remove any temporary installation it created upon successful exit (Tom Lane)
This results in a very substantial reduction in disk
space usage during
check-world, since that sequence involves creation
of numerous temporary installations.
Support time zone abbreviations that change UTC offset from time to time (Tom Lane)
Previously, PostgreSQL assumed that the UTC
offset associated with a time zone abbreviation (such as
EST) never changes in the
usage of any particular locale. However this assumption
fails in the real world, so introduce the ability for a
zone abbreviation to represent a UTC offset that
sometimes changes. Update the zone abbreviation
definition files to make use of this feature in timezone
locales that have changed the UTC offset of their
abbreviations since 1970 (according to the IANA timezone
database). In such timezones, PostgreSQL will now associate the
correct UTC offset with the abbreviation depending on the
Update time zone abbreviations lists (Tom Lane)
Add CST (China Standard Time) to our lists. Remove references to ADT as “Arabia Daylight Time”, an abbreviation that's been out of use since 2007; therefore, claiming there is a conflict with “Atlantic Daylight Time” doesn't seem especially helpful. Fix entirely incorrect GMT offsets for CKT (Cook Islands), FJT, and FJST (Fiji); we didn't even have them on the proper side of the date line.
Update time zone data files to tzdata release 2015a.
The IANA timezone database has adopted abbreviations
of the form
A for all
Australian time zones, reflecting what they believe to be
current majority practice Down Under. These names do not
conflict with usage elsewhere (other than ACST for Acre
Summer Time, which has been in disuse since 1994).
Accordingly, adopt these names into our “Default”
timezone abbreviation set. The “Australia”
abbreviation set now contains only CST, EAST, EST, SAST,
SAT, and WST, all of which are thought to be mostly
historical usage. Note that SAST has also been changed to
be South Africa Standard Time in the “Default”
Also, add zone abbreviations SRET (Asia/Srednekolymsk) and XJT (Asia/Urumqi), and use WSST/WSDT for western Samoa. Also, there were DST law changes in Chile, Mexico, the Turks & Caicos Islands (America/Grand_Turk), and Fiji. There is a new zone Pacific/Bougainville for portions of Papua New Guinea. Also, numerous corrections for historical (pre-1970) time zone data.
If you see anything in the documentation that is not correct, does not match your experience with the particular feature or requires further clarification, please use this form to report a documentation issue.