Release date: 2017-05-11
This release contains a variety of fixes from 9.2.20. For information about new features in the 9.2 major release, see Section E.109.
The PostgreSQL community will stop releasing updates for the 9.2.X release series in September 2017. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 9.2.X.
However, if you use foreign data servers that make use of user passwords for authentication, see the first changelog entry below.
Also, if you are upgrading from a version earlier than 9.2.20, see Section E.89.
Restrict visibility of
umoptions, to protect passwords
stored as user mapping options (Michael Paquier, Feike
The previous coding allowed the owner of a foreign
server object, or anyone he has granted server
USAGE permission to, to see
the options for all user mappings associated with that
server. This might well include passwords for other
users. Adjust the view definition to match the behavior
namely that these options are visible to the user being
mapped, or if the mapping is for
PUBLIC and the current user is the
server owner, or if the current user is a superuser.
By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, follow the corrected procedure shown in the changelog entry for CVE-2017-7547, in Section E.87.
Prevent exposure of statistical information via leaky operators (Peter Eisentraut)
Some selectivity estimation functions in the planner
will apply user-defined operators to values obtained from
pg_statistic, such as
most common values and histogram entries. This occurs
before table permissions are checked, so a nefarious user
could exploit the behavior to obtain these values for
table columns he does not have permission to read. To
fix, fall back to a default estimate if the operator's
implementation function is not certified leak-proof and
the calling user does not have permission to read the
table column whose statistics are needed. At least one of
these criteria is satisfied in most cases in practice.
Fix possible corruption of “init forks” of unlogged indexes (Robert Haas, Michael Paquier)
This could result in an unlogged index being set to an invalid state after a crash and restart. Such a problem would persist until the index was dropped and rebuilt.
Fix incorrect reconstruction of
pg_subtrans entries when a standby
server replays a prepared but uncommitted two-phase
transaction (Tom Lane)
In most cases this turned out to have no visible ill
effects, but in corner cases it could result in circular
pg_subtrans, potentially causing
infinite loops in queries that examine rows modified by
the two-phase transaction.
Ensure parsing of queries in extension scripts sees the results of immediately-preceding DDL (Julien Rouhaud, Tom Lane)
Due to lack of a cache flush step between commands in
an extension script file, non-utility queries might not
see the effects of an immediately preceding catalog
change, such as
ALTER TABLE ...
Skip tablespace privilege checks when
ALTER TABLE ... ALTER COLUMN TYPE
rebuilds an existing index (Noah Misch)
The command failed if the calling user did not
privilege for the tablespace containing the index. That
behavior seems unhelpful, so skip the check, allowing the
index to be rebuilt where it is.
ALTER TABLE ... VALIDATE
CONSTRAINT to not recurse to child tables when the
constraint is marked
INHERIT (Amit Langote)
This fix prevents unwanted “constraint does not exist” failures when no matching constraint is present in the child tables.
VACUUM to account
properly for pages that could not be scanned due to
conflicting page pins (Andrew Gierth)
This tended to lead to underestimation of the number
of tuples in the table. In the worst case of a small
VACUUM could incorrectly report that the
table contained no tuples, leading to very bad planning
Ensure that bulk-tuple-transfer loops within a hash join are interruptible by query cancel requests (Tom Lane, Thomas Munro)
produce valid output with
tableforest = false
(Thomas Munro, Peter Eisentraut)
Previously it failed to produce a wrapping
Improve performance of
pg_timezone_names view (Tom Lane,
Fix sloppy handling of corner-case errors from
close() (Tom Lane)
Neither of these system calls are likely to fail in
typical situations, but if they did,
fd.c could get quite confused.
Fix incorrect check for whether postmaster is running as a Windows service (Michael Paquier)
This could result in attempting to write to the event log when that isn't accessible, so that no logging happens at all.
Fix ecpg to support
COMMIT PREPARED and
ROLLBACK PREPARED (Masahiko
Fix a double-free error when processing dollar-quoted string literals in ecpg (Michael Meskes)
In pg_dump, fix incorrect schema and owner marking for comments and security labels of some types of database objects (Giuseppe Broccolo, Tom Lane)
In simple cases this caused no ill effects; but for example, a schema-selective restore might omit comments it should include, because they were not marked as belonging to the schema of their associated object.
Avoid emitting an invalid list file in
pg_restore -l when SQL object names
contain newlines (Tom Lane)
Replace newlines by spaces, which is sufficient to
make the output valid for
pg_restore -L's purposes.
Fix pg_upgrade to transfer comments and security labels attached to “large objects” (blobs) (Stephen Frost)
Previously, blobs were correctly transferred to the new database, but any comments or security labels attached to them were lost.
Improve error handling in
pg_file_write() function (Noah
Notably, it failed to detect errors reported by
leaking the previous unnamed connection when establishing
a new unnamed connection (Joe Conway)
Support OpenSSL 1.1.0 (Heikki Linnakangas, Andreas Karlsson, Tom Lane)
This is a back-patch of work previously done in newer branches; it's needed since many platforms are adopting newer OpenSSL versions.
Support Tcl 8.6 in MSVC builds (Álvaro Herrera)
Sync our copy of the timezone library with IANA release tzcode2017b (Tom Lane)
This fixes a bug affecting some DST transitions in January 2038.
Update time zone data files to tzdata release 2017b for DST law changes in Chile, Haiti, and Mongolia, plus historical corrections for Ecuador, Kazakhstan, Liberia, and Spain. Switch to numeric abbreviations for numerous time zones in South America, the Pacific and Indian oceans, and some Asian and Middle Eastern countries.
The IANA time zone database previously provided
textual abbreviations for all time zones, sometimes
making up abbreviations that have little or no currency
among the local population. They are in process of
reversing that policy in favor of using numeric UTC
offsets in zones where there is no evidence of real-world
use of an English abbreviation. At least for the time
being, PostgreSQL will
continue to accept such removed abbreviations for
timestamp input. But they will not be shown in the
nor used for output.
Use correct daylight-savings rules for POSIX-style time zone names in MSVC builds (David Rowley)
The Microsoft MSVC build scripts neglected to install
posixrules file in the
timezone directory tree. This resulted in the timezone
code falling back to its built-in rule about what DST
behavior to assume for a POSIX-style time zone name. For
historical reasons that still corresponds to the DST
rules the USA was using before 2007 (i.e., change on
first Sunday in April and last Sunday in October). With
this fix, a POSIX-style zone name will use the current
and historical DST transition dates of the
US/Eastern zone. If you don't want that,
or replace it with a copy of some other zone file (see
Section 8.5.3). Note
that due to caching, you may need to restart the server
to get such changes to take effect.
If you see anything in the documentation that is not correct, does not match your experience with the particular feature or requires further clarification, please use this form to report a documentation issue.