Release date: 2017-08-10
This release contains a variety of fixes from 9.4.12. For information about new features in the 9.4 major release, see Section E.58.
A dump/restore is not required for those running 9.4.X.
However, if you use foreign data servers that make use of user passwords for authentication, see the first changelog entry below.
Also, if you are upgrading from a version earlier than 9.4.12, see Section E.46.
Further restrict visibility of
umoptions, to protect passwords
stored as user mapping options (Noah Misch)
The fix for CVE-2017-7486 was incorrect: it allowed a
user to see the options in her own user mapping, even if
she did not have
permission on the associated foreign server. Such options
might include a password that had been provided by the
server owner rather than the user herself. Since
does not show the options in such cases,
pg_user_mappings should not either.
By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, you will need to do the following:
Restart the postmaster after adding
allow_system_table_mods = true to
SYSTEM, you can use that to make the
configuration change, but you'll still need a
In each database of the cluster, run the following commands as superuser:
SET search_path = pg_catalog; CREATE OR REPLACE VIEW pg_user_mappings AS SELECT U.oid AS umid, S.oid AS srvid, S.srvname AS srvname, U.umuser AS umuser, CASE WHEN U.umuser = 0 THEN 'public' ELSE A.rolname END AS usename, CASE WHEN (U.umuser <> 0 AND A.rolname = current_user AND (pg_has_role(S.srvowner, 'USAGE') OR has_server_privilege(S.oid, 'USAGE'))) OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE')) OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user) THEN U.umoptions ELSE NULL END AS umoptions FROM pg_user_mapping U LEFT JOIN pg_authid A ON (A.oid = U.umuser) JOIN pg_foreign_server S ON (U.umserver = S.oid);
Do not forget to include the
template1 databases, or the
vulnerability will still exist in databases you
create later. To fix
template0, you'll need to
temporarily make it accept connections. In
PostgreSQL 9.5 and
later, you can use
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
and then after fixing
template0, undo that with
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
In prior versions, instead use
UPDATE pg_database SET datallowconn = true WHERE datname = 'template0'; UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';
Finally, remove the
configuration setting, and again restart the
Disallow empty passwords in all password-based authentication methods (Heikki Linnakangas)
libpq ignores empty
password specifications, and does not transmit them to
the server. So, if a user's password has been set to the
empty string, it's impossible to log in with that
password via psql or
clients. An administrator might therefore believe that
setting the password to empty is equivalent to disabling
password login. However, with a modified or
logging in could be possible, depending on which
authentication method is configured. In particular the
most common method,
accepted empty passwords. Change the server to reject
empty passwords in all cases. (CVE-2017-7546)
lo_put() check for
UPDATE privilege on the
target large object (Tom Lane, Michael Paquier)
lo_put() should surely
require the same permissions as
lowrite(), but the check was missing,
allowing any user to change the data in a large object.
Fix concurrent locking of tuple update chains (Álvaro Herrera)
If several sessions concurrently lock a tuple update chain with nonconflicting lock modes using an old snapshot, and they all succeed, it was possible for some of them to nonetheless fail (and conclude there is no live tuple version) due to a race condition. This had consequences such as foreign-key checks failing to see a tuple that definitely exists but is being updated concurrently.
Fix potential data corruption when freezing a tuple whose XMAX is a multixact with exactly one still-interesting member (Teodor Sigaev)
Avoid integer overflow and ensuing crash when sorting more than one billion tuples in-memory (Sergey Koposov)
On Windows, retry process creation if we fail to reserve the address range for our shared memory in the new process (Tom Lane, Amit Kapila)
This is expected to fix infrequent child-process-launch failures that are probably due to interference from antivirus products.
Fix low-probability corruption of shared predicate-lock hash table in Windows builds (Thomas Munro, Tom Lane)
Avoid logging clean closure of an SSL connection as though it were a connection reset (Michael Paquier)
Prevent sending SSL session tickets to clients (Tom Lane)
This fix prevents reconnection failures with ticket-aware client-side SSL code.
Fix code for setting tcp_keepalives_idle on Solaris (Tom Lane)
Fix statistics collector to honor inquiry messages issued just after a postmaster shutdown and immediate restart (Tom Lane)
Statistics inquiries issued within half a second of the previous postmaster shutdown were effectively ignored.
Ensure that the statistics collector's receive buffer size is at least 100KB (Tom Lane)
This reduces the risk of dropped statistics data on older platforms whose default receive buffer size is less than that.
Fix possible creation of an invalid WAL segment when a
standby is promoted just after it processes an
XLOG_SWITCH WAL record
Fix walsender to exit promptly when client requests shutdown (Tom Lane)
Fix SIGHUP and SIGUSR1 handling in walsender processes (Petr Jelinek, Andres Freund)
Prevent walsender-triggered panics during shutdown checkpoints (Andres Freund, Michael Paquier)
Fix unnecessarily slow restarts of walreceiver processes due to race condition in postmaster (Tom Lane)
Fix logical decoding failure with very wide tuples (Andres Freund)
Logical decoding crashed on tuples that are wider than
64KB (after compression, but with all data in-line). The
case arises only when
IDENTITY FULL is enabled for a table containing
Fix leakage of small subtransactions spilled to disk during logical decoding (Andres Freund)
This resulted in temporary files consuming excessive disk space.
Reduce the work needed to build snapshots during creation of logical-decoding slots (Andres Freund, Petr Jelinek)
The previous algorithm was infeasibly expensive on a server with a lot of open transactions.
Fix race condition that could indefinitely delay creation of logical-decoding slots (Andres Freund, Petr Jelinek)
Reduce overhead in processing syscache invalidation events (Tom Lane)
This is particularly helpful for logical decoding, which triggers frequent cache invalidation.
Fix cases where an
UPDATE assigns to more
than one element of a column that is of domain-over-array
type (Tom Lane)
Allow window functions to be used in sub-
SELECTs that are within the arguments of
an aggregate function (Tom Lane)
Move autogenerated array types out of the way during
ALTER ... RENAME (Vik
Previously, we would rename a conflicting
autogenerated array type out of the way during
CREATE; this fix extends
that behavior to renaming operations.
ALTER USER ...
SET accepts all the syntax variants that
ALTER ROLE ... SET does
Properly update dependency info when changing a
datatype I/O function's argument or return type from
opaque to the correct type
CREATE TYPE updates I/O
functions declared in this long-obsolete style, but it
forgot to record a dependency on the type, allowing a
DROP TYPE to
leave broken function definitions behind.
Reduce memory usage when
ANALYZE processes a
tsvector column (Heikki Linnakangas)
Fix unnecessary precision loss and sloppy rounding
when multiplying or dividing
money values by integers or floats (Tom
Tighten checks for whitespace in functions that parse
identifiers, such as
regprocedurein() (Tom Lane)
Depending on the prevailing locale, these functions could misinterpret fragments of multibyte characters as whitespace.
symbols from Perl while compiling PL/Perl (Ashutosh Sharma, Tom
This avoids portability problems, typically manifesting as a “handshake” mismatch during library load, when working with recent Perl versions.
In libpq, reset GSS/SASL and SSPI authentication state properly after a failed connection attempt (Michael Paquier)
Failure to do this meant that when falling back from SSL to non-SSL connections, a GSS/SASL failure in the SSL attempt would always cause the non-SSL attempt to fail. SSPI did not fail, but it leaked memory.
In psql, fix failure
COPY FROM STDIN is
ended with a keyboard EOF signal and then another
COPY FROM STDIN is attempted
This misbehavior was observed on BSD-derived platforms (including macOS), but not on most others.
Fix pg_dump and
pg_restore to emit
REFRESH MATERIALIZED VIEW
commands last (Tom Lane)
This prevents errors during dump/restore when a materialized view refers to tables owned by a different user.
Improve pg_dump/pg_restore's reporting of error conditions originating in zlib (Vladimir Kunschikov, Álvaro Herrera)
Fix pg_dump with the
--clean option to drop event
triggers as expected (Tom Lane)
It also now correctly assigns ownership of event triggers; before, they were restored as being owned by the superuser running the restore script.
Fix pg_dump to not emit invalid SQL for an empty operator class (Daniel Gustafsson)
Fix pg_dump output to stdout on Windows (Kuntal Ghosh)
A compressed plain-text dump written to stdout would contain corrupt data due to failure to put the file descriptor into binary mode.
print correct output for the
SELECT rule of a view whose columns have been
renamed (Tom Lane)
In some corner cases, pg_dump relies on
pg_get_ruledef() to dump views, so that
this error could result in dump/reload failures.
Fix dumping of outer joins with empty constraints,
such as the result of a
LEFT JOIN with no common columns (Tom Lane)
Fix dumping of function expressions in the
FROM clause in cases where
the expression does not deparse into something that looks
like a function call (Tom Lane)
Fix pg_basebackup output to stdout on Windows (Haribabu Kommi)
A backup written to stdout would contain corrupt data due to failure to put the file descriptor into binary mode.
Fix pg_upgrade to
ensure that the ending WAL record does not have wal_level =
minimum (Bruce Momjian)
This condition could prevent upgraded standby servers from reconnecting.
re-establish connections to remote servers after
ALTER SERVER or
ALTER USER MAPPING commands (Kyotaro
This ensures that option changes affecting connection parameters will be applied promptly.
cancellation of remote transaction control commands
(Robert Haas, Rafia Sabih)
This change allows us to quickly escape a wait for an unresponsive remote server in many more cases than previously.
MAX_SYSCACHE_CALLBACKS to provide more
room for extensions (Tom Lane)
-fpic, when building shared
libraries with gcc (Tom Lane)
This supports larger extension libraries on platforms where it makes a difference.
Fix unescaped-braces issue in our build scripts for Microsoft MSVC, to avoid a warning or error from recent Perl versions (Andrew Dunstan)
In MSVC builds, handle the case where the OpenSSL library is not within a
VC subdirectory (Andrew
In MSVC builds, add proper include path for libxml2 header files (Andrew Dunstan)
This fixes a former need to move things around in standard Windows installations of libxml2.
In MSVC builds, recognize a Tcl library that is named
tcl86.lib (Noah Misch)
In MSVC builds, honor
PROVE_FLAGS settings on
vcregress.pl's command line (Andrew
If you see anything in the documentation that is not correct, does not match your experience with the particular feature or requires further clarification, please use this form to report a documentation issue.