Release date: 2018-03-01
This release contains a variety of fixes from 10.2. For information about new features in major release 10, see Section E.7.
A dump/restore is not required for those running 10.X.
However, if you run an installation in which not all users are mutually trusting, or if you maintain an application or extension that is intended for use in arbitrary situations, it is strongly recommended that you read the documentation changes described in the first changelog entry below, and take suitable steps to ensure that your installation or code is secure.
Also, the changes described in the second changelog entry below may cause functions used in index expressions or materialized views to fail during auto-analyze, or when reloading from a dump. After upgrading, monitor the server logs for such problems, and fix affected functions.
Also, if you are upgrading from a version earlier than 10.2, see Section E.5.
Document how to configure installations and applications to guard against search-path-dependent trojan-horse attacks from other users (Noah Misch)
setting that includes any schemas writable by a hostile
user enables that user to capture control of queries and
then run arbitrary SQL code with the permissions of the
attacked user. While it is possible to write queries that
are proof against such hijacking, it is notationally
tedious, and it's very easy to overlook holes. Therefore,
we now recommend configurations in which no untrusted
schemas appear in one's search path. Relevant
documentation appears in Section 5.8.6 (for
database administrators and users), Section 34.1
(for application authors), Section 38.16.1
(for extension authors), and CREATE
FUNCTION (for authors of
SECURITY DEFINER functions).
Avoid use of insecure
search_path settings in pg_dump and other client programs
(Noah Misch, Tom Lane)
pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications
were themselves vulnerable to the type of hijacking
described in the previous changelog entry; since these
applications are commonly run by superusers, they present
particularly attractive targets. To make them secure
whether or not the installation as a whole has been
secured, modify them to include only the
pg_catalog schema in their
Autovacuum worker processes now do the same, as well.
In cases where user-provided functions are indirectly
executed by these programs — for example, user-provided
functions in index expressions — the tighter
search_path may result in errors, which
will need to be corrected by adjusting those
user-provided functions to not assume anything about what
search path they are invoked under. That has always been
good practice, but now it will be necessary for correct
Prevent logical replication from trying to ship changes for unpublishable relations (Peter Eisentraut)
A publication marked
TABLES would incorrectly ship changes in
materialized views and
information_schema tables, which are
supposed to be omitted from the change stream.
Fix misbehavior of concurrent-update rechecks with CTE references appearing in subplans (Tom Lane)
If a CTE (
reference) is used in an InitPlan or SubPlan, and the
query requires a recheck due to trying to update or lock
a concurrently-updated row, incorrect results could be
Fix planner failures with overlapping mergejoin clauses in an outer join (Tom Lane)
These mistakes led to “left and right pathkeys do not match in mergejoin” or “outer pathkeys do not match mergeclauses” planner errors in corner cases.
failure to preserve
relfrozenxid for materialized views
(Tom Lane, Andres Freund)
This oversight could lead to data corruption in
materialized views after an upgrade, manifesting as
“could not access
status of transaction” or “found xmin from before
relfrozenxid” errors. The problem would be
more likely to occur in seldom-refreshed materialized
views, or ones that were maintained only with
REFRESH MATERIALIZED VIEW
If such corruption is observed, it can be repaired by
refreshing the materialized view (without
Fix incorrect pg_dump output for some non-default sequence limit values (Alexey Bashtanov)
objects (Tom Lane)
An extended statistics object's schema was mislabeled in the dump's table of contents, possibly leading to the wrong results in a schema-selective restore. Its ownership was not correctly restored, either. Also, change the logic so that statistics objects are dumped/restored, or not, as independent objects rather than tying them to the dump/restore decision for the table they are on. The original definition could not scale to the planned future extension to cross-table statistics.
Fix incorrect reporting of PL/Python function names in
CONTEXT stacks (Tom
An error occurring within a nested PL/Python function
call (that is, one reached via a SPI query from another
PL/Python function) would result in a stack trace showing
the inner function's name twice, rather than the expected
results. Also, an error in a nested PL/Python
DO block could result in a
null pointer dereference crash on some platforms.
log_min_duration setting to range up to
INT_MAX, or about 24 days
instead of 35 minutes (Tom Lane)
Mark assorted GUC variables as
PGDLLIMPORT, to ease porting extension
modules to Windows (Metin Doslu)
If you see anything in the documentation that is not correct, does not match your experience with the particular feature or requires further clarification, please use this form to report a documentation issue.