== PostgreSQL Weekly News - March 04 2018 ==

From: David Fetter <david(at)fetter(dot)org>
To: PostgreSQL Announce <pgsql-announce(at)postgresql(dot)org>
Subject: == PostgreSQL Weekly News - March 04 2018 ==
Date: 2018-03-04 20:18:17
Message-ID: 20180304201817.GA16953@fetter.org
Views: Raw Message | Whole Thread | Download mbox
Lists: pgsql-announce

== PostgreSQL Weekly News - March 04 2018 ==

PostgreSQL security releases 10.3, 9.6.8, 9.5.12, 9.4.17, and 9.3.22 are out.
Please read the announcement below and upgrade as soon as possible.

== PostgreSQL Product News ==

pgFormatter 3.0, a formatter/beautifier for SQL code, released.

== PostgreSQL Jobs for March ==


== PostgreSQL Local ==

PostgreSQL(at)SCaLE is a two day, two track event which takes place on
March 8-9, 2018, at Pasadena Convention Center, as part of SCaLE 16X.

Nordic PGDay 2018 will be held in Oslo, Norway, at the Radisson Blu Hotel
Nydalen, on March 13, 2018. Registration is open and the schedule is posted.

pgDay Paris 2018 will be held in Paris, France at the Espace Saint-Martin, on
March 15 2018. Registration is open.

PGConf APAC 2018 will be held in Singapore March 22-23, 2018.

The German-speaking PostgreSQL Conference 2018 will take place on April 13th,
2018 in Berlin.

PGConfNepal 2018 will be held May 4-5, 2018 at Kathmandu University, Dhulikhel,

PGCon 2018 will take place in Ottawa on May 29 - June 1, 2018.

Swiss PGDay 2018 will take place in Rapperswil (near Zurich) on June 29, 2018.
The CfP is open February 6, 2018 through April 14, 2018, and registration is
open February 6, 2018 through June 28, 2018.

PGConf.Brazil 2018 will take place in São Paulo, Brazil on August 3-4 2018. The
CfP is open until February 28, 2018.

== PostgreSQL in the News ==

Planet PostgreSQL: http://planet.postgresql.org/

PostgreSQL Weekly News is brought to you this week by David Fetter

Submit news and announcements by Sunday at 3:00pm EST5EDT. Please send English
language ones to david(at)fetter(dot)org, German language to pwn(at)pgug(dot)de, Italian
language to pwn(at)itpug(dot)org(dot)

== Applied Patches ==

Robert Haas pushed:

- Add a new upper planner relation for partially-aggregated results. Up until
now, we've abused grouped_rel->partial_pathlist as a place to store partial
paths that have been partially aggregate, but that's really not correct,
because a partial path for a relation is supposed to be one which produces the
correct results with the addition of only a Gather or Gather Merge node, and
these paths also require a Finalize Aggregate step. Instead, add a new
partially_group_rel which can hold either partial paths (which need to be
gathered and then have aggregation finalized) or non-partial paths (which only
need to have aggregation finalized). This allows us to reuse
generate_gather_paths for partially_grouped_rel instead of writing new code,
so that this patch actually basically no net new code while making things
cleaner, simplifying things for pending patches for partition-wise aggregate.
Robert Haas and Jeevan Chalke. The larger patch series of which this patch is
a part was also reviewed and tested by Antonin Houska, Rajkumar Raghuwanshi,
David Rowley, Dilip Kumar, Konstantin Knizhnik, Pascal Legrand, Rafia Sabih,
and me. Discussion:

- Minor cleanup of code related to partially_grouped_rel. Jeevan Chalke

- Fix logic error in add_paths_to_partial_grouping_rel. Commit
3bf05e096b9f8375e640c5d7996aa57efd7f240c sometimes uses the
cheapest_partial_path variable in this function to mean the cheapest one from
the input rel and at other times the cheapest one from the partially grouped
rel, but it never resets it, so we can end up with bad plans, leading to
"ERROR: Aggref found in non-Agg plan node". Jeevan Chalke, per a report from
Andreas Joseph Krogh and a separate off-list report from Rajkumar Raghuwanshi

- doc: Fix grammar. Michael Paquier Discussion:

- Update and improve comments. Commits 6f6b99d1335be8ea1b74581fc489a97b109dd08a
and f3b0897a1213f46b4d3a99a7f8ef3a4b32e03572 didn't properly update these
comments. Etsuro Fujita, reviewed by Amit Langote Discussion:

- postgres_fdw: Third attempt to stabilize regression tests. Commit
1bc0100d270e5bcc980a0629b8726a32a497e788 added this test, and commit
882ea509fe7a4711fe25463427a33262b873dfa1 tried to stabilize it. There were
still failures, so commit 958e20e42d6c346ab89f6c72e4262230161d1663 tried again
to stabilize it. That approach is still failing on jaguarundi, though, so
back it out and try something else. Specifically, instead of disabling remote
estimates for the table in question, let's tell autovacuum to leave it alone.
Etsuro Fujita Discussion: http://postgr.es/m/5A82DCCE.3060107@lab.ntt.co.jp

- Fix assertion failure when Parallel Append is run serially. Parallel-aware
plan nodes must be prepared to run without parallelism if it's not possible at
execution time for whatever reason. Commit
ab72716778128fb63d54ac256adf7fe6820a1185, which introduced Parallel Append,
overlooked this. Rajkumar Raghuwanshi reported this problem, and I included
his test case in this patch. The code changes are by me. Discussion:

- Document LWTRANCHE_PARALLEL_HASH_JOIN. Thomas Munro Discussion:

- For partitionwise join, match on partcollation, not parttypcoll. The previous
code considered two tables to have the partition scheme if the underlying
columns had the same collation, but what we actually need to compare is not
the collations associated with the column but the collation used for
partitioning. Fix that. Robert Haas and Amit Langote Discussion:

- shm_mq: Reduce spinlock usage. Previously, mq_bytes_read and mq_bytes_written
were protected by the spinlock, but that turns out to cause pretty serious
spinlock contention on queries which send many tuples through a Gather or
Gather Merge node. This patches changes things so that we instead read and
write those values using 8-byte atomics. Since mq_bytes_read can only be
changed by the receiver and mq_bytes_written can only be changed by the
sender, the only purpose of the spinlock is to prevent reads and writes of
these values from being torn on platforms where 8-byte memory access is not
atomic, making the conversion fairly straightforward. Testing shows that this
produces some slowdown if we're using emulated 64-bit atomics, but since they
should be available on any platform where performance is a primary concern,
that seems OK. It's faster, sometimes a lot faster, on platforms where such
atomics are available. Patch by me, reviewed by Andres Freund, who also
suggested the design. Also tested by Rafia Sabih. Discussion:

- shm_mq: Have the receiver set the sender's less frequently. Instead of
marking data from the ringer buffer consumed and setting the sender's latch
for every message, do it only when the amount of data we can consume is at
least 1/4 of the size of the ring buffer, or when no data remains in the ring
buffer. This is dramatically faster in my testing; apparently, the savings
from sending signals less frequently outweighs the benefit of letting the
sender know about available buffer space sooner. Patch by me, reviewed by
Andres Freund and tested by Rafia Sabih. Discussion:

- postgres_fdw: Fourth attempt to stabilize regression tests. Commit
1bc0100d270e5bcc980a0629b8726a32a497e788 added this test, and commits
4fa396464e5fe238b7994535182f28318c61c78e tried to stabilize it. It's still
not stable, so keep trying. The latest comment from Tom Lane is that
disabling autovacuum seems like a good strategy, but we might need to do it on
more tables, hence this patch. Etsuro Fujita Discussion:

Peter Eisentraut pushed:

- Fix typo in internal error message.

- Fix warnings in man page build. The changes in the CREATE POLICY man page
from commit 87c2a17fee784c7e1004ba3d3c5d8147da676783 triggered a stylesheet
bug that created some warning messages and incorrect output. This installs a
workaround. Also improve the whitespace a bit so it looks better.

- doc: Improve man build speed. Turn off man.endnotes.are.numbered parameter,
which we don't need, but which increases performance vastly if off. Also turn
on man.output.quietly, which also makes things a bit faster, but which is also
less useful now as a progress indicator because the build is so fast now.

- Add prokind column, replacing proisagg and proiswindow. The new column
distinguishes normal functions, procedures, aggregates, and window functions.
This replaces the existing columns proisagg and proiswindow, and replaces the
convention that procedures are indicated by prorettype == 0. Also change
prorettype to be VOIDOID for procedures. Reviewed-by: Tom Lane
<tgl(at)sss(dot)pgh(dot)pa(dot)us> Reviewed-by: Michael Paquier <michael(at)paquier(dot)xyz>

- Add PG_TEST_EXTRA to control optional test suites. The SSL and LDAP test
suites are not run by default, as they are not secure for multi-user
environments. This commit adds an extra make variable to optionally enable
them, for example: make check-world PG_TEST_EXTRA='ldap ssl' Author: Michael
Paquier <michael(at)paquier(dot)xyz>

- In SSL tests, restart after pg_hba.conf changes. This prevents silently using
a wrong configuration, similar to b4e2ada347bd8ae941171bd0761462e5b11b765d.

- Prevent LDAP and SSL tests from running without support in build. Add checks
in each test file that the build supports the feature, otherwise skip all the
tests. Before, if someone were to (accidentally) invoke these tests without
build support, they would fail in confusing ways. based on patch from Michael
Paquier <michael(at)paquier(dot)xyz>

- doc: Improve wording.

- Minor fixes for reloptions tests. Follow-up to
4b95cc1dc36c9d1971f757e9b519fcc442833f0e Author: Nikolay Shaplov

- doc: Fix links to pg_stat_replication. In PostgreSQL 9.5, the documentation
for pg_stat_replication was moved, so some of the links pointed to an
appropriate location. Author: Maksim Milyutin <milyutinma(at)gmail(dot)com>

- doc: Small wording improvement. Replace "checkpoint segment" with "WAL
segment". Reported-by: Maksim Milyutin <milyutinma(at)gmail(dot)com>

- PL/pgSQL: Simplify RETURN checking for procedures. Check at compile time that
RETURN in a procedure does not specify a parameter, rather than at run time.

Álvaro Herrera pushed:

- Update PartitionTupleRouting struct comment. Small review on edd44738bc88.
Discussion: https://postgr.es/m/20180222165315.k27qfn4goskhoswj@alvherre.pgsql
Reviewed-by: Robert Haas, Amit Langote

- Relax overly strict sanity check for upgraded ancient databases. Commit
4800f16a7ad0 added some sanity checks to ensure we don't accidentally corrupt
data, but in one of them we failed to consider the effects of a database
upgraded from 9.2 or earlier, where a tuple exclusively locked prior to the
upgrade has a slightly different bit pattern. Fix that by using the macro
that we fixed in commit 74ebba84aeb6 for similar situations. Reported-by:
Alexandre Garcia Reviewed-by: Andres Freund Discussion:
Andres suspects that this bug may have wider ranging consequences, but I
couldn't find anything.

Tom Lane pushed:

- Improve regression test coverage of regress.c. It's a bit silly to have test
functions that aren't tested, so test them. In passing, rename
int44in/int44out to city_budget_in/_out so that they match how the regression
tests use them. Also, fix city_budget_out so that it emits the format
city_budget_in expects to read; otherwise we'd have dump/reload failures when
testing pg_dump against the regression database. (We avoided that in the past
only because no data of type city_budget was actually stored anywhere.)
Discussion: https://postgr.es/m/29322.1519701006@sss.pgh.pa.us

- Remove unused functions in regress.c. This patch removes five functions that
presumably were once used in the regression tests, but haven't been so used in
many years. Nonetheless we've been wasting maintenance effort on them (e.g.,
by converting them to V1 function protocol). I see no reason to think that
reviving them would add any useful test coverage, so drop 'em. In passing,
mark regress_lseg_construct static, since it's not called from outside this
file. Discussion: https://postgr.es/m/29322.1519701006@sss.pgh.pa.us

- Prevent dangling-pointer access when update trigger returns old tuple. A
before-update row trigger may choose to return the "new" or "old" tuple
unmodified. ExecBRUpdateTriggers failed to consider the second possibility,
and would proceed to free the "old" tuple even if it was the one returned,
leading to subsequent access to already-deallocated memory. In debug builds
this reliably leads to an "invalid memory alloc request size" failure; in
production builds it might accidentally work, but data corruption is also
possible. This is a very old bug. There are probably a couple of reasons it
hasn't been noticed up to now. It would be more usual to return NULL if one
wanted to suppress the update action; returning "old" is significantly less
efficient since the update will occur anyway. Also, none of the standard PLs
would ever cause this because they all returned freshly-manufactured tuples
even if they were just copying "old". But commit 4b93f5799 changed that for
plpgsql, making it possible to see the bug with a plpgsql trigger. Still,
this is certainly legal behavior for a trigger function, so it's
ExecBRUpdateTriggers's fault not plpgsql's. It seems worth creating a test
case that exercises returning "old" directly with a C-language trigger;
testing this through plpgsql seems unreliable because its behavior might
change again. Report and fix by Rushabh Lathia; regression test case by me.
Back-patch to all supported branches. Discussion:

- Revert renaming of int44in/int44out. This seemed like a good idea in commit
be42eb9d6, but it causes more trouble than it's worth for cross-branch upgrade
testing. Discussion: https://postgr.es/m/11927.1519756619@sss.pgh.pa.us

- Use the correct tuplestore read pointer in a NamedTuplestoreScan. Tom
Kazimiers reported that transition tables don't work correctly when they are
scanned by more than one executor node. That's because commit 18ce3a4ab
allocated separate read pointers for each executor node, as it must, but
failed to make them active at the appropriate times. Repair. Thomas Munro

- Fix up ecpg's configuration so it handles "long long int" in MSVC builds.
Although configure-based builds correctly define HAVE_LONG_LONG_INT when
appropriate (in both pg_config.h and ecpg_config.h), builds using the MSVC
scripts failed to do so. This currently has no impact on the backend, since
it uses that symbol nowhere; but it does prevent ecpg from supporting "long
long int". Fix that. Also, adjust Solution.pm so that in the constructed
ecpg_config.h file, the "#if (_MSC_VER > 1200)" covers only the
LONG_LONG_INT-related #defines, not the whole file. AFAICS this was a thinko
on somebody's part: ENABLE_THREAD_SAFETY should always be defined in Windows
builds, and in branches using USE_INTEGER_DATETIMES, the setting of that
shouldn't depend on the compiler version either. If I'm wrong, I imagine the
buildfarm will say so. Per bug #15080 from Jonathan Allen; issue diagnosed by
Michael Meskes and Andrew Gierth. Back-patch to all supported branches.

- Remove restriction on SQL block length in isolationtester scanner.
specscanner.l had a fixed limit of 1024 bytes on the length of individual SQL
stanzas in an isolation test script. People are starting to run into that, so
fix it by making the buffer resizable. Once we allow this in HEAD, it seems
inevitable that somebody will try to back-patch a test that exceeds the old
limit, so back-patch this change as a preventive measure. Daniel Gustafsson
Discussion: https://postgr.es/m/8D628BE4-6606-4FF6-A3FF-8B2B0E9B43D0@yesql.se

- Rename base64 routines to avoid conflict with Solaris built-in functions.
Solaris 11.4 has built-in functions named b64_encode and b64_decode. Rename
ours to something else to avoid the conflict (fortunately, ours are static so
the impact is limited). One could wish for less duplication of code in this
area, but that would be a larger patch and not very suitable for
back-patching. Since this is a portability fix, we want to put it into all
supported branches. Report and initial patch by Rainer Orth, reviewed and
adjusted a bit by Michael Paquier Discussion:

- Doc: remove duplicate poly_ops row from SP-GiST opclass table. Commit
ff963b393 added two identical copies of this row. Dagfinn Ilmari Mannsåker
Discussion: https://postgr.es/m/d8j8tdevb7x.fsf@dalvik.ping.uio.no

- Remove redundant IndexTupleDSize macro. Use IndexTupleSize everywhere,
instead. Also, remove IndexTupleSize's internal typecast, as that's not
really needed and might mask coding errors. Change some pointer variable
datatypes in the call sites to compensate for that and make it clearer what
we're assuming. Ildar Musin, Robert Haas, Stephen Frost Discussion:

- Avoid using unsafe search_path settings during dump and restore.
Historically, pg_dump has "set search_path = foo, pg_catalog" when dumping an
object in schema "foo", and has also caused that setting to be used while
restoring the object. This is problematic because functions and operators in
schema "foo" could capture references meant to refer to pg_catalog entries,
both in the queries issued by pg_dump and those issued during the subsequent
restore run. That could result in dump/restore misbehavior, or in privilege
escalation if a nefarious user installs trojan-horse functions or operators.
This patch changes pg_dump so that it does not change the search_path
dynamically. The emitted restore script sets the search_path to what was used
at dump time, and then leaves it alone thereafter. Created objects are placed
in the correct schema, regardless of the active search_path, by dint of
schema-qualifying their names in the CREATE commands, as well as in subsequent
ALTER and ALTER-like commands. Since this change requires a change in the
behavior of pg_restore when processing an archive file made according to this
new convention, bump the archive file version number; old versions of
pg_restore will therefore refuse to process files made with new versions of
pg_dump. Security: CVE-2018-1058

- Last-minute updates for release notes. Security: CVE-2018-1058

- Schema-qualify references in test_ddl_deparse test script. This omission
seems to be what is causing buildfarm failures on crake. Security:

- Fix format_type() to restore its old behavior. Commit a26116c6c accidentally
changed the behavior of the SQL format_type() function while refactoring. For
the reasons explained in that function's comment, a NULL typemod argument
should behave differently from a -1 argument. Since we've managed to break
this, add a regression test memorializing the intended behavior. In passing,
be consistent about the type of the "flags" parameter. Noted by Rushabh
Lathia, though I revised the patch some more. Discussion:

- Remove out-of-date comment about formrdesc(). formrdesc's comment listed the
specific catalogs it is called for, but the list was out of date. Rather than
jumping back onto that maintenance treadmill, let's just remove the list. It
tells the reader nothing that can't be learned quickly and more reliably by
searching relcache.c for callers of formrdesc(). Oversight noted by Kyotaro
Horiguchi. Discussion:

- Fix IOS planning when only some index columns can return an attribute. Since
9.5, it's possible that some but not all columns of an index support returning
the indexed value for index-only scans. If the same indexed column appears in
index columns that behave both ways, check_index_only() supposed that it'd be
OK to do an index-only scan testing that column; but that fails if we have to
recheck the indexed condition on one of the columns that doesn't support this.
In principle we could make this work by remapping the recheck expressions to
pull the value from a column that does support returning the indexed value.
But such cases are so weird and rare that, at least for now, it doesn't seem
worth the trouble. Instead, just teach check_index_only that a value is
returnable only if all the index columns containing it are returnable, rather
than any of them. Per report from David Pereiro Lagares. Back-patch to 9.5
where the possibility of this situation appeared. Kyotaro Horiguchi
Discussion: https://postgr.es/m/1516210494.1798.16.camel@nlpgo.com

- Use ereport not elog for some corrupt-HOT-chain reports. These errors have
been seen in the field in corrupted-data situations. It seems worthwhile to
report them with ERRCODE_DATA_CORRUPTED, rather than the generic
ERRCODE_INTERNAL_ERROR, for the benefit of log monitoring and tools like
amcheck. However, use errmsg_internal so that the text strings still aren't
translated; it seems unlikely to be worth translators' time to do so.
Back-patch to 9.3, like the predecessor commit d70cf811f that introduced these
elog calls originally (replacing Asserts). Peter Geoghegan Discussion:

- Make gistvacuumcleanup() count the actual number of index tuples. Previously,
it just returned the heap tuple count, which might be only an estimate, and
would be completely the wrong thing if the index is partial. Since this
function scans every index page anyway to find free pages, it's practically
free to count the surviving index tuples. Let's do that and return an
accurate count. This is easily visible as a wrong reltuples value for a
partial GiST index following VACUUM, so back-patch to all supported branches.
Andrey Borodin, reviewed by Michail Nikolaev Discussion:

- Fix pgbench TAP test to work in VPATH builds. Previously, it'd try to create
log files under the source directory not the build directory. This fell over
if the source isn't writable by the building user. Fabien Coelho Discussion:

- Fix VM buffer pin management in heap_lock_updated_tuple_rec(). Sloppy coding
in this function could lead to leaking a VM buffer pin, or to attempting to
free the same pin twice. Repair. While at it, reduce the code's tendency to
free and reacquire the same page pin. Back-patch to 9.6; before that, this
routine did not concern itself with VM pages. Amit Kapila and Tom Lane

- Minor cleanup in genbki.pl. Separate out the pg_attribute logic of genbki.pl
into its own function. Drop unnecessary "defined $catalog->{data}" check.
This both narrows and shortens the data writing loop of the script. There is
no functional change (the emitted files are the same as before). John Naylor

- Trivial adjustments in preparation for bootstrap data conversion. Rationalize
a couple of macro names: * In catalog/pg_init_privs.h, rename
Anum_pg_init_privs_privs to Anum_pg_init_privs_initprivs to match the column's
actual name. * In ecpg, rename ZPBITOID to BITOID to match catalog/pg_type.h.
This reduces reader confusion, and will allow us to generate these macros
automatically in future. In catalog/pg_tablespace.h, fix the ordering of
related DATA and #define lines to agree with how it's done elsewhere. This
has no impact today, but simplifies life for the bootstrap data conversion
scripts. John Naylor Discussion:

- Fix assorted issues in convert_to_scalar(). If convert_to_scalar is passed a
pair of datatypes it can't cope with, its former behavior was just to
elog(ERROR). While this is OK so far as the core code is concerned, there's
extension code that would like to use scalarltsel/scalargtsel/etc as
selectivity estimators for operators that work on non-core datatypes, and this
behavior is a show-stopper for that use-case. If we simply allow
convert_to_scalar to return FALSE instead of outright failing, then the main
logic of scalarltsel/scalargtsel will work fine for any operator that behaves
like a scalar inequality comparison. The lack of conversion capability will
mean that we can't estimate to better than histogram-bin-width precision,
since the code will effectively assume that the comparison constant falls at
the middle of its bin. But that's still a lot better than nothing. (Someday
we should provide a way for extension code to supply a custom version of
convert_to_scalar, but today is not that day.) While poking at this issue, we
noted that the existing code for handling type bytea in convert_to_scalar is
several bricks shy of a load. It assumes without checking that if the
comparison value is type bytea, the bounds values are too; in the worst case
this could lead to a crash. It also fails to detoast the input values, so
that the comparison result is complete garbage if any input is toasted
out-of-line, compressed, or even just short-header. I'm not sure how often
such cases actually occur --- the bounds values, at least, are probably safe
since they are elements of an array and hence can't be toasted. But that
doesn't make this code OK. Back-patch to all supported branches, partly
because author requested that, but mostly because of the bytea bugs. The
change in API for the exposed routine convert_network_to_scalar() is
theoretically a back-patch hazard, but it seems pretty unlikely that any
third-party code is calling that function directly. Tomas Vondra, with some
adjustments by me Discussion:

Andres Freund pushed:

- pgbench: consolidate a few PQfinish calls. Author: Doug Rady Discussion:

- doc: Add random_zipfian to list of random functions with argument. Author:
Ildar Musin Reviewed-By: Fabian Coelho Discussion:

- doc: Add WaitForBackgroundWorkerShutdown() to bgw docs. Commit 924bcf4f16d
added WaitForBackgroundWorkerShutdown, but didn't add it to the documentation.
Fix that and two small spelling errors in the WaitForBackgroundWorkerStartup
paragraph. Author: Daniel Gustafsson Discussion:

- doc: mention PROVE_TESTS in section of TAP tests. Author: Michael Paquier
Discussion: https://postgr.es/m/20180217140305.GB31338@paquier.xyz

- pg_regress: Increase space available for test names. A few isolationtester
tests with reasonable names are too wide to nicely align. Increase space.
Author: Thomas Munro Discussion:

- Remove volatile qualifiers from shm_mq.c. Since commit 0709b7ee, spinlock
primitives include a compiler barrier so it is no longer necessary to access
either spinlocks or the memory they protect through pointer-to-volatile. Like
earlier commits e93b6298, d53e3d5f, 430008b5, 8f6bb851, df4077cd. Author:
Thomas Munro Discussion:

- Minor clean-up in dshash.{c,h}. For consistency with other code that deals in
numbers of buckets, the macro BUCKETS_PER_PARTITION should produce a value of
type size_t. Also, fix a mention of an obsolete proposed name for dshash.c
that appeared in a comment. Author: Thomas Munro, based on an observation
from Amit Kapila Discussion:

Noah Misch pushed:

- Document security implications of search_path and the public schema. The
ability to create like-named objects in different schemas opens up the
potential for users to change the behavior of other users' queries,
maliciously or accidentally. When you connect to a PostgreSQL server, you
should remove from your search_path any schema for which a user other than
yourself or superusers holds the CREATE privilege. If you do not, other users
holding CREATE privilege can redefine the behavior of your commands, causing
them to perform arbitrary SQL statements under your identity. "SET
search_path = ..." and "SELECT pg_catalog.set_config(...)" are not vulnerable
to such hijacking, so one can use either as the first command of a session.
As special exceptions, the following client applications behave as documented
regardless of search_path settings and schema privileges: clusterdb createdb
createlang createuser dropdb droplang dropuser ecpg (not programs it
generates) initdb oid2name pg_archivecleanup pg_basebackup pg_config
pg_controldata pg_ctl pg_dump pg_dumpall pg_isready pg_receivewal
pg_recvlogical pg_resetwal pg_restore pg_rewind pg_standby pg_test_fsync
pg_test_timing pg_upgrade pg_waldump reindexdb vacuumdb vacuumlo. Not
included are core client programs that run user-specified SQL commands, namely
psql and pgbench. PostgreSQL encourages non-core client applications to do
likewise. Document this in the context of libpq connections, psql
connections, dblink connections, ECPG connections, extension packaging, and
schema usage patterns. The principal defense for applications is "SELECT
pg_catalog.set_config('search_path', '', false)", and the principal defense
for databases is "REVOKE CREATE ON SCHEMA public FROM PUBLIC". Either one is
sufficient to prevent attack. After a REVOKE, consider auditing the public
schema for objects named like pg_catalog objects. Authors of SECURITY DEFINER
functions use some of the same defenses, and the CREATE FUNCTION reference
page already covered them thoroughly. This is a good opportunity to audit
SECURITY DEFINER functions for robust security practice. Back-patch to 9.3
(all supported versions). Reviewed by Michael Paquier and Jonathan S. Katz.
Reported by Arseniy Sharoglazov. Security: CVE-2018-1058

- Empty search_path in Autovacuum and non-psql/pgbench clients. This makes the
client programs behave as documented regardless of the connect-time
search_path and regardless of user-created objects. Today, a malicious user
with CREATE permission on a search_path schema can take control of certain of
these clients' queries and invoke arbitrary SQL functions under the client
identity, often a superuser. This is exploitable in the default
configuration, where all users have CREATE privilege on schema "public". This
changes behavior of user-defined code stored in the database, like
pg_index.indexprs and pg_extension_config_dump(). If they reach code bearing
unqualified names, "does not exist" or "no schema has been selected to create
in" errors might appear. Users may fix such errors by schema-qualifying
affected names. After upgrading, consider watching server logs for these
errors. The --table arguments of src/bin/scripts clients have been lax; for
example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint. That now
fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still performs a
checkpoint. Back-patch to 9.3 (all supported versions). Reviewed by Tom
Lane, though this fix strategy was not his first choice. Reported by Arseniy
Sharoglazov. Security: CVE-2018-1058

Fujii Masao pushed:

- Improve tab-completion for ALTER INDEX RESET/SET. Author: Masahiko Sawada

Magnus Hagander pushed:

- Fix msvc builds for ActivePerl > 5.24. From this version ActivePerl ships
both a .lib and a .a file for the perl library, which our code would detect as
there being no library available. Instead, we should pick the .lib version and
use that. Report and suggested fix in bug #15065 Author: Heath Lord

== Pending Patches ==

Ashutosh Bapat sent in another revision of a patch to improve the partition
matching algorithm for partition-wise JOINs.

Ashutosh Bapat sent in a patch to optimize nested ConvertRowtypeExpr execution.

Ildus Kurbangaliev sent in another revision of a patch to implement custom
compression methods.

Nikita Glukhov sent in another revision of a patch to implement SQL/JSON

Nikita Glukhov sent in another revision of a patch to implement SQL/JSON

Peter Eisentraut sent in another revision of a patch to add an
ssl_passphrase_command setting, which enables specifying an external command for
prompting for or otherwise obtaining passphrases for SSL key files.

Chapman Flack sent in a patch to add a regression test to numeric.sql that bits
aren't lost casting from float[48] to numeric and updates float4_numeric and
float8_numeric in a way that makes the test pass.

Takayuki Tsunakawa sent in two more revisions of a patch to fix a bug where
pg_rewind takes a long time because it mistakenly copies data files.

Thomas Munro sent in another revision of a patch to enable parallel query with
SERIALIZABLE isolation and enable the read-only SERIALIZABLE optimization for
parallel query.

Nikita Glukhov sent in another revision of a patch to implement JSONPATH.

Claudio Freire sent in five more revisions of a patch to update the FSM more
frequently during VACUUM.

Stephen Frost sent in a patch to rewrite the pg_dump TAP tests.

Jeevan Chalke and Rafia Sabih traded patches to implement partition-wise

Amit Langote and Robert Haas traded patches to prune partitions faster.

Atsushi Torikoshi sent in a patch to fix a typo in walsender.c.

Etsuro Fujita sent in another revision of a patch to support tuple routing to
foreign partitions.

David Steele sent in two more revisions of a patch to exclude unlogged tables
from base backups.

Victor Wagner sent in two revisions of a patch to fix make variable processing
in Mkvcbuild.pm.

Andrew Dunstan sent in two more revisions of a patch to speed up ALTER TABLE ...

Pavan Deolasee sent in another revision of a patch to implement MERGE.

Amit Langote and David Rowley traded patches to prune partitions at runtime.

David Steele sent in another revision of a patch to make it possible to allow
group filesystem access.

Nikita Glukhov sent in a patch to implement opclass parameters.

Alexander Korotkov sent in a patch to add a GUC for "cleanup indexes" threshold.

Ivan Kartyshov sent in another revision of a patch to fix some issues that crop
up in long transactions on hot standby feedback replica.

Nikita Zhuchkov sent in a patch to create direct casts from numeric types to

Antonin Houska sent in another revision of a patch to implement aggregate

Peter Eisentraut sent in another revision of a patch to handle heap rewrites
even better in logical decoding.

Peter Eisentraut sent in a patch to PL/pgSQL: to enable nested CALL with

Peter Eisentraut sent in a patch to support SET TRANSACTION to PL/pgsql.

Peter Eisentraut sent in a patch to support INOUT parameters in procedures in

Tom Lane sent in a patch to fix an issue where VPATH build from a tarball fails
with some gmake versions.

Amit Langote sent in a patch to fix an issue where inserts into partitioned
table may cause a crash.

Anastasia Lubennikova and Nikita Glukhov traded patches to add casts from JSONB
to numeric and boolean types.

Anastasia Lubennikova sent in a patch to reduce amount of WAL generated by

Michael Banck sent in a patch to enable sending parallel dump to /dev/null.

Nikhil Sontakke sent in another revision of a patch to decode two-phase

David Steele sent in a patch to add re-initialization tests for unlogged tables.

Shubham Barai sent in another revision of a patch to implement predicate locking
in GIN indexes.

Nikita Glukhov sent in another revision of a patch to support kNN for SP-GiST.

Masahiko Sawada sent in a patch to change the autovacuum launcher scheduling
to an "oldest table first" algorithm.

Amit Langote and Álvaro Herrera traded patches to implement ON CONFLICT DO
UPDATE for partitioned tables.

Robert Haas sent in another revision of a patch to speed up processing at Gather

Etsuro Fujita sent in another revision of a patch to fix an oddity in handling
of WCO constraints in postgres_fdw.

Magnus Hagander and Daniel Gustafsson traded patches to enable online enabling
of checksums.

Anastasia Lubennikova sent in a patch to add a function to track shmem reinit

Tomas Vondra sent in two revisions of a patch to fix an issue where user-defined
numeric data types were triggering ERROR: unsupported type.

Michael Banck sent in a patch to verify checksums during basebackups.

Euler Taveira de Oliveira sent in a patch to remove unused #includes from

Peter Eisentraut sent in a patch to enable faster testing using symlinks.

Peter Eisentraut sent in a patch to fix more format truncation issues.

Takayuki Tsunakawa sent in another revision of a patch to produce a crash dump
before main() on Windows.

Takayuki Tsunakawa sent in a patch to fix a bug where pg_rewind creates corrupt
WAL files, making it so that the standby cannot catch up to the primary.

Amit Langote sent in a patch to avoid RelabelType in some cases in

Arseny Sher sent in a patch to use a single snapshot for replay.

Alexander Korotkov sent in another revision of a patch to implement incremental

Laurenz Albe sent in a patch to fix a bug where SHOW ALL does not honor
pg_read_all_settings membership.

Peter Eisentraut sent in a patch to make CALL optional in PL/pgsql.

Daniel Vérité sent in another revision of a patch to implement a CSV output
format for psql.

Nikita Glukhov sent in another revision of a patch to add an enum reloption

Fabien COELHO sent in another revision of a patch to add \if to pgbench.

Curt Tilmes sent in two more revisions of a patch to find additional connection
service files in the pg_service.conf.d directory.

Euler Taveira de Oliveira sent in a patch to enable row filtering in logical

Peter Eisentraut sent in a patch to help manage transaction isolation in
procedures by implementing the SQL standard "chained transactions" feature.

Thomas Munro sent in another revision of a patch to implement synchronous

David Rowley sent in three more revisions of a patch to make it possible to
parallelize string_agg and array_agg.

Masahiko Sawada sent in another revision of a patch to report autovac_workitem
request failure.

David Rowley sent in a patch to fix an issue where pg_dump outputs invalid
syntax for partitions with bool partkeys.

Thomas Munro sent in another revision of a patch to fix costing of parallel hash

Emre Hasegeli sent in another revision of a patch to improve geometric types'
use of floating point types.

Alexander Kuzmenkov sent in another revision of a patch to implement full merge
join on comparison clause.

Andrey Borodin sent in another revision of a patch to fix GiST stats for partial

Etsuro Fujita sent in another revision of a patch to fix a too-sensitive
regression test for the PostgreSQL FDW.

Amit Kapila sent in a patch to increase the MAX_PAGE_TRANS_INFO_SLOTS constant
in anticipation of zHeap.

Magnus Hagander and Tom Lane traded patches to fix some Perl code in the code
base per perltidy.

Pavel Stěhule and Tomas Vondra traded patches to add additional extra checks for

David Rowley sent in another revision of a patch to add a STATISTICS option to

Noriyoshi Shinoda sent in a patch to update the documentation for logical
replication security.

Tomas Vondra sent in two more revisions of a patch to add a logical_work_mem to
deal with logical streaming of large in-progress transactions.

Tomas Vondra sent in another revision of a patch to implement multivariate
histograms and MCV lists.

Andres Freund sent in another revision of a patch to add parenthesized options
syntax for ANALYZE and add a NOWAIT option to VACUUM and ANALYZE.

Tomas Vondra sent in another revision of a patch to implement BRIN multi-range

David Rowley sent in another revision of a patch to remove useless DISTINCT

Tomas Vondra sent in another revision of a patch to add support for uuid, bool,
name, bpchar and anyrange types to btree_gin.

Thomas Munro sent in a patch to fix a select_parallel test failure where gather
sometimes loses tuples.

David Rowley sent in another revision of a patch to disallow LEFT JOIN removal
when join or base quals have volatile functions and allow LEFT JOINs to be
removed in more cases.

Tom Lane sent in a patch to create an infrastructure for version-dependent tab
completion in psql.

Browse pgsql-announce by date

  From Date Subject
Next Message Mahadevan Ramachandran 2018-03-06 08:13:00 Announcing pgmetrics
Previous Message Christoph Berg 2018-03-01 17:07:39 Re: Fwd: pgAdmin4 2.1 on apt.postgresql.org