2015-02-05 This release contains a variety of fixes from 9.1.14. For information about new features in the 9.1 major release, see . A dump/restore is not required for those running 9.1.X. However, if you are upgrading from a version earlier than 9.1.14, see . Fix buffer overruns in to_char() (Bruce Momjian) When to_char() processes a numeric formatting template calling for a large number of digits, PostgreSQL would read past the end of a buffer. When processing a crafted timestamp formatting template, PostgreSQL would write past the end of a buffer. Either case could crash the server. We have not ruled out the possibility of attacks that lead to privilege escalation, though they seem unlikely. (CVE-2015-0241) Fix buffer overrun in replacement *printf() functions (Tom Lane) PostgreSQL includes a replacement implementation of printf and related functions. This code will overrun a stack buffer when formatting a floating point number (conversion specifiers e, E, f, F, g or G) with requested precision greater than about 500. This will crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. A database user can trigger such a buffer overrun through the to_char() SQL function. While that is the only affected core PostgreSQL functionality, extension modules that use printf-family functions may be at risk as well. This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of these functions where adequate, which it is on other modern platforms. (CVE-2015-0242) Fix buffer overruns in contrib/pgcrypto (Marko Tiikkaja, Noah Misch) Errors in memory size tracking within the pgcrypto module permitted stack buffer overruns and improper dependence on the contents of uninitialized memory. The buffer overrun cases can crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. (CVE-2015-0243) Fix possible loss of frontend/backend protocol synchronization after an error (Heikki Linnakangas) If any error occurred while the server was in the middle of reading a protocol message from the client, it could lose synchronization and incorrectly try to interpret part of the message's data as a new protocol message. An attacker able to submit crafted binary data within a command parameter might succeed in injecting his own SQL commands this way. Statement timeout and query cancellation are the most likely sources of errors triggering this scenario. Particularly vulnerable are applications that use a timeout and also submit arbitrary user-crafted data as binary query parameters. Disabling statement timeout will reduce, but not eliminate, the risk of exploit. Our thanks to Emil Lenngren for reporting this issue. (CVE-2015-0244) Fix information leak via constraint-violation error messages (Stephen Frost) Some server error messages show the values of columns that violate a constraint, such as a unique constraint. If the user does not have SELECT privilege on all columns of the table, this could mean exposing values that the user should not be able to see. Adjust the code so that values are displayed only when they came from the SQL command or could be selected by the user. (CVE-2014-8161) Lock down regression testing's temporary installations on Windows (Noah Misch) Use SSPI authentication to allow connections only from the OS user who launched the test suite. This closes on Windows the same vulnerability previously closed on other platforms, namely that other users might be able to connect to the test postmaster. (CVE-2014-0067) Avoid possible data corruption if ALTER DATABASE SET TABLESPACE is used to move a database to a new tablespace and then shortly later move it back to its original tablespace (Tom Lane) Avoid corrupting tables when ANALYZE inside a transaction is rolled back (Andres Freund, Tom Lane, Michael Paquier) If the failing transaction had earlier removed the last index, rule, or trigger from the table, the table would be left in a corrupted state with the relevant pg_class flags not set though they should be. Ensure that unlogged tables are copied correctly during CREATE DATABASE or ALTER DATABASE SET TABLESPACE (Pavan Deolasee, Andres Freund) Fix DROP's dependency searching to correctly handle the case where a table column is recursively visited before its table (Petr Jelinek, Tom Lane) This case is only known to arise when an extension creates both a datatype and a table using that datatype. The faulty code might refuse a DROP EXTENSION unless CASCADE is specified, which should not be required. Fix use-of-already-freed-memory problem in EvalPlanQual processing (Tom Lane) In READ COMMITTED mode, queries that lock or update recently-updated rows could crash as a result of this bug. Fix planning of SELECT FOR UPDATE when using a partial index on a child table (Kyotaro Horiguchi) In READ COMMITTED mode, SELECT FOR UPDATE must also recheck the partial index's WHERE condition when rechecking a recently-updated row to see if it still satisfies the query's WHERE condition. This requirement was missed if the index belonged to an inheritance child table, so that it was possible to incorrectly return rows that no longer satisfy the query condition. Fix corner case wherein SELECT FOR UPDATE could return a row twice, and possibly miss returning other rows (Tom Lane) In READ COMMITTED mode, a SELECT FOR UPDATE that is scanning an inheritance tree could incorrectly return a row from a prior child table instead of the one it should return from a later child table. Reject duplicate column names in the referenced-columns list of a FOREIGN KEY declaration (David Rowley) This restriction is per SQL standard. Previously we did not reject the case explicitly, but later on the code would fail with bizarre-looking errors. Fix bugs in raising a numeric value to a large integral power (Tom Lane) The previous code could get a wrong answer, or consume excessive amounts of time and memory before realizing that the answer must overflow. In numeric_recv(), truncate away any fractional digits that would be hidden according to the value's dscale field (Tom Lane) A numeric value's display scale (dscale) should never be less than the number of nonzero fractional digits; but apparently there's at least one broken client application that transmits binary numeric values in which that's true. This leads to strange behavior since the extra digits are taken into account by arithmetic operations even though they aren't printed. The least risky fix seems to be to truncate away such hidden digits on receipt, so that the value is indeed what it prints as. Reject out-of-range numeric timezone specifications (Tom Lane) Simple numeric timezone specifications exceeding +/- 168 hours (one week) would be accepted, but could then cause null-pointer dereference crashes in certain operations. There's no use-case for such large UTC offsets, so reject them. Fix bugs in tsquery @> tsquery operator (Heikki Linnakangas) Two different terms would be considered to match if they had the same CRC. Also, if the second operand had more terms than the first, it would be assumed not to be contained in the first; which is wrong since it might contain duplicate terms. Improve ispell dictionary's defenses against bad affix files (Tom Lane) Allow more than 64K phrases in a thesaurus dictionary (David Boutin) The previous coding could crash on an oversize dictionary, so this was deemed a back-patchable bug fix rather than a feature addition. Fix namespace handling in xpath() (Ali Akbar) Previously, the xml value resulting from an xpath() call would not have namespace declarations if the namespace declarations were attached to an ancestor element in the input xml value, rather than to the specific element being returned. Propagate the ancestral declaration so that the result is correct when considered in isolation. Fix planner problems with nested append relations, such as inherited tables within UNION ALL subqueries (Tom Lane) Fail cleanly when a GiST index tuple doesn't fit on a page, rather than going into infinite recursion (Andrew Gierth) Exempt tables that have per-table cost_limit and/or cost_delay settings from autovacuum's global cost balancing rules (Álvaro Herrera) The previous behavior resulted in basically ignoring these per-table settings, which was unintended. Now, a table having such settings will be vacuumed using those settings, independently of what is going on in other autovacuum workers. This may result in heavier total I/O load than before, so such settings should be re-examined for sanity. Avoid wholesale autovacuuming when autovacuum is nominally off (Tom Lane) Even when autovacuum is nominally off, we will still launch autovacuum worker processes to vacuum tables that are at risk of XID wraparound. However, such a worker process then proceeded to vacuum all tables in the target database, if they met the usual thresholds for autovacuuming. This is at best pretty unexpected; at worst it delays response to the wraparound threat. Fix it so that if autovacuum is turned off, workers only do anti-wraparound vacuums and not any other work. During crash recovery, ensure that unlogged relations are rewritten as empty and are synced to disk before recovery is considered complete (Abhijit Menon-Sen, Andres Freund) This prevents scenarios in which unlogged relations might contain garbage data following database crash recovery. Fix race condition between hot standby queries and replaying a full-page image (Heikki Linnakangas) This mistake could result in transient errors in queries being executed in hot standby. Fix several cases where recovery logic improperly ignored WAL records for COMMIT/ABORT PREPARED (Heikki Linnakangas) The most notable oversight was that recovery_min_apply_delay failed to delay application of a two-phase commit. Avoid creating unnecessary .ready marker files for timeline history files (Fujii Masao) Fix possible null pointer dereference when an empty prepared statement is used and the log_statement setting is mod or ddl (Fujii Masao) Change pgstat wait timeout warning message to be LOG level, and rephrase it to be more understandable (Tom Lane) This message was originally thought to be essentially a can't-happen case, but it occurs often enough on our slower buildfarm members to be a nuisance. Reduce it to LOG level, and expend a bit more effort on the wording: it now reads using stale statistics instead of current ones because stats collector is not responding. Fix SPARC spinlock implementation to ensure correctness if the CPU is being run in a non-TSO coherency mode, as some non-Solaris kernels do (Andres Freund) Warn if OS X's setlocale() starts an unwanted extra thread inside the postmaster (Noah Misch) Fix processing of repeated dbname parameters in PQconnectdbParams() (Alex Shulgin) Unexpected behavior ensued if the first occurrence of dbname contained a connection string or URI to be expanded. Ensure that libpq reports a suitable error message on unexpected socket EOF (Marko Tiikkaja, Tom Lane) Depending on kernel behavior, libpq might return an empty error string rather than something useful when the server unexpectedly closed the socket. Clear any old error message during PQreset() (Heikki Linnakangas) If PQreset() is called repeatedly, and the connection cannot be re-established, error messages from the failed connection attempts kept accumulating in the PGconn's error string. Properly handle out-of-memory conditions while parsing connection options in libpq (Alex Shulgin, Heikki Linnakangas) Fix array overrun in ecpg's version of ParseDateTime() (Michael Paquier) In initdb, give a clearer error message if a password file is specified but is empty (Mats Erik Andersson) Fix psql's \s command to work nicely with libedit, and add pager support (Stepan Rutz, Tom Lane) When using libedit rather than readline, \s printed the command history in a fairly unreadable encoded format, and on recent libedit versions might fail altogether. Fix that by printing the history ourselves rather than having the library do it. A pleasant side-effect is that the pager is used if appropriate. This patch also fixes a bug that caused newline encoding to be applied inconsistently when saving the command history with libedit. Multiline history entries written by older psql versions will be read cleanly with this patch, but perhaps not vice versa, depending on the exact libedit versions involved. Improve consistency of parsing of psql's special variables (Tom Lane) Allow variant spellings of on and off (such as 1/0) for ECHO_HIDDEN and ON_ERROR_ROLLBACK. Report a warning for unrecognized values for COMP_KEYWORD_CASE, ECHO, ECHO_HIDDEN, HISTCONTROL, ON_ERROR_ROLLBACK, and VERBOSITY. Recognize all values for all these variables case-insensitively; previously there was a mishmash of case-sensitive and case-insensitive behaviors. Fix psql's expanded-mode display to work consistently when using border = 3 and linestyle = ascii or unicode (Stephen Frost) Improve performance of pg_dump when the database contains many instances of multiple dependency paths between the same two objects (Tom Lane) Fix possible deadlock during parallel restore of a schema-only dump (Robert Haas, Tom Lane) Fix core dump in pg_dump --binary-upgrade on zero-column composite type (Rushabh Lathia) Prevent WAL files created by pg_basebackup -x/-X from being archived again when the standby is promoted (Andres Freund) Fix upgrade-from-unpackaged script for contrib/citext (Tom Lane) Fix block number checking in contrib/pageinspect's get_raw_page() (Tom Lane) The incorrect checking logic could prevent access to some pages in non-main relation forks. Fix contrib/pgcrypto's pgp_sym_decrypt() to not fail on messages whose length is 6 less than a power of 2 (Marko Tiikkaja) Fix file descriptor leak in contrib/pg_test_fsync (Jeff Janes) This could cause failure to remove temporary files on Windows. Handle unexpected query results, especially NULLs, safely in contrib/tablefunc's connectby() (Michael Paquier) connectby() previously crashed if it encountered a NULL key value. It now prints that row but doesn't recurse further. Avoid a possible crash in contrib/xml2's xslt_process() (Mark Simonetti) libxslt seems to have an undocumented dependency on the order in which resources are freed; reorder our calls to avoid a crash. Mark some contrib I/O functions with correct volatility properties (Tom Lane) The previous over-conservative marking was immaterial in normal use, but could cause optimization problems or rejection of valid index expression definitions. Since the consequences are not large, we've just adjusted the function definitions in the extension modules' scripts, without changing version numbers. Numerous cleanups of warnings from Coverity static code analyzer (Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier) These changes are mostly cosmetic but in some cases fix corner-case bugs, for example a crash rather than a proper error report after an out-of-memory failure. None are believed to represent security issues. Detect incompatible OpenLDAP versions during build (Noah Misch) With OpenLDAP versions 2.4.24 through 2.4.31, inclusive, PostgreSQL backends can crash at exit. Raise a warning during configure based on the compile-time OpenLDAP version number, and test the crashing scenario in the contrib/dblink regression test. In non-MSVC Windows builds, ensure libpq.dll is installed with execute permissions (Noah Misch) Make pg_regress remove any temporary installation it created upon successful exit (Tom Lane) This results in a very substantial reduction in disk space usage during make check-world, since that sequence involves creation of numerous temporary installations. Support time zone abbreviations that change UTC offset from time to time (Tom Lane) Previously, PostgreSQL assumed that the UTC offset associated with a time zone abbreviation (such as EST) never changes in the usage of any particular locale. However this assumption fails in the real world, so introduce the ability for a zone abbreviation to represent a UTC offset that sometimes changes. Update the zone abbreviation definition files to make use of this feature in timezone locales that have changed the UTC offset of their abbreviations since 1970 (according to the IANA timezone database). In such timezones, PostgreSQL will now associate the correct UTC offset with the abbreviation depending on the given date. Update time zone abbreviations lists (Tom Lane) Add CST (China Standard Time) to our lists. Remove references to ADT as Arabia Daylight Time, an abbreviation that's been out of use since 2007; therefore, claiming there is a conflict with Atlantic Daylight Time doesn't seem especially helpful. Fix entirely incorrect GMT offsets for CKT (Cook Islands), FJT, and FJST (Fiji); we didn't even have them on the proper side of the date line. Update time zone data files to tzdata release 2015a. The IANA timezone database has adopted abbreviations of the form AxST/AxDT for all Australian time zones, reflecting what they believe to be current majority practice Down Under. These names do not conflict with usage elsewhere (other than ACST for Acre Summer Time, which has been in disuse since 1994). Accordingly, adopt these names into our Default timezone abbreviation set. The Australia abbreviation set now contains only CST, EAST, EST, SAST, SAT, and WST, all of which are thought to be mostly historical usage. Note that SAST has also been changed to be South Africa Standard Time in the Default abbreviation set. Also, add zone abbreviations SRET (Asia/Srednekolymsk) and XJT (Asia/Urumqi), and use WSST/WSDT for western Samoa. Also, there were DST law changes in Chile, Mexico, the Turks & Caicos Islands (America/Grand_Turk), and Fiji. There is a new zone Pacific/Bougainville for portions of Papua New Guinea. Also, numerous corrections for historical (pre-1970) time zone data. 2014-07-24 This release contains a variety of fixes from 9.1.13. For information about new features in the 9.1 major release, see . A dump/restore is not required for those running 9.1.X. However, this release corrects an index corruption problem in some GiST indexes. See the first changelog entry below to find out whether your installation has been affected and what steps you should take if so. Also, if you are upgrading from a version earlier than 9.1.11, see . Correctly initialize padding bytes in contrib/btree_gist indexes on bit columns (Heikki Linnakangas) This error could result in incorrect query results due to values that should compare equal not being seen as equal. Users with GiST indexes on bit or bit varying columns should REINDEX those indexes after installing this update. Protect against torn pages when deleting GIN list pages (Heikki Linnakangas) This fix prevents possible index corruption if a system crash occurs while the page update is being written to disk. Don't clear the right-link of a GiST index page while replaying updates from WAL (Heikki Linnakangas) This error could lead to transiently wrong answers from GiST index scans performed in Hot Standby. Fix feedback status when is turned off on-the-fly (Simon Riggs) Fix possibly-incorrect cache invalidation during nested calls to ReceiveSharedInvalidMessages (Andres Freund) Fix could not find pathkey item to sort planner failures with UNION ALL over subqueries reading from tables with inheritance children (Tom Lane) Don't assume a subquery's output is unique if there's a set-returning function in its targetlist (David Rowley) This oversight could lead to misoptimization of constructs like WHERE x IN (SELECT y, generate_series(1,10) FROM t GROUP BY y). Fix failure to detoast fields in composite elements of structured types (Tom Lane) This corrects cases where TOAST pointers could be copied into other tables without being dereferenced. If the original data is later deleted, it would lead to errors like missing chunk number 0 for toast value ... when the now-dangling pointer is used. Fix record type has not been registered failures with whole-row references to the output of Append plan nodes (Tom Lane) Fix possible crash when invoking a user-defined function while rewinding a cursor (Tom Lane) Fix query-lifespan memory leak while evaluating the arguments for a function in FROM (Tom Lane) Fix session-lifespan memory leaks in regular-expression processing (Tom Lane, Arthur O'Dwyer, Greg Stark) Fix data encoding error in hungarian.stop (Tom Lane) Prevent foreign tables from being created with OIDS when is true (Etsuro Fujita) Fix liveness checks for rows that were inserted in the current transaction and then deleted by a now-rolled-back subtransaction (Andres Freund) This could cause problems (at least spurious warnings, and at worst an infinite loop) if CREATE INDEX or CLUSTER were done later in the same transaction. Clear pg_stat_activity.xact_start during PREPARE TRANSACTION (Andres Freund) After the PREPARE, the originating session is no longer in a transaction, so it should not continue to display a transaction start time. Fix REASSIGN OWNED to not fail for text search objects (Álvaro Herrera) Block signals during postmaster startup (Tom Lane) This ensures that the postmaster will properly clean up after itself if, for example, it receives SIGINT while still starting up. Fix client host name lookup when processing pg_hba.conf entries that specify host names instead of IP addresses (Tom Lane) Ensure that reverse-DNS lookup failures are reported, instead of just silently not matching such entries. Also ensure that we make only one reverse-DNS lookup attempt per connection, not one per host name entry, which is what previously happened if the lookup attempts failed. Secure Unix-domain sockets of temporary postmasters started during make check (Noah Misch) Any local user able to access the socket file could connect as the server's bootstrap superuser, then proceed to execute arbitrary code as the operating-system user running the test, as we previously noted in CVE-2014-0067. This change defends against that risk by placing the server's socket in a temporary, mode 0700 subdirectory of /tmp. The hazard remains however on platforms where Unix sockets are not supported, notably Windows, because then the temporary postmaster must accept local TCP connections. A useful side effect of this change is to simplify make check testing in builds that override DEFAULT_PGSOCKET_DIR. Popular non-default values like /var/run/postgresql are often not writable by the build user, requiring workarounds that will no longer be necessary. Fix tablespace creation WAL replay to work on Windows (MauMau) Fix detection of socket creation failures on Windows (Bruce Momjian) On Windows, allow new sessions to absorb values of PGC_BACKEND parameters (such as ) from the configuration file (Amit Kapila) Previously, if such a parameter were changed in the file post-startup, the change would have no effect. Properly quote executable path names on Windows (Nikhil Deshpande) This oversight could cause initdb and pg_upgrade to fail on Windows, if the installation path contained both spaces and @ signs. Fix linking of libpython on OS X (Tom Lane) The method we previously used can fail with the Python library supplied by Xcode 5.0 and later. Avoid buffer bloat in libpq when the server consistently sends data faster than the client can absorb it (Shin-ichi Morita, Tom Lane) libpq could be coerced into enlarging its input buffer until it runs out of memory (which would be reported misleadingly as lost synchronization with server). Under ordinary circumstances it's quite far-fetched that data could be continuously transmitted more quickly than the recv() loop can absorb it, but this has been observed when the client is artificially slowed by scheduler constraints. Ensure that LDAP lookup attempts in libpq time out as intended (Laurenz Albe) Fix ecpg to do the right thing when an array of char * is the target for a FETCH statement returning more than one row, as well as some other array-handling fixes (Ashutosh Bapat) Fix pg_restore's processing of old-style large object comments (Tom Lane) A direct-to-database restore from an archive file generated by a pre-9.0 version of pg_dump would usually fail if the archive contained more than a few comments for large objects. In contrib/pgcrypto functions, ensure sensitive information is cleared from stack variables before returning (Marko Kreen) In contrib/uuid-ossp, cache the state of the OSSP UUID library across calls (Tom Lane) This improves the efficiency of UUID generation and reduces the amount of entropy drawn from /dev/urandom, on platforms that have that. Update time zone data files to tzdata release 2014e for DST law changes in Crimea, Egypt, and Morocco. 2014-03-20 This release contains a variety of fixes from 9.1.12. For information about new features in the 9.1 major release, see . A dump/restore is not required for those running 9.1.X. However, if you are upgrading from a version earlier than 9.1.11, see . Restore GIN metapages unconditionally to avoid torn-page risk (Heikki Linnakangas) Although this oversight could theoretically result in a corrupted index, it is unlikely to have caused any problems in practice, since the active part of a GIN metapage is smaller than a standard 512-byte disk sector. Avoid race condition in checking transaction commit status during receipt of a NOTIFY message (Marko Tiikkaja) This prevents a scenario wherein a sufficiently fast client might respond to a notification before database updates made by the notifier have become visible to the recipient. Allow regular-expression operators to be terminated early by query cancel requests (Tom Lane) This prevents scenarios wherein a pathological regular expression could lock up a server process uninterruptably for a long time. Remove incorrect code that tried to allow OVERLAPS with single-element row arguments (Joshua Yanovski) This code never worked correctly, and since the case is neither specified by the SQL standard nor documented, it seemed better to remove it than fix it. Avoid getting more than AccessShareLock when de-parsing a rule or view (Dean Rasheed) This oversight resulted in pg_dump unexpectedly acquiring RowExclusiveLock locks on tables mentioned as the targets of INSERT/UPDATE/DELETE commands in rules. While usually harmless, that could interfere with concurrent transactions that tried to acquire, for example, ShareLock on those tables. Improve performance of index endpoint probes during planning (Tom Lane) This change fixes a significant performance problem that occurred when there were many not-yet-committed rows at the end of the index, which is a common situation for indexes on sequentially-assigned values such as timestamps or sequence-generated identifiers. Fix walsender's failure to shut down cleanly when client is pg_receivexlog (Fujii Masao) Fix test to see if hot standby connections can be allowed immediately after a crash (Heikki Linnakangas) Prevent interrupts while reporting non-ERROR messages (Tom Lane) This guards against rare server-process freezeups due to recursive entry to syslog(), and perhaps other related problems. Fix memory leak in PL/Perl when returning a composite result, including multiple-OUT-parameter cases (Alex Hunsaker) Prevent intermittent could not reserve shared memory region failures on recent Windows versions (MauMau) Update time zone data files to tzdata release 2014a for DST law changes in Fiji and Turkey, plus historical changes in Israel and Ukraine. 2014-02-20 This release contains a variety of fixes from 9.1.11. For information about new features in the 9.1 major release, see . A dump/restore is not required for those running 9.1.X. However, if you are upgrading from a version earlier than 9.1.11, see . Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch) Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role, but this restriction was easily bypassed by doing SET ROLE first. The security impact is mostly that a role member can revoke the access of others, contrary to the wishes of his grantor. Unapproved role member additions are a lesser concern, since an uncooperative role member could provide most of his rights to others anyway by creating views or SECURITY DEFINER functions. (CVE-2014-0060) Prevent privilege escalation via manual calls to PL validator functions (Andres Freund) The primary role of PL validator functions is to be called implicitly during CREATE FUNCTION, but they are also normal SQL functions that a user can call explicitly. Calling a validator on a function actually written in some other language was not checked for and could be exploited for privilege-escalation purposes. The fix involves adding a call to a privilege-checking function in each validator function. Non-core procedural languages will also need to make this change to their own validator functions, if any. (CVE-2014-0061) Avoid multiple name lookups during table and index DDL (Robert Haas, Andres Freund) If the name lookups come to different conclusions due to concurrent activity, we might perform some parts of the DDL on a different table than other parts. At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table than the index creation, allowing for a privilege escalation attack. (CVE-2014-0062) Prevent buffer overrun with long datetime strings (Noah Misch) The MAXDATELEN constant was too small for the longest possible value of type interval, allowing a buffer overrun in interval_out(). Although the datetime input functions were more careful about avoiding buffer overrun, the limit was short enough to cause them to reject some valid inputs, such as input containing a very long timezone name. The ecpg library contained these vulnerabilities along with some of its own. (CVE-2014-0063) Prevent buffer overrun due to integer overflow in size calculations (Noah Misch, Heikki Linnakangas) Several functions, mostly type input functions, calculated an allocation size without checking for overflow. If overflow did occur, a too-small buffer would be allocated and then written past. (CVE-2014-0064) Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich) Use strlcpy() and related functions to provide a clear guarantee that fixed-size buffers are not overrun. Unlike the preceding items, it is unclear whether these cases really represent live issues, since in most cases there appear to be previous constraints on the size of the input string. Nonetheless it seems prudent to silence all Coverity warnings of this type. (CVE-2014-0065) Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian) There are relatively few scenarios in which crypt() could return NULL, but contrib/chkpass would crash if it did. One practical case in which this could be an issue is if libc is configured to refuse to execute unapproved hashing algorithms (e.g., FIPS mode). (CVE-2014-0066) Document risks of make check in the regression testing instructions (Noah Misch, Tom Lane) Since the temporary server started by make check uses trust authentication, another user on the same machine could connect to it as database superuser, and then potentially exploit the privileges of the operating-system user who started the tests. A future release will probably incorporate changes in the testing procedure to prevent this risk, but some public discussion is needed first. So for the moment, just warn people against using make check when there are untrusted users on the same machine. (CVE-2014-0067) Fix possible mis-replay of WAL records when some segments of a relation aren't full size (Greg Stark, Tom Lane) The WAL update could be applied to the wrong page, potentially many pages past where it should have been. Aside from corrupting data, this error has been observed to result in significant bloat of standby servers compared to their masters, due to updates being applied far beyond where the end-of-file should have been. This failure mode does not appear to be a significant risk during crash recovery, only when initially synchronizing a standby created from a base backup taken from a quickly-changing master. Fix bug in determining when recovery has reached consistency (Tomonari Katsumata, Heikki Linnakangas) In some cases WAL replay would mistakenly conclude that the database was already consistent at the start of replay, thus possibly allowing hot-standby queries before the database was really consistent. Other symptoms such as PANIC: WAL contains references to invalid pages were also possible. Fix improper locking of btree index pages while replaying a VACUUM operation in hot-standby mode (Andres Freund, Heikki Linnakangas, Tom Lane) This error could result in PANIC: WAL contains references to invalid pages failures. Ensure that insertions into non-leaf GIN index pages write a full-page WAL record when appropriate (Heikki Linnakangas) The previous coding risked index corruption in the event of a partial-page write during a system crash. When pause_at_recovery_target and recovery_target_inclusive are both set, ensure the target record is applied before pausing, not after (Heikki Linnakangas) Fix race conditions during server process exit (Robert Haas) Ensure that signal handlers don't attempt to use the process's MyProc pointer after it's no longer valid. Fix race conditions in walsender shutdown logic and walreceiver SIGHUP signal handler (Tom Lane) Fix unsafe references to errno within error reporting logic (Christian Kruse) This would typically lead to odd behaviors such as missing or inappropriate HINT fields. Fix possible crashes from using ereport() too early during server startup (Tom Lane) The principal case we've seen in the field is a crash if the server is started in a directory it doesn't have permission to read. Clear retry flags properly in OpenSSL socket write function (Alexander Kukushkin) This omission could result in a server lockup after unexpected loss of an SSL-encrypted connection. Fix length checking for Unicode identifiers (U&"..." syntax) containing escapes (Tom Lane) A spurious truncation warning would be printed for such identifiers if the escaped form of the identifier was too long, but the identifier actually didn't need truncation after de-escaping. Allow keywords that are type names to be used in lists of roles (Stephen Frost) A previous patch allowed such keywords to be used without quoting in places such as role identifiers; but it missed cases where a list of role identifiers was permitted, such as DROP ROLE. Fix parser crash for EXISTS(SELECT * FROM zero_column_table) (Tom Lane) Fix possible crash due to invalid plan for nested sub-selects, such as WHERE (... x IN (SELECT ...) ...) IN (SELECT ...) (Tom Lane) Ensure that ANALYZE creates statistics for a table column even when all the values in it are too wide (Tom Lane) ANALYZE intentionally omits very wide values from its histogram and most-common-values calculations, but it neglected to do something sane in the case that all the sampled entries are too wide. In ALTER TABLE ... SET TABLESPACE, allow the database's default tablespace to be used without a permissions check (Stephen Frost) CREATE TABLE has always allowed such usage, but ALTER TABLE didn't get the memo. Fix cannot accept a set error when some arms of a CASE return a set and others don't (Tom Lane) Fix checks for all-zero client addresses in pgstat functions (Kevin Grittner) Fix possible misclassification of multibyte characters by the text search parser (Tom Lane) Non-ASCII characters could be misclassified when using C locale with a multibyte encoding. On Cygwin, non-C locales could fail as well. Fix possible misbehavior in plainto_tsquery() (Heikki Linnakangas) Use memmove() not memcpy() for copying overlapping memory regions. There have been no field reports of this actually causing trouble, but it's certainly risky. Fix placement of permissions checks in pg_start_backup() and pg_stop_backup() (Andres Freund, Magnus Hagander) The previous coding might attempt to do catalog access when it shouldn't. Accept SHIFT_JIS as an encoding name for locale checking purposes (Tatsuo Ishii) Fix misbehavior of PQhost() on Windows (Fujii Masao) It should return localhost if no host has been specified. Improve error handling in libpq and psql for failures during COPY TO STDOUT/FROM STDIN (Tom Lane) In particular this fixes an infinite loop that could occur in 9.2 and up if the server connection was lost during COPY FROM STDIN. Variants of that scenario might be possible in older versions, or with other client applications. Fix possible incorrect printing of filenames in pg_basebackup's verbose mode (Magnus Hagander) Avoid including tablespaces inside PGDATA twice in base backups (Dimitri Fontaine, Magnus Hagander) Fix misaligned descriptors in ecpg (MauMau) In ecpg, handle lack of a hostname in the connection parameters properly (Michael Meskes) Fix performance regression in contrib/dblink connection startup (Joe Conway) Avoid an unnecessary round trip when client and server encodings match. In contrib/isn, fix incorrect calculation of the check digit for ISMN values (Fabien Coelho) Ensure client-code-only installation procedure works as documented (Peter Eisentraut) In Mingw and Cygwin builds, install the libpq DLL in the bin directory (Andrew Dunstan) This duplicates what the MSVC build has long done. It should fix problems with programs like psql failing to start because they can't find the DLL. Avoid using the deprecated dllwrap tool in Cygwin builds (Marco Atzeri) Don't generate plain-text HISTORY and src/test/regress/README files anymore (Tom Lane) These text files duplicated the main HTML and PDF documentation formats. The trouble involved in maintaining them greatly outweighs the likely audience for plain-text format. Distribution tarballs will still contain files by these names, but they'll just be stubs directing the reader to consult the main documentation. The plain-text INSTALL file will still be maintained, as there is arguably a use-case for that. Update time zone data files to tzdata release 2013i for DST law changes in Jordan and historical changes in Cuba. In addition, the zones Asia/Riyadh87, Asia/Riyadh88, and Asia/Riyadh89 have been removed, as they are no longer maintained by IANA, and never represented actual civil timekeeping practice. 2013-12-05 This release contains a variety of fixes from 9.1.10. For information about new features in the 9.1 major release, see . A dump/restore is not required for those running 9.1.X. However, this release corrects a number of potential data corruption issues. See the first two changelog entries below to find out whether your installation has been affected and what steps you can take if so. Also, if you are upgrading from a version earlier than 9.1.9, see . Fix VACUUM's tests to see whether it can update relfrozenxid (Andres Freund) In some cases VACUUM (either manual or autovacuum) could incorrectly advance a table's relfrozenxid value, allowing tuples to escape freezing, causing those rows to become invisible once 2^31 transactions have elapsed. The probability of data loss is fairly low since multiple incorrect advancements would need to happen before actual loss occurs, but it's not zero. Users upgrading from releases 9.0.4 or 8.4.8 or earlier are not affected, but all later versions contain the bug. The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix any latent corruption but will not be able to fix all pre-existing data errors. However, an installation can be presumed safe after performing this vacuuming if it has executed fewer than 2^31 update transactions in its lifetime (check this with SELECT txid_current() < 2^31). Fix initialization of pg_clog and pg_subtrans during hot standby startup (Andres Freund, Heikki Linnakangas) This bug can cause data loss on standby servers at the moment they start to accept hot-standby queries, by marking committed transactions as uncommitted. The likelihood of such corruption is small unless, at the time of standby startup, the primary server has executed many updating transactions since its last checkpoint. Symptoms include missing rows, rows that should have been deleted being still visible, and obsolete versions of updated rows being still visible alongside their newer versions. This bug was introduced in versions 9.3.0, 9.2.5, 9.1.10, and 9.0.14. Standby servers that have only been running earlier releases are not at risk. It's recommended that standby servers that have ever run any of the buggy releases be re-cloned from the primary (e.g., with a new base backup) after upgrading. Truncate pg_multixact contents during WAL replay (Andres Freund) This avoids ever-increasing disk space consumption in standby servers. Fix race condition in GIN index posting tree page deletion (Heikki Linnakangas) This could lead to transient wrong answers or query failures. Avoid flattening a subquery whose SELECT list contains a volatile function wrapped inside a sub-SELECT (Tom Lane) This avoids unexpected results due to extra evaluations of the volatile function. Fix planner's processing of non-simple-variable subquery outputs nested within outer joins (Tom Lane) This error could lead to incorrect plans for queries involving multiple levels of subqueries within JOIN syntax. Fix incorrect generation of optimized MIN()/MAX() plans for inheritance trees (Tom Lane) The planner could fail in cases where the MIN()/MAX() argument was an expression rather than a simple variable. Fix premature deletion of temporary files (Andres Freund) Fix possible read past end of memory in rule printing (Peter Eisentraut) Fix array slicing of int2vector and oidvector values (Tom Lane) Expressions of this kind are now implicitly promoted to regular int2 or oid arrays. Fix incorrect behaviors when using a SQL-standard, simple GMT offset timezone (Tom Lane) In some cases, the system would use the simple GMT offset value when it should have used the regular timezone setting that had prevailed before the simple offset was selected. This change also causes the timeofday function to honor the simple GMT offset zone. Prevent possible misbehavior when logging translations of Windows error codes (Tom Lane) Properly quote generated command lines in pg_ctl (Naoya Anzai and Tom Lane) This fix applies only to Windows. Fix pg_dumpall to work when a source database sets default_transaction_read_only via ALTER DATABASE SET (Kevin Grittner) Previously, the generated script would fail during restore. Make ecpg search for quoted cursor names case-sensitively (Zoltán Böszörményi) Fix ecpg's processing of lists of variables declared varchar (Zoltán Böszörményi) Make contrib/lo defend against incorrect trigger definitions (Marc Cousin) Update time zone data files to tzdata release 2013h for DST law changes in Argentina, Brazil, Jordan, Libya, Liechtenstein, Morocco, and Palestine. Also, new timezone abbreviations WIB, WIT, WITA for Indonesia. 2013-10-10 This release contains a variety of fixes from 9.1.9. For information about new features in the 9.1 major release, see . A dump/restore is not required for those running 9.1.X. However, if you are upgrading from a version earlier than 9.1.9, see . Prevent corruption of multi-byte characters when attempting to case-fold identifiers (Andrew Dunstan) PostgreSQL case-folds non-ASCII characters only when using a single-byte server encoding. Fix checkpoint memory leak in background writer when wal_level = hot_standby (Naoya Anzai) Fix memory leak caused by lo_open() failure (Heikki Linnakangas) Fix memory overcommit bug when work_mem is using more than 24GB of memory (Stephen Frost) Serializable snapshot fixes (Kevin Grittner, Heikki Linnakangas) Fix deadlock bug in libpq when using SSL (Stephen Frost) Fix possible SSL state corruption in threaded libpq applications (Nick Phillips, Stephen Frost) Properly compute row estimates for boolean columns containing many NULL values (Andrew Gierth) Previously tests like col IS NOT TRUE and col IS NOT FALSE did not properly factor in NULL values when estimating plan costs. Prevent pushing down WHERE clauses into unsafe UNION/INTERSECT subqueries (Tom Lane) Subqueries of a UNION or INTERSECT that contain set-returning functions or volatile functions in their SELECT lists could be improperly optimized, leading to run-time errors or incorrect query results. Fix rare case of failed to locate grouping columns planner failure (Tom Lane) Fix pg_dump of foreign tables with dropped columns (Andrew Dunstan) Previously such cases could cause a pg_upgrade error. Reorder pg_dump processing of extension-related rules and event triggers (Joe Conway) Force dumping of extension tables if specified by pg_dump -t or -n (Joe Conway) Improve view dumping code's handling of dropped columns in referenced tables (Tom Lane) Fix pg_restore -l with the directory archive to display the correct format name (Fujii Masao) Properly record index comments created using UNIQUE and PRIMARY KEY syntax (Andres Freund) This fixes a parallel pg_restore failure. Properly guarantee transmission of WAL files before clean switchover (Fujii Masao) Previously, the streaming replication connection might close before all WAL files had been replayed on the standby. Fix WAL segment timeline handling during recovery (Mitsumasa Kondo, Heikki Linnakangas) WAL file recycling during standby recovery could lead to premature recovery completion, resulting in data loss. Fix REINDEX TABLE and REINDEX DATABASE to properly revalidate constraints and mark invalidated indexes as valid (Noah Misch) REINDEX INDEX has always worked properly. Fix possible deadlock during concurrent CREATE INDEX CONCURRENTLY operations (Tom Lane) Fix regexp_matches() handling of zero-length matches (Jeevan Chalke) Previously, zero-length matches like '^' could return too many matches. Fix crash for overly-complex regular expressions (Heikki Linnakangas) Fix regular expression match failures for back references combined with non-greedy quantifiers (Jeevan Chalke) Prevent CREATE FUNCTION from checking SET variables unless function body checking is enabled (Tom Lane) Allow ALTER DEFAULT PRIVILEGES to operate on schemas without requiring CREATE permission (Tom Lane) Loosen restriction on keywords used in queries (Tom Lane) Specifically, lessen keyword restrictions for role names, language names, EXPLAIN and COPY options, and SET values. This allows COPY ... (FORMAT BINARY) to work as expected; previously BINARY needed to be quoted. Fix pgp_pub_decrypt() so it works for secret keys with passwords (Marko Kreen) Make pg_upgrade use pg_dump --quote-all-identifiers to avoid problems with keyword changes between releases (Tom Lane) Remove rare inaccurate warning during vacuum of index-less tables (Heikki Linnakangas) Ensure that VACUUM ANALYZE still runs the ANALYZE phase if its attempt to truncate the file is cancelled due to lock conflicts (Kevin Grittner) Avoid possible failure when performing transaction control commands (e.g ROLLBACK) in prepared queries (Tom Lane) Ensure that floating-point data input accepts standard spellings of infinity on all platforms (Tom Lane) The C99 standard says that allowable spellings are inf, +inf, -inf, infinity, +infinity, and -infinity. Make sure we recognize these even if the platform's strtod function doesn't. Expand ability to compare rows to records and arrays (Rafal Rzepecki, Tom Lane) Update time zone data files to tzdata release 2013d for DST law changes in Israel, Morocco, Palestine, and Paraguay. Also, historical zone data corrections for Macquarie Island. 2013-04-04 This release contains a variety of fixes from 9.1.8. For information about new features in the 9.1 major release, see . A dump/restore is not required for those running 9.1.X. However, this release corrects several errors in management of GiST indexes. After installing this update, it is advisable to REINDEX any GiST indexes that meet one or more of the conditions described below. Also, if you are upgrading from a version earlier than 9.1.6, see . Fix insecure parsing of server command-line switches (Mitsumasa Kondo, Kyotaro Horiguchi) A connection request containing a database name that begins with - could be crafted to damage or destroy files within the server's data directory, even if the request is eventually rejected. (CVE-2013-1899) Reset OpenSSL randomness state in each postmaster child process (Marko Kreen) This avoids a scenario wherein random numbers generated by contrib/pgcrypto functions might be relatively easy for another database user to guess. The risk is only significant when the postmaster is configured with ssl = on but most connections don't use SSL encryption. (CVE-2013-1900) Make REPLICATION privilege checks test current user not authenticated user (Noah Misch) An unprivileged database user could exploit this mistake to call pg_start_backup() or pg_stop_backup(), thus possibly interfering with creation of routine backups. (CVE-2013-1901) Fix GiST indexes to not use fuzzy geometric comparisons when it's not appropriate to do so (Alexander Korotkov) The core geometric types perform comparisons using fuzzy equality, but gist_box_same must do exact comparisons, else GiST indexes using it might become inconsistent. After installing this update, users should REINDEX any GiST indexes on box, polygon, circle, or point columns, since all of these use gist_box_same. Fix erroneous range-union and penalty logic in GiST indexes that use contrib/btree_gist for variable-width data types, that is text, bytea, bit, and numeric columns (Tom Lane) These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in useless index bloat. Users are advised to REINDEX such indexes after installing this update. Fix bugs in GiST page splitting code for multi-column indexes (Tom Lane) These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in indexes that are unnecessarily inefficient to search. Users are advised to REINDEX multi-column GiST indexes after installing this update. Fix gist_point_consistent to handle fuzziness consistently (Alexander Korotkov) Index scans on GiST indexes on point columns would sometimes yield results different from a sequential scan, because gist_point_consistent disagreed with the underlying operator code about whether to do comparisons exactly or fuzzily. Fix buffer leak in WAL replay (Heikki Linnakangas) This bug could result in incorrect local pin count errors during replay, making recovery impossible. Fix race condition in DELETE RETURNING (Tom Lane) Under the right circumstances, DELETE RETURNING could attempt to fetch data from a shared buffer that the current process no longer has any pin on. If some other process changed the buffer meanwhile, this would lead to garbage RETURNING output, or even a crash. Fix infinite-loop risk in regular expression compilation (Tom Lane, Don Porter) Fix potential null-pointer dereference in regular expression compilation (Tom Lane) Fix to_char() to use ASCII-only case-folding rules where appropriate (Tom Lane) This fixes misbehavior of some template patterns that should be locale-independent, but mishandled I and i in Turkish locales. Fix unwanted rejection of timestamp 1999-12-31 24:00:00 (Tom Lane) Fix logic error when a single transaction does UNLISTEN then LISTEN (Tom Lane) The session wound up not listening for notify events at all, though it surely should listen in this case. Fix possible planner crash after columns have been added to a view that's depended on by another view (Tom Lane) Remove useless picksplit doesn't support secondary split log messages (Josh Hansen, Tom Lane) This message seems to have been added in expectation of code that was never written, and probably never will be, since GiST's default handling of secondary splits is actually pretty good. So stop nagging end users about it. Fix possible failure to send a session's last few transaction commit/abort counts to the statistics collector (Tom Lane) Eliminate memory leaks in PL/Perl's spi_prepare() function (Alex Hunsaker, Tom Lane) Fix pg_dumpall to handle database names containing = correctly (Heikki Linnakangas) Avoid crash in pg_dump when an incorrect connection string is given (Heikki Linnakangas) Ignore invalid indexes in pg_dump and pg_upgrade (Michael Paquier, Bruce Momjian) Dumping invalid indexes can cause problems at restore time, for example if the reason the index creation failed was because it tried to enforce a uniqueness condition not satisfied by the table's data. Also, if the index creation is in fact still in progress, it seems reasonable to consider it to be an uncommitted DDL change, which pg_dump wouldn't be expected to dump anyway. pg_upgrade now also skips invalid indexes rather than failing. In pg_basebackup, include only the current server version's subdirectory when backing up a tablespace (Heikki Linnakangas) Add a server version check in pg_basebackup and pg_receivexlog, so they fail cleanly with version combinations that won't work (Heikki Linnakangas) Fix contrib/pg_trgm's similarity() function to return zero for trigram-less strings (Tom Lane) Previously it returned NaN due to internal division by zero. Update time zone data files to tzdata release 2013b for DST law changes in Chile, Haiti, Morocco, Paraguay, and some Russian areas. Also, historical zone data corrections for numerous places. Also, update the time zone abbreviation files for recent changes in Russia and elsewhere: CHOT, GET, IRKT, KGT, KRAT, MAGT, MAWT, MSK, NOVT, OMST, TKT, VLAT, WST, YAKT, YEKT now follow their current meanings, and VOLT (Europe/Volgograd) and MIST (Antarctica/Macquarie) are added to the default abbreviations list. 2013-02-07 This release contains a variety of fixes from 9.1.7. For information about new features in the 9.1 major release, see . A dump/restore is not required for those running 9.1.X. However, if you are upgrading from a version earlier than 9.1.6, see . Prevent execution of enum_recv from SQL (Tom Lane) The function was misdeclared, allowing a simple SQL command to crash the server. In principle an attacker might be able to use it to examine the contents of server memory. Our thanks to Sumit Soni (via Secunia SVCRP) for reporting this issue. (CVE-2013-0255) Fix multiple problems in detection of when a consistent database state has been reached during WAL replay (Fujii Masao, Heikki Linnakangas, Simon Riggs, Andres Freund) Update minimum recovery point when truncating a relation file (Heikki Linnakangas) Once data has been discarded, it's no longer safe to stop recovery at an earlier point in the timeline. Fix recycling of WAL segments after changing recovery target timeline (Heikki Linnakangas) Fix missing cancellations in hot standby mode (Noah Misch, Simon Riggs) The need to cancel conflicting hot-standby queries would sometimes be missed, allowing those queries to see inconsistent data. Prevent recovery pause feature from pausing before users can connect (Tom Lane) Fix SQL grammar to allow subscripting or field selection from a sub-SELECT result (Tom Lane) Fix performance problems with autovacuum truncation in busy workloads (Jan Wieck) Truncation of empty pages at the end of a table requires exclusive lock, but autovacuum was coded to fail (and release the table lock) when there are conflicting lock requests. Under load, it is easily possible that truncation would never occur, resulting in table bloat. Fix by performing a partial truncation, releasing the lock, then attempting to re-acquire the lock and continue. This fix also greatly reduces the average time before autovacuum releases the lock after a conflicting request arrives. Protect against race conditions when scanning pg_tablespace (Stephen Frost, Tom Lane) CREATE DATABASE and DROP DATABASE could misbehave if there were concurrent updates of pg_tablespace entries. Prevent DROP OWNED from trying to drop whole databases or tablespaces (Álvaro Herrera) For safety, ownership of these objects must be reassigned, not dropped. Fix error in vacuum_freeze_table_age implementation (Andres Freund) In installations that have existed for more than vacuum_freeze_min_age transactions, this mistake prevented autovacuum from using partial-table scans, so that a full-table scan would always happen instead. Prevent misbehavior when a RowExpr or XmlExpr is parse-analyzed twice (Andres Freund, Tom Lane) This mistake could be user-visible in contexts such as CREATE TABLE LIKE INCLUDING INDEXES. Improve defenses against integer overflow in hashtable sizing calculations (Jeff Davis) Fix failure to ignore leftover temporary tables after a server crash (Tom Lane) Reject out-of-range dates in to_date() (Hitoshi Harada) Fix pg_extension_config_dump() to handle extension-update cases properly (Tom Lane) This function will now replace any existing entry for the target table, making it usable in extension update scripts. Fix PL/Python's handling of functions used as triggers on multiple tables (Andres Freund) Ensure that non-ASCII prompt strings are translated to the correct code page on Windows (Alexander Law, Noah Misch) This bug affected psql and some other client programs. Fix possible crash in psql's \? command when not connected to a database (Meng Qingzhong) Fix possible error if a relation file is removed while pg_basebackup is running (Heikki Linnakangas) Make pg_dump exclude data of unlogged tables when running on a hot-standby server (Magnus Hagander) This would fail anyway because the data is not available on the standby server, so it seems most convenient to assume --no-unlogged-table-data automatically. Fix pg_upgrade to deal with invalid indexes safely (Bruce Momjian) Fix one-byte buffer overrun in libpq's PQprintTuples (Xi Wang) This ancient function is not used anywhere by PostgreSQL itself, but it might still be used by some client code. Make ecpglib use translated messages properly (Chen Huajun) Properly install ecpg_compat and pgtypes libraries on MSVC (Jiang Guiqing) Include our version of isinf() in libecpg if it's not provided by the system (Jiang Guiqing) Rearrange configure's tests for supplied functions so it is not fooled by bogus exports from libedit/libreadline (Christoph Berg) Ensure Windows build number increases over time (Magnus Hagander) Make pgxs build executables with the right .exe suffix when cross-compiling for Windows (Zoltan Boszormenyi) Add new timezone abbreviation FET (Tom Lane) This is now used in some eastern-European time zones. 2012-12-06 This release contains a variety of fixes from 9.1.6. For information about new features in the 9.1 major release, see . A dump/restore is not required for those running 9.1.X. However, if you are upgrading from a version earlier than 9.1.6, see . Fix multiple bugs associated with CREATE INDEX CONCURRENTLY (Andres Freund, Tom Lane) Fix CREATE INDEX CONCURRENTLY to use in-place updates when changing the state of an index's pg_index row. This prevents race conditions that could cause concurrent sessions to miss updating the target index, thus resulting in corrupt concurrently-created indexes. Also, fix various other operations to ensure that they ignore invalid indexes resulting from a failed CREATE INDEX CONCURRENTLY command. The most important of these is VACUUM, because an auto-vacuum could easily be launched on the table before corrective action can be taken to fix or remove the invalid index. Fix buffer locking during WAL replay (Tom Lane) The WAL replay code was insufficiently careful about locking buffers when replaying WAL records that affect more than one page. This could result in hot standby queries transiently seeing inconsistent states, resulting in wrong answers or unexpected failures. Fix an error in WAL generation logic for GIN indexes (Tom Lane) This could result in index corruption, if a torn-page failure occurred. Properly remove startup process's virtual XID lock when promoting a hot standby server to normal running (Simon Riggs) This oversight could prevent subsequent execution of certain operations such as CREATE INDEX CONCURRENTLY. Avoid bogus out-of-sequence timeline ID errors in standby mode (Heikki Linnakangas) Prevent the postmaster from launching new child processes after it's received a shutdown signal (Tom Lane) This mistake could result in shutdown taking longer than it should, or even never completing at all without additional user action. Avoid corruption of internal hash tables when out of memory (Hitoshi Harada) Prevent file descriptors for dropped tables from being held open past transaction end (Tom Lane) This should reduce problems with long-since-dropped tables continuing to occupy disk space. Prevent database-wide crash and restart when a new child process is unable to create a pipe for its latch (Tom Lane) Although the new process must fail, there is no good reason to force a database-wide restart, so avoid that. This improves robustness when the kernel is nearly out of file descriptors. Fix planning of non-strict equivalence clauses above outer joins (Tom Lane) The planner could derive incorrect constraints from a clause equating a non-strict construct to something else, for example WHERE COALESCE(foo, 0) = 0 when foo is coming from the nullable side of an outer join. Fix SELECT DISTINCT with index-optimized MIN/MAX on an inheritance tree (Tom Lane) The planner would fail with failed to re-find MinMaxAggInfo record given this combination of factors. Improve planner's ability to prove exclusion constraints from equivalence classes (Tom Lane) Fix partial-row matching in hashed subplans to handle cross-type cases correctly (Tom Lane) This affects multicolumn NOT IN subplans, such as WHERE (a, b) NOT IN (SELECT x, y FROM ...) when for instance b and y are int4 and int8 respectively. This mistake led to wrong answers or crashes depending on the specific datatypes involved. Acquire buffer lock when re-fetching the old tuple for an AFTER ROW UPDATE/DELETE trigger (Andres Freund) In very unusual circumstances, this oversight could result in passing incorrect data to a trigger WHEN condition, or to the precheck logic for a foreign-key enforcement trigger. That could result in a crash, or in an incorrect decision about whether to fire the trigger. Fix ALTER COLUMN TYPE to handle inherited check constraints properly (Pavan Deolasee) This worked correctly in pre-8.4 releases, and now works correctly in 8.4 and later. Fix ALTER EXTENSION SET SCHEMA's failure to move some subsidiary objects into the new schema (Álvaro Herrera, Dimitri Fontaine) Fix REASSIGN OWNED to handle grants on tablespaces (Álvaro Herrera) Ignore incorrect pg_attribute entries for system columns for views (Tom Lane) Views do not have any system columns. However, we forgot to remove such entries when converting a table to a view. That's fixed properly for 9.3 and later, but in previous branches we need to defend against existing mis-converted views. Fix rule printing to dump INSERT INTO table DEFAULT VALUES correctly (Tom Lane) Guard against stack overflow when there are too many UNION/INTERSECT/EXCEPT clauses in a query (Tom Lane) Prevent platform-dependent failures when dividing the minimum possible integer value by -1 (Xi Wang, Tom Lane) Fix possible access past end of string in date parsing (Hitoshi Harada) Fix failure to advance XID epoch if XID wraparound happens during a checkpoint and wal_level is hot_standby (Tom Lane, Andres Freund) While this mistake had no particular impact on PostgreSQL itself, it was bad for applications that rely on txid_current() and related functions: the TXID value would appear to go backwards. Fix display of pg_stat_replication.sync_state at a page boundary (Kyotaro Horiguchi) Produce an understandable error message if the length of the path name for a Unix-domain socket exceeds the platform-specific limit (Tom Lane, Andrew Dunstan) Formerly, this would result in something quite unhelpful, such as Non-recoverable failure in name resolution. Fix memory leaks when sending composite column values to the client (Tom Lane) Make pg_ctl more robust about reading the postmaster.pid file (Heikki Linnakangas) Fix race conditions and possible file descriptor leakage. Fix possible crash in psql if incorrectly-encoded data is presented and the client_encoding setting is a client-only encoding, such as SJIS (Jiang Guiqing) Make pg_dump dump SEQUENCE SET items in the data not pre-data section of the archive (Tom Lane) This change fixes dumping of sequences that are marked as extension configuration tables. Fix bugs in the restore.sql script emitted by pg_dump in tar output format (Tom Lane) The script would fail outright on tables whose names include upper-case characters. Also, make the script capable of restoring data in --inserts mode as well as the regular COPY mode. Fix pg_restore to accept POSIX-conformant tar files (Brian Weaver, Tom Lane) The original coding of pg_dump's tar output mode produced files that are not fully conformant with the POSIX standard. This has been corrected for version 9.3. This patch updates previous branches so that they will accept both the incorrect and the corrected formats, in hopes of avoiding compatibility problems when 9.3 comes out. Fix tar files emitted by pg_basebackup to be POSIX conformant (Brian Weaver, Tom Lane) Fix pg_resetxlog to locate postmaster.pid correctly when given a relative path to the data directory (Tom Lane) This mistake could lead to pg_resetxlog not noticing that there is an active postmaster using the data directory. Fix libpq's lo_import() and lo_export() functions to report file I/O errors properly (Tom Lane) Fix ecpg's processing of nested structure pointer variables (Muhammad Usama) Fix ecpg's ecpg_get_data function to handle arrays properly (Michael Meskes) Make contrib/pageinspect's btree page inspection functions take buffer locks while examining pages (Tom Lane) Ensure that make install for an extension creates the extension installation directory (Cédric Villemain) Previously, this step was missed if MODULEDIR was set in the extension's Makefile. Fix pgxs support for building loadable modules on AIX (Tom Lane) Building modules outside the original source tree didn't work on AIX. Update time zone data files to tzdata release 2012j for DST law changes in Cuba, Israel, Jordan, Libya, Palestine, Western Samoa, and portions of Brazil. 2012-09-24 This release contains a variety of fixes from 9.1.5. For information about new features in the 9.1 major release, see . A dump/restore is not required for those running 9.1.X. However, you may need to perform REINDEX operations to recover from the effects of the data corruption bug described in the first changelog item below. Also, if you are upgrading from a version earlier than 9.1.4, see . Fix persistence marking of shared buffers during WAL replay (Jeff Davis) This mistake can result in buffers not being written out during checkpoints, resulting in data corruption if the server later crashes without ever having written those buffers. Corruption can occur on any server following crash recovery, but it is significantly more likely to occur on standby slave servers since those perform much more WAL replay. There is a low probability of corruption of btree and GIN indexes. There is a much higher probability of corruption of table visibility maps. Fortunately, visibility maps are non-critical data in 9.1, so the worst consequence of such corruption in 9.1 installations is transient inefficiency of vacuuming. Table data proper cannot be corrupted by this bug. While no index corruption due to this bug is known to have occurred in the field, as a precautionary measure it is recommended that production installations REINDEX all btree and GIN indexes at a convenient time after upgrading to 9.1.6. Also, if you intend to do an in-place upgrade to 9.2.X, before doing so it is recommended to perform a VACUUM of all tables while having vacuum_freeze_table_age set to zero. This will ensure that any lingering wrong data in the visibility maps is corrected before 9.2.X can depend on it. vacuum_cost_delay can be adjusted to reduce the performance impact of vacuuming, while causing it to take longer to finish. Fix planner's assignment of executor parameters, and fix executor's rescan logic for CTE plan nodes (Tom Lane) These errors could result in wrong answers from queries that scan the same WITH subquery multiple times. Fix misbehavior when default_transaction_isolation is set to serializable (Kevin Grittner, Tom Lane, Heikki Linnakangas) Symptoms include crashes at process start on Windows, and crashes in hot standby operation. Improve selectivity estimation for text search queries involving prefixes, i.e. word:* patterns (Tom Lane) Improve page-splitting decisions in GiST indexes (Alexander Korotkov, Robert Haas, Tom Lane) Multi-column GiST indexes might suffer unexpected bloat due to this error. Fix cascading privilege revoke to stop if privileges are still held (Tom Lane) If we revoke a grant option from some role X, but X still holds that option via a grant from someone else, we should not recursively revoke the corresponding privilege from role(s) Y that X had granted it to. Disallow extensions from containing the schema they are assigned to (Thom Brown) This situation creates circular dependencies that confuse pg_dump and probably other things. It's confusing for humans too, so disallow it. Improve error messages for Hot Standby misconfiguration errors (Gurjeet Singh) Make configure probe for mbstowcs_l (Tom Lane) This fixes build failures on some versions of AIX. Fix handling of SIGFPE when PL/Perl is in use (Andres Freund) Perl resets the process's SIGFPE handler to SIG_IGN, which could result in crashes later on. Restore the normal Postgres signal handler after initializing PL/Perl. Prevent PL/Perl from crashing if a recursive PL/Perl function is redefined while being executed (Tom Lane) Work around possible misoptimization in PL/Perl (Tom Lane) Some Linux distributions contain an incorrect version of pthread.h that results in incorrect compiled code in PL/Perl, leading to crashes if a PL/Perl function calls another one that throws an error. Fix bugs in contrib/pg_trgm's LIKE pattern analysis code (Fujii Masao) LIKE queries using a trigram index could produce wrong results if the pattern contained LIKE escape characters. Fix pg_upgrade's handling of line endings on Windows (Andrew Dunstan) Previously, pg_upgrade might add or remove carriage returns in places such as function bodies. On Windows, make pg_upgrade use backslash path separators in the scripts it emits (Andrew Dunstan) Remove unnecessary dependency on pg_config from pg_upgrade (Peter Eisentraut) Update time zone data files to tzdata release 2012f for DST law changes in Fiji 2012-08-17 This release contains a variety of fixes from 9.1.4. For information about new features in the 9.1 major release, see . A dump/restore is not required for those running 9.1.X. However, if you are upgrading from a version earlier than 9.1.4, see . Prevent access to external files/URLs via XML entity references (Noah Misch, Tom Lane) xml_parse() would attempt to fetch external files or URLs as needed to resolve DTD and entity references in an XML value, thus allowing unprivileged database users to attempt to fetch data with the privileges of the database server. While the external data wouldn't get returned directly to the user, portions of it could be exposed in error messages if the data didn't parse as valid XML; and in any case the mere ability to check existence of a file might be useful to an attacker. (CVE-2012-3489) Prevent access to external files/URLs via contrib/xml2's xslt_process() (Peter Eisentraut) libxslt offers the ability to read and write both files and URLs through stylesheet commands, thus allowing unprivileged database users to both read and write data with the privileges of the database server. Disable that through proper use of libxslt's security options. (CVE-2012-3488) Also, remove xslt_process()'s ability to fetch documents and stylesheets from external files/URLs. While this was a documented feature, it was long regarded as a bad idea. The fix for CVE-2012-3489 broke that capability, and rather than expend effort on trying to fix it, we're just going to summarily remove it. Prevent too-early recycling of btree index pages (Noah Misch) When we allowed read-only transactions to skip assigning XIDs, we introduced the possibility that a deleted btree page could be recycled while a read-only transaction was still in flight to it. This would result in incorrect index search results. The probability of such an error occurring in the field seems very low because of the timing requirements, but nonetheless it should be fixed. Fix crash-safety bug with newly-created-or-reset sequences (Tom Lane) If ALTER SEQUENCE was executed on a freshly created or reset sequence, and then precisely one nextval() call was made on it, and then the server crashed, WAL replay would restore the sequence to a state in which it appeared that no nextval() had been done, thus allowing the first sequence value to be returned again by the next nextval() call. In particular this could manifest for serial columns, since creation of a serial column's sequence includes an ALTER SEQUENCE OWNED BY step. Fix race condition in enum-type value comparisons (Robert Haas, Tom Lane) Comparisons could fail when encountering an enum value added since the current query started. Fix txid_current() to report the correct epoch when not in hot standby (Heikki Linnakangas) This fixes a regression introduced in the previous minor release. Prevent selection of unsuitable replication connections as the synchronous standby (Fujii Masao) The master might improperly choose pseudo-servers such as pg_receivexlog or pg_basebackup as the synchronous standby, and then wait indefinitely for them. Fix bug in startup of Hot Standby when a master transaction has many subtransactions (Andres Freund) This mistake led to failures reported as out-of-order XID insertion in KnownAssignedXids. Ensure the backup_label file is fsync'd after pg_start_backup() (Dave Kerr) Fix timeout handling in walsender processes (Tom Lane) WAL sender background processes neglected to establish a SIGALRM handler, meaning they would wait forever in some corner cases where a timeout ought to happen. Wake walsenders after each background flush by walwriter (Andres Freund, Simon Riggs) This greatly reduces replication delay when the workload contains only asynchronously-committed transactions. Fix LISTEN/NOTIFY to cope better with I/O problems, such as out of disk space (Tom Lane) After a write failure, all subsequent attempts to send more NOTIFY messages would fail with messages like Could not read from file "pg_notify/nnnn" at offset nnnnn: Success. Only allow autovacuum to be auto-canceled by a directly blocked process (Tom Lane) The original coding could allow inconsistent behavior in some cases; in particular, an autovacuum could get canceled after less than deadlock_timeout grace period. Improve logging of autovacuum cancels (Robert Haas) Fix log collector so that log_truncate_on_rotation works during the very first log rotation after server start (Tom Lane) Fix WITH attached to a nested set operation (UNION/INTERSECT/EXCEPT) (Tom Lane) Ensure that a whole-row reference to a subquery doesn't include any extra GROUP BY or ORDER BY columns (Tom Lane) Fix dependencies generated during ALTER TABLE ... ADD CONSTRAINT USING INDEX (Tom Lane) This command left behind a redundant pg_depend entry for the index, which could confuse later operations, notably ALTER TABLE ... ALTER COLUMN TYPE on one of the indexed columns. Fix REASSIGN OWNED to work on extensions (Alvaro Herrera) Disallow copying whole-row references in CHECK constraints and index definitions during CREATE TABLE (Tom Lane) This situation can arise in CREATE TABLE with LIKE or INHERITS. The copied whole-row variable was incorrectly labeled with the row type of the original table not the new one. Rejecting the case seems reasonable for LIKE, since the row types might well diverge later. For INHERITS we should ideally allow it, with an implicit coercion to the parent table's row type; but that will require more work than seems safe to back-patch. Fix memory leak in ARRAY(SELECT ...) subqueries (Heikki Linnakangas, Tom Lane) Fix planner to pass correct collation to operator selectivity estimators (Tom Lane) This was not previously required by any core selectivity estimation function, but third-party code might need it. Fix extraction of common prefixes from regular expressions (Tom Lane) The code could get confused by quantified parenthesized subexpressions, such as ^(foo)?bar. This would lead to incorrect index optimization of searches for such patterns. Fix bugs with parsing signed hh:mm and hh:mm:ss fields in interval constants (Amit Kapila, Tom Lane) Fix pg_dump to better handle views containing partial GROUP BY lists (Tom Lane) A view that lists only a primary key column in GROUP BY, but uses other table columns as if they were grouped, gets marked as depending on the primary key. Improper handling of such primary key dependencies in pg_dump resulted in poorly-ordered dumps, which at best would be inefficient to restore and at worst could result in outright failure of a parallel pg_restore run. In PL/Perl, avoid setting UTF8 flag when in SQL_ASCII encoding (Alex Hunsaker, Kyotaro Horiguchi, Alvaro Herrera) Use Postgres' encoding conversion functions, not Python's, when converting a Python Unicode string to the server encoding in PL/Python (Jan Urbanski) This avoids some corner-case problems, notably that Python doesn't support all the encodings Postgres does. A notable functional change is that if the server encoding is SQL_ASCII, you will get the UTF-8 representation of the string; formerly, any non-ASCII characters in the string would result in an error. Fix mapping of PostgreSQL encodings to Python encodings in PL/Python (Jan Urbanski) Report errors properly in contrib/xml2's xslt_process() (Tom Lane) Update time zone data files to tzdata release 2012e for DST law changes in Morocco and Tokelau 2012-06-04 This release contains a variety of fixes from 9.1.3. For information about new features in the 9.1 major release, see . A dump/restore is not required for those running 9.1.X. However, if you use the citext data type, and you upgraded from a previous major release by running pg_upgrade, you should run CREATE EXTENSION citext FROM unpackaged to avoid collation-related failures in citext operations. The same is necessary if you restore a dump from a pre-9.1 database that contains an instance of the citext data type. If you've already run the CREATE EXTENSION command before upgrading to 9.1.4, you will instead need to do manual catalog updates as explained in the third changelog item below. Also, if you are upgrading from a version earlier than 9.1.2, see . Fix incorrect password transformation in contrib/pgcrypto's DES crypt() function (Solar Designer) If a password string contained the byte value 0x80, the remainder of the password was ignored, causing the password to be much weaker than it appeared. With this fix, the rest of the string is properly included in the DES hash. Any stored password values that are affected by this bug will thus no longer match, so the stored values may need to be updated. (CVE-2012-2143) Ignore SECURITY DEFINER and SET attributes for a procedural language's call handler (Tom Lane) Applying such attributes to a call handler could crash the server. (CVE-2012-2655) Make contrib/citext's upgrade script fix collations of citext arrays and domains over citext (Tom Lane) Release 9.1.2 provided a fix for collations of citext columns and indexes in databases upgraded or reloaded from pre-9.1 installations, but that fix was incomplete: it neglected to handle arrays and domains over citext. This release extends the module's upgrade script to handle these cases. As before, if you have already run the upgrade script, you'll need to run the collation update commands by hand instead. See the 9.1.2 release notes for more information about doing this. Allow numeric timezone offsets in timestamp input to be up to 16 hours away from UTC (Tom Lane) Some historical time zones have offsets larger than 15 hours, the previous limit. This could result in dumped data values being rejected during reload. Fix timestamp conversion to cope when the given time is exactly the last DST transition time for the current timezone (Tom Lane) This oversight has been there a long time, but was not noticed previously because most DST-using zones are presumed to have an indefinite sequence of future DST transitions. Fix text to name and char to name casts to perform string truncation correctly in multibyte encodings (Karl Schnaitter) Fix memory copying bug in to_tsquery() (Heikki Linnakangas) Ensure txid_current() reports the correct epoch when executed in hot standby (Simon Riggs) Fix planner's handling of outer PlaceHolderVars within subqueries (Tom Lane) This bug concerns sub-SELECTs that reference variables coming from the nullable side of an outer join of the surrounding query. In 9.1, queries affected by this bug would fail with ERROR: Upper-level PlaceHolderVar found where not expected. But in 9.0 and 8.4, you'd silently get possibly-wrong answers, since the value transmitted into the subquery wouldn't go to null when it should. Fix planning of UNION ALL subqueries with output columns that are not simple variables (Tom Lane) Planning of such cases got noticeably worse in 9.1 as a result of a misguided fix for MergeAppend child's targetlist doesn't match MergeAppend errors. Revert that fix and do it another way. Fix slow session startup when pg_attribute is very large (Tom Lane) If pg_attribute exceeds one-fourth of shared_buffers, cache rebuilding code that is sometimes needed during session start would trigger the synchronized-scan logic, causing it to take many times longer than normal. The problem was particularly acute if many new sessions were starting at once. Ensure sequential scans check for query cancel reasonably often (Merlin Moncure) A scan encountering many consecutive pages that contain no live tuples would not respond to interrupts meanwhile. Ensure the Windows implementation of PGSemaphoreLock() clears ImmediateInterruptOK before returning (Tom Lane) This oversight meant that a query-cancel interrupt received later in the same query could be accepted at an unsafe time, with unpredictable but not good consequences. Show whole-row variables safely when printing views or rules (Abbas Butt, Tom Lane) Corner cases involving ambiguous names (that is, the name could be either a table or column name of the query) were printed in an ambiguous way, risking that the view or rule would be interpreted differently after dump and reload. Avoid the ambiguous case by attaching a no-op cast. Fix COPY FROM to properly handle null marker strings that correspond to invalid encoding (Tom Lane) A null marker string such as E'\\0' should work, and did work in the past, but the case got broken in 8.4. Fix EXPLAIN VERBOSE for writable CTEs containing RETURNING clauses (Tom Lane) Fix PREPARE TRANSACTION to work correctly in the presence of advisory locks (Tom Lane) Historically, PREPARE TRANSACTION has simply ignored any session-level advisory locks the session holds, but this case was accidentally broken in 9.1. Fix truncation of unlogged tables (Robert Haas) Ignore missing schemas during non-interactive assignments of search_path (Tom Lane) This re-aligns 9.1's behavior with that of older branches. Previously 9.1 would throw an error for nonexistent schemas mentioned in search_path settings obtained from places such as ALTER DATABASE SET. Fix bugs with temporary or transient tables used in extension scripts (Tom Lane) This includes cases such as a rewriting ALTER TABLE within an extension update script, since that uses a transient table behind the scenes. Ensure autovacuum worker processes perform stack depth checking properly (Heikki Linnakangas) Previously, infinite recursion in a function invoked by auto-ANALYZE could crash worker processes. Fix logging collector to not lose log coherency under high load (Andrew Dunstan) The collector previously could fail to reassemble large messages if it got too busy. Fix logging collector to ensure it will restart file rotation after receiving SIGHUP (Tom Lane) Fix too many LWLocks taken failure in GiST indexes (Heikki Linnakangas) Fix WAL replay logic for GIN indexes to not fail if the index was subsequently dropped (Tom Lane) Correctly detect SSI conflicts of prepared transactions after a crash (Dan Ports) Avoid synchronous replication delay when committing a transaction that only modified temporary tables (Heikki Linnakangas) In such a case the transaction's commit record need not be flushed to standby servers, but some of the code didn't know that and waited for it to happen anyway. Fix error handling in pg_basebackup (Thomas Ogrisegg, Fujii Masao) Fix walsender to not go into a busy loop if connection is terminated (Fujii Masao) Fix memory leak in PL/pgSQL's RETURN NEXT command (Joe Conway) Fix PL/pgSQL's GET DIAGNOSTICS command when the target is the function's first variable (Tom Lane) Ensure that PL/Perl package-qualifies the _TD variable (Alex Hunsaker) This bug caused trigger invocations to fail when they are nested within a function invocation that changes the current package. Fix PL/Python functions returning composite types to accept a string for their result value (Jan Urbanski) This case was accidentally broken by the 9.1 additions to allow a composite result value to be supplied in other formats, such as dictionaries. Fix potential access off the end of memory in psql's expanded display (\x) mode (Peter Eisentraut) Fix several performance problems in pg_dump when the database contains many objects (Jeff Janes, Tom Lane) pg_dump could get very slow if the database contained many schemas, or if many objects are in dependency loops, or if there are many owned sequences. Fix memory and file descriptor leaks in pg_restore when reading a directory-format archive (Peter Eisentraut) Fix pg_upgrade for the case that a database stored in a non-default tablespace contains a table in the cluster's default tablespace (Bruce Momjian) In ecpg, fix rare memory leaks and possible overwrite of one byte after the sqlca_t structure (Peter Eisentraut) Fix contrib/dblink's dblink_exec() to not leak temporary database connections upon error (Tom Lane) Fix contrib/dblink to report the correct connection name in error messages (Kyotaro Horiguchi) Fix contrib/vacuumlo to use multiple transactions when dropping many large objects (Tim Lewis, Robert Haas, Tom Lane) This change avoids exceeding max_locks_per_transaction when many objects need to be dropped. The behavior can be adjusted with the new -l (limit) option. Update time zone data files to tzdata release 2012c for DST law changes in Antarctica, Armenia, Chile, Cuba, Falkland Islands, Gaza, Haiti, Hebron, Morocco, Syria, and Tokelau Islands; also historical corrections for Canada. 2012-02-27 This release contains a variety of fixes from 9.1.2. For information about new features in the 9.1 major release, see . A dump/restore is not required for those running 9.1.X. However, if you are upgrading from a version earlier than 9.1.2, see . Require execute permission on the trigger function for CREATE TRIGGER (Robert Haas) This missing check could allow another user to execute a trigger function with forged input data, by installing it on a table he owns. This is only of significance for trigger functions marked SECURITY DEFINER, since otherwise trigger functions run as the table owner anyway. (CVE-2012-0866) Remove arbitrary limitation on length of common name in SSL certificates (Heikki Linnakangas) Both libpq and the server truncated the common name extracted from an SSL certificate at 32 bytes. Normally this would cause nothing worse than an unexpected verification failure, but there are some rather-implausible scenarios in which it might allow one certificate holder to impersonate another. The victim would have to have a common name exactly 32 bytes long, and the attacker would have to persuade a trusted CA to issue a certificate in which the common name has that string as a prefix. Impersonating a server would also require some additional exploit to redirect client connections. (CVE-2012-0867) Convert newlines to spaces in names written in pg_dump comments (Robert Haas) pg_dump was incautious about sanitizing object names that are emitted within SQL comments in its output script. A name containing a newline would at least render the script syntactically incorrect. Maliciously crafted object names could present a SQL injection risk when the script is reloaded. (CVE-2012-0868) Fix btree index corruption from insertions concurrent with vacuuming (Tom Lane) An index page split caused by an insertion could sometimes cause a concurrently-running VACUUM to miss removing index entries that it should remove. After the corresponding table rows are removed, the dangling index entries would cause errors (such as could not read block N in file ...) or worse, silently wrong query results after unrelated rows are re-inserted at the now-free table locations. This bug has been present since release 8.2, but occurs so infrequently that it was not diagnosed until now. If you have reason to suspect that it has happened in your database, reindexing the affected index will fix things. Fix transient zeroing of shared buffers during WAL replay (Tom Lane) The replay logic would sometimes zero and refill a shared buffer, so that the contents were transiently invalid. In hot standby mode this can result in a query that's executing in parallel seeing garbage data. Various symptoms could result from that, but the most common one seems to be invalid memory alloc request size. Fix handling of data-modifying WITH subplans in READ COMMITTED rechecking (Tom Lane) A WITH clause containing INSERT/UPDATE/DELETE would crash if the parent UPDATE or DELETE command needed to be re-evaluated at one or more rows due to concurrent updates in READ COMMITTED mode. Fix corner case in SSI transaction cleanup (Dan Ports) When finishing up a read-write serializable transaction, a crash could occur if all remaining active serializable transactions are read-only. Fix postmaster to attempt restart after a hot-standby crash (Tom Lane) A logic error caused the postmaster to terminate, rather than attempt to restart the cluster, if any backend process crashed while operating in hot standby mode. Fix CLUSTER/VACUUM FULL handling of toast values owned by recently-updated rows (Tom Lane) This oversight could lead to duplicate key value violates unique constraint errors being reported against the toast table's index during one of these commands. Update per-column permissions, not only per-table permissions, when changing table owner (Tom Lane) Failure to do this meant that any previously granted column permissions were still shown as having been granted by the old owner. This meant that neither the new owner nor a superuser could revoke the now-untraceable-to-table-owner permissions. Support foreign data wrappers and foreign servers in REASSIGN OWNED (Alvaro Herrera) This command failed with unexpected classid errors if it needed to change the ownership of any such objects. Allow non-existent values for some settings in ALTER USER/DATABASE SET (Heikki Linnakangas) Allow default_text_search_config, default_tablespace, and temp_tablespaces to be set to names that are not known. This is because they might be known in another database where the setting is intended to be used, or for the tablespace cases because the tablespace might not be created yet. The same issue was previously recognized for search_path, and these settings now act like that one. Fix unsupported node type error caused by COLLATE in an INSERT expression (Tom Lane) Avoid crashing when we have problems deleting table files post-commit (Tom Lane) Dropping a table should lead to deleting the underlying disk files only after the transaction commits. In event of failure then (for instance, because of wrong file permissions) the code is supposed to just emit a warning message and go on, since it's too late to abort the transaction. This logic got broken as of release 8.4, causing such situations to result in a PANIC and an unrestartable database. Recover from errors occurring during WAL replay of DROP TABLESPACE (Tom Lane) Replay will attempt to remove the tablespace's directories, but there are various reasons why this might fail (for example, incorrect ownership or permissions on those directories). Formerly the replay code would panic, rendering the database unrestartable without manual intervention. It seems better to log the problem and continue, since the only consequence of failure to remove the directories is some wasted disk space. Fix race condition in logging AccessExclusiveLocks for hot standby (Simon Riggs) Sometimes a lock would be logged as being held by transaction zero. This is at least known to produce assertion failures on slave servers, and might be the cause of more serious problems. Track the OID counter correctly during WAL replay, even when it wraps around (Tom Lane) Previously the OID counter would remain stuck at a high value until the system exited replay mode. The practical consequences of that are usually nil, but there are scenarios wherein a standby server that's been promoted to master might take a long time to advance the OID counter to a reasonable value once values are needed. Prevent emitting misleading consistent recovery state reached log message at the beginning of crash recovery (Heikki Linnakangas) Fix initial value of pg_stat_replication.replay_location (Fujii Masao) Previously, the value shown would be wrong until at least one WAL record had been replayed. Fix regular expression back-references with * attached (Tom Lane) Rather than enforcing an exact string match, the code would effectively accept any string that satisfies the pattern sub-expression referenced by the back-reference symbol. A similar problem still afflicts back-references that are embedded in a larger quantified expression, rather than being the immediate subject of the quantifier. This will be addressed in a future PostgreSQL release. Fix recently-introduced memory leak in processing of inet/cidr values (Heikki Linnakangas) A patch in the December 2011 releases of PostgreSQL caused memory leakage in these operations, which could be significant in scenarios such as building a btree index on such a column. Fix planner's ability to push down index-expression restrictions through UNION ALL (Tom Lane) This type of optimization was inadvertently disabled by a fix for another problem in 9.1.2. Fix planning of WITH clauses referenced in UPDATE/DELETE on an inherited table (Tom Lane) This bug led to could not find plan for CTE failures. Fix GIN cost estimation to handle column IN (...) index conditions (Marti Raudsepp) This oversight would usually lead to crashes if such a condition could be used with a GIN index. Prevent assertion failure when exiting a session with an open, failed transaction (Tom Lane) This bug has no impact on normal builds with asserts not enabled. Fix dangling pointer after CREATE TABLE AS/SELECT INTO in a SQL-language function (Tom Lane) In most cases this only led to an assertion failure in assert-enabled builds, but worse consequences seem possible. Avoid double close of file handle in syslogger on Windows (MauMau) Ordinarily this error was invisible, but it would cause an exception when running on a debug version of Windows. Fix I/O-conversion-related memory leaks in plpgsql (Andres Freund, Jan Urbanski, Tom Lane) Certain operations would leak memory until the end of the current function. Work around bug in perl's SvPVutf8() function (Andrew Dunstan) This function crashes when handed a typeglob or certain read-only objects such as $^V. Make plperl avoid passing those to it. In pg_dump, don't dump contents of an extension's configuration tables if the extension itself is not being dumped (Tom Lane) Improve pg_dump's handling of inherited table columns (Tom Lane) pg_dump mishandled situations where a child column has a different default expression than its parent column. If the default is textually identical to the parent's default, but not actually the same (for instance, because of schema search path differences) it would not be recognized as different, so that after dump and restore the child would be allowed to inherit the parent's default. Child columns that are NOT NULL where their parent is not could also be restored subtly incorrectly. Fix pg_restore's direct-to-database mode for INSERT-style table data (Tom Lane) Direct-to-database restores from archive files made with --inserts or --column-inserts options fail when using pg_restore from a release dated September or December 2011, as a result of an oversight in a fix for another problem. The archive file itself is not at fault, and text-mode output is okay. Teach pg_upgrade to handle renaming of plpython's shared library (Bruce Momjian) Upgrading a pre-9.1 database that included plpython would fail because of this oversight. Allow pg_upgrade to process tables containing regclass columns (Bruce Momjian) Since pg_upgrade now takes care to preserve pg_class OIDs, there was no longer any reason for this restriction. Make libpq ignore ENOTDIR errors when looking for an SSL client certificate file (Magnus Hagander) This allows SSL connections to be established, though without a certificate, even when the user's home directory is set to something like /dev/null. Fix some more field alignment issues in ecpg's SQLDA area (Zoltan Boszormenyi) Allow AT option in ecpg DEALLOCATE statements (Michael Meskes) The infrastructure to support this has been there for awhile, but through an oversight there was still an error check rejecting the case. Do not use the variable name when defining a varchar structure in ecpg (Michael Meskes) Fix contrib/auto_explain's JSON output mode to produce valid JSON (Andrew Dunstan) The output used brackets at the top level, when it should have used braces. Fix error in contrib/intarray's int[] & int[] operator (Guillaume Lelarge) If the smallest integer the two input arrays have in common is 1, and there are smaller values in either array, then 1 would be incorrectly omitted from the result. Fix error detection in contrib/pgcrypto's encrypt_iv() and decrypt_iv() (Marko Kreen) These functions failed to report certain types of invalid-input errors, and would instead return random garbage values for incorrect input. Fix one-byte buffer overrun in contrib/test_parser (Paul Guyot) The code would try to read one more byte than it should, which would crash in corner cases. Since contrib/test_parser is only example code, this is not a security issue in itself, but bad example code is still bad. Use __sync_lock_test_and_set() for spinlocks on ARM, if available (Martin Pitt) This function replaces our previous use of the SWPB instruction, which is deprecated and not available on ARMv6 and later. Reports suggest that the old code doesn't fail in an obvious way on recent ARM boards, but simply doesn't interlock concurrent accesses, leading to bizarre failures in multiprocess operation. Use -fexcess-precision=standard option when building with gcc versions that accept it (Andrew Dunstan) This prevents assorted scenarios wherein recent versions of gcc will produce creative results. Allow use of threaded Python on FreeBSD (Chris Rees) Our configure script previously believed that this combination wouldn't work; but FreeBSD fixed the problem, so remove that error check. Allow MinGW builds to use standardly-named OpenSSL libraries (Tomasz Ostrowski) 2011-12-05 This release contains a variety of fixes from 9.1.1. For information about new features in the 9.1 major release, see . A dump/restore is not required for those running 9.1.X. However, a longstanding error was discovered in the definition of the information_schema.referential_constraints view. If you rely on correct results from that view, you should replace its definition as explained in the first changelog item below. Also, if you use the citext data type, and you upgraded from a previous major release by running pg_upgrade, you should run CREATE EXTENSION citext FROM unpackaged to avoid collation-related failures in citext operations. The same is necessary if you restore a dump from a pre-9.1 database that contains an instance of the citext data type. If you've already run the CREATE EXTENSION command before upgrading to 9.1.2, you will instead need to do manual catalog updates as explained in the second changelog item. Fix bugs in information_schema.referential_constraints view (Tom Lane) This view was being insufficiently careful about matching the foreign-key constraint to the depended-on primary or unique key constraint. That could result in failure to show a foreign key constraint at all, or showing it multiple times, or claiming that it depends on a different constraint than the one it really does. Since the view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can (as a superuser) drop the information_schema schema then re-create it by sourcing SHAREDIR/information_schema.sql. (Run pg_config --sharedir if you're uncertain where SHAREDIR is.) This must be repeated in each database to be fixed. Make contrib/citext's upgrade script fix collations of citext columns and indexes (Tom Lane) Existing citext columns and indexes aren't correctly marked as being of a collatable data type during pg_upgrade from a pre-9.1 server, or when a pre-9.1 dump containing the citext type is loaded into a 9.1 server. That leads to operations on these columns failing with errors such as could not determine which collation to use for string comparison. This change allows them to be fixed by the same script that upgrades the citext module into a proper 9.1 extension during CREATE EXTENSION citext FROM unpackaged. If you have a previously-upgraded database that is suffering from this problem, and you already ran the CREATE EXTENSION command, you can manually run (as superuser) the UPDATE commands found at the end of SHAREDIR/extension/citext--unpackaged--1.0.sql. (Run pg_config --sharedir if you're uncertain where SHAREDIR is.) There is no harm in doing this again if unsure. Fix possible crash during UPDATE or DELETE that joins to the output of a scalar-returning function (Tom Lane) A crash could only occur if the target row had been concurrently updated, so this problem surfaced only intermittently. Fix incorrect replay of WAL records for GIN index updates (Tom Lane) This could result in transiently failing to find index entries after a crash, or on a hot-standby server. The problem would be repaired by the next VACUUM of the index, however. Fix TOAST-related data corruption during CREATE TABLE dest AS SELECT * FROM src or INSERT INTO dest SELECT * FROM src (Tom Lane) If a table has been modified by ALTER TABLE ADD COLUMN, attempts to copy its data verbatim to another table could produce corrupt results in certain corner cases. The problem can only manifest in this precise form in 8.4 and later, but we patched earlier versions as well in case there are other code paths that could trigger the same bug. Fix possible failures during hot standby startup (Simon Riggs) Start hot standby faster when initial snapshot is incomplete (Simon Riggs) Fix race condition during toast table access from stale syscache entries (Tom Lane) The typical symptom was transient errors like missing chunk number 0 for toast value NNNNN in pg_toast_2619, where the cited toast table would always belong to a system catalog. Track dependencies of functions on items used in parameter default expressions (Tom Lane) Previously, a referenced object could be dropped without having dropped or modified the function, leading to misbehavior when the function was used. Note that merely installing this update will not fix the missing dependency entries; to do that, you'd need to CREATE OR REPLACE each such function afterwards. If you have functions whose defaults depend on non-built-in objects, doing so is recommended. Fix incorrect management of placeholder variables in nestloop joins (Tom Lane) This bug is known to lead to variable not found in subplan target list planner errors, and could possibly result in wrong query output when outer joins are involved. Fix window functions that sort by expressions involving aggregates (Tom Lane) Previously these could fail with could not find pathkey item to sort planner errors. Fix MergeAppend child's targetlist doesn't match MergeAppend planner errors (Tom Lane) Fix index matching for operators with both collatable and noncollatable inputs (Tom Lane) In 9.1.0, an indexable operator that has a non-collatable left-hand input type and a collatable right-hand input type would not be recognized as matching the left-hand column's index. An example is the hstore ? text operator. Allow inlining of set-returning SQL functions with multiple OUT parameters (Tom Lane) Don't trust deferred-unique indexes for join removal (Tom Lane and Marti Raudsepp) A deferred uniqueness constraint might not hold intra-transaction, so assuming that it does could give incorrect query results. Make DatumGetInetP() unpack inet datums that have a 1-byte header, and add a new macro, DatumGetInetPP(), that does not (Heikki Linnakangas) This change affects no core code, but might prevent crashes in add-on code that expects DatumGetInetP() to produce an unpacked datum as per usual convention. Improve locale support in money type's input and output (Tom Lane) Aside from not supporting all standard lc_monetary formatting options, the input and output functions were inconsistent, meaning there were locales in which dumped money values could not be re-read. Don't let transform_null_equals affect CASE foo WHEN NULL ... constructs (Heikki Linnakangas) transform_null_equals is only supposed to affect foo = NULL expressions written directly by the user, not equality checks generated internally by this form of CASE. Change foreign-key trigger creation order to better support self-referential foreign keys (Tom Lane) For a cascading foreign key that references its own table, a row update will fire both the ON UPDATE trigger and the CHECK trigger as one event. The ON UPDATE trigger must execute first, else the CHECK will check a non-final state of the row and possibly throw an inappropriate error. However, the firing order of these triggers is determined by their names, which generally sort in creation order since the triggers have auto-generated names following the convention RI_ConstraintTrigger_NNNN. A proper fix would require modifying that convention, which we will do in 9.2, but it seems risky to change it in existing releases. So this patch just changes the creation order of the triggers. Users encountering this type of error should drop and re-create the foreign key constraint to get its triggers into the right order. Fix IF EXISTS to work correctly in DROP OPERATOR FAMILY (Robert Haas) Disallow dropping of an extension from within its own script (Tom Lane) This prevents odd behavior in case of incorrect management of extension dependencies. Don't mark auto-generated types as extension members (Robert Haas) Relation rowtypes and automatically-generated array types do not need to have their own extension membership entries in pg_depend, and creating such entries complicates matters for extension upgrades. Cope with invalid pre-existing search_path settings during CREATE EXTENSION (Tom Lane) Avoid floating-point underflow while tracking buffer allocation rate (Greg Matthews) While harmless in itself, on certain platforms this would result in annoying kernel log messages. Prevent autovacuum transactions from running in serializable mode (Tom Lane) Autovacuum formerly used the cluster-wide default transaction isolation level, but there is no need for it to use anything higher than READ COMMITTED, and using SERIALIZABLE could result in unnecessary delays for other processes. Ensure walsender processes respond promptly to SIGTERM (Magnus Hagander) Exclude postmaster.opts from base backups (Magnus Hagander) Preserve configuration file name and line number values when starting child processes under Windows (Tom Lane) Formerly, these would not be displayed correctly in the pg_settings view. Fix incorrect field alignment in ecpg's SQLDA area (Zoltan Boszormenyi) Preserve blank lines within commands in psql's command history (Robert Haas) The former behavior could cause problems if an empty line was removed from within a string literal, for example. Avoid platform-specific infinite loop in pg_dump (Steve Singer) Fix compression of plain-text output format in pg_dump (Adrian Klaver and Tom Lane) pg_dump has historically understood -Z with no -F switch to mean that it should emit a gzip-compressed version of its plain text output. Restore that behavior. Fix pg_dump to dump user-defined casts between auto-generated types, such as table rowtypes (Tom Lane) Fix missed quoting of foreign server names in pg_dump (Tom Lane) Assorted fixes for pg_upgrade (Bruce Momjian) Handle exclusion constraints correctly, avoid failures on Windows, don't complain about mismatched toast table names in 8.4 databases. In PL/pgSQL, allow foreign tables to define row types (Alexander Soudakov) Fix up conversions of PL/Perl functions' results (Alex Hunsaker and Tom Lane) Restore the pre-9.1 behavior that PL/Perl functions returning void ignore the result value of their last Perl statement; 9.1.0 would throw an error if that statement returned a reference. Also, make sure it works to return a string value for a composite type, so long as the string meets the type's input format. In addition, throw errors for attempts to return Perl arrays or hashes when the function's declared result type is not an array or composite type, respectively. (Pre-9.1 versions rather uselessly returned strings like ARRAY(0x221a9a0) or HASH(0x221aa90) in such cases.) Ensure PL/Perl strings are always correctly UTF8-encoded (Amit Khandekar and Alex Hunsaker) Use the preferred version of xsubpp to build PL/Perl, not necessarily the operating system's main copy (David Wheeler and Alex Hunsaker) Correctly propagate SQLSTATE in PL/Python exceptions (Mika Eloranta and Jan Urbanski) Do not install PL/Python extension files for Python major versions other than the one built against (Peter Eisentraut) Change all the contrib extension script files to report a useful error message if they are fed to psql (Andrew Dunstan and Tom Lane) This should help teach people about the new method of using CREATE EXTENSION to load these files. In most cases, sourcing the scripts directly would fail anyway, but with harder-to-interpret messages. Fix incorrect coding in contrib/dict_int and contrib/dict_xsyn (Tom Lane) Some functions incorrectly assumed that memory returned by palloc() is guaranteed zeroed. Remove contrib/sepgsql tests from the regular regression test mechanism (Tom Lane) Since these tests require root privileges for setup, they're impractical to run automatically. Switch over to a manual approach instead, and provide a testing script to help with that. Fix assorted errors in contrib/unaccent's configuration file parsing (Tom Lane) Honor query cancel interrupts promptly in pgstatindex() (Robert Haas) Fix incorrect quoting of log file name in Mac OS X start script (Sidar Lopez) Revert unintentional enabling of WAL_DEBUG (Robert Haas) Fortunately, as debugging tools go, this one is pretty cheap; but it's not intended to be enabled by default, so revert. Ensure VPATH builds properly install all server header files (Peter Eisentraut) Shorten file names reported in verbose error messages (Peter Eisentraut) Regular builds have always reported just the name of the C file containing the error message call, but VPATH builds formerly reported an absolute path name. Fix interpretation of Windows timezone names for Central America (Tom Lane) Map Central America Standard Time to CST6, not CST6CDT, because DST is generally not observed anywhere in Central America. Update time zone data files to tzdata release 2011n for DST law changes in Brazil, Cuba, Fiji, Palestine, Russia, and Samoa; also historical corrections for Alaska and British East Africa. 2011-09-26 This release contains a small number of fixes from 9.1.0. For information about new features in the 9.1 major release, see . A dump/restore is not required for those running 9.1.X. Make pg_options_to_table return NULL for an option with no value (Tom Lane) Previously such cases would result in a server crash. Fix memory leak at end of a GiST index scan (Tom Lane) Commands that perform many separate GiST index scans, such as verification of a new GiST-based exclusion constraint on a table already containing many rows, could transiently require large amounts of memory due to this leak. Fix explicit reference to pg_temp schema in CREATE TEMPORARY TABLE (Robert Haas) This used to be allowed, but failed in 9.1.0. 2011-09-12 This release shows PostgreSQL moving beyond the traditional relational-database feature set with new, ground-breaking functionality that is unique to PostgreSQL. The streaming replication feature introduced in release 9.0 is significantly enhanced by adding a synchronous-replication option, streaming backups, and monitoring improvements. Major enhancements include: Allow synchronous replication Add support for foreign tables Add per-column collation support Add extensions which simplify packaging of additions to PostgreSQL Add a true serializable isolation level Support unlogged tables using the UNLOGGED option in CREATE TABLE Allow data-modification commands (INSERT/UPDATE/DELETE) in WITH clauses Add nearest-neighbor (order-by-operator) searching to GiST indexes Add a SECURITY LABEL command and support for SELinux permissions control Update the PL/Python server-side language The above items are explained in more detail in the sections below. A dump/restore using pg_dump, or use of pg_upgrade, is required for those wishing to migrate data from any previous release. Version 9.1 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities: Change the default value of standard_conforming_strings to on (Robert Haas) By default, backslashes are now ordinary characters in string literals, not escape characters. This change removes a long-standing incompatibility with the SQL standard. escape_string_warning has produced warnings about this usage for years. E'' strings are the proper way to embed backslash escapes in strings and are unaffected by this change. This change can break applications that are not expecting it and do their own string escaping according to the old rules. The consequences could be as severe as introducing SQL-injection security holes. Be sure to test applications that are exposed to untrusted input, to ensure that they correctly handle single quotes and backslashes in text strings. Disallow function-style and attribute-style data type casts for composite types (Tom Lane) For example, disallow composite_value.text and text(composite_value). Unintentional uses of this syntax have frequently resulted in bug reports; although it was not a bug, it seems better to go back to rejecting such expressions. The CAST and :: syntaxes are still available for use when a cast of an entire composite value is actually intended. Tighten casting checks for domains based on arrays (Tom Lane) When a domain is based on an array type, it is allowed to look through the domain type to access the array elements, including subscripting the domain value to fetch or assign an element. Assignment to an element of such a domain value, for instance via UPDATE ... SET domaincol[5] = ..., will now result in rechecking the domain type's constraints, whereas before the checks were skipped. Change string_to_array() to return an empty array for a zero-length string (Pavel Stehule) Previously this returned a null value. Change string_to_array() so a NULL separator splits the string into characters (Pavel Stehule) Previously this returned a null value. Fix improper checks for before/after triggers (Tom Lane) Triggers can now be fired in three cases: BEFORE, AFTER, or INSTEAD OF some action. Trigger function authors should verify that their logic behaves sanely in all three cases. Require superuser or CREATEROLE permissions in order to set comments on roles (Tom Lane) Change pg_last_xlog_receive_location() so it never moves backwards (Fujii Masao) Previously, the value of pg_last_xlog_receive_location() could move backward when streaming replication is restarted. Have logging of replication connections honor log_connections (Magnus Hagander) Previously, replication connections were always logged. Change PL/pgSQL's RAISE command without parameters to be catchable by the attached exception block (Piyush Newe) Previously RAISE in a code block was always scoped to an attached exception block, so it was uncatchable at the same scope. Adjust PL/pgSQL's error line numbering code to be consistent with other PLs (Pavel Stehule) Previously, PL/pgSQL would ignore (not count) an empty line at the start of the function body. Since this was inconsistent with all other languages, the special case was removed. Make PL/pgSQL complain about conflicting IN and OUT parameter names (Tom Lane) Formerly, the collision was not detected, and the name would just silently refer to only the OUT parameter. Type modifiers of PL/pgSQL variables are now visible to the SQL parser (Tom Lane) A type modifier (such as a varchar length limit) attached to a PL/pgSQL variable was formerly enforced during assignments, but was ignored for all other purposes. Such variables will now behave more like table columns declared with the same modifier. This is not expected to make any visible difference in most cases, but it could result in subtle changes for some SQL commands issued by PL/pgSQL functions. All contrib modules are now installed with CREATE EXTENSION rather than by manually invoking their SQL scripts (Dimitri Fontaine, Tom Lane) To update an existing database containing the 9.0 version of a contrib module, use CREATE EXTENSION ... FROM unpackaged to wrap the existing contrib module's objects into an extension. When updating from a pre-9.0 version, drop the contrib module's objects using its old uninstall script, then use CREATE EXTENSION. Make pg_stat_reset() reset all database-level statistics (Tomas Vondra) Some pg_stat_database counters were not being reset. Fix some information_schema.triggers column names to match the new SQL-standard names (Dean Rasheed) Treat ECPG cursor names as case-insensitive (Zoltan Boszormenyi) Below you will find a detailed account of the changes between PostgreSQL 9.1 and the previous major release. Support unlogged tables using the UNLOGGED option in CREATE TABLE (Robert Haas) Such tables provide better update performance than regular tables, but are not crash-safe: their contents are automatically cleared in case of a server crash. Their contents do not propagate to replication slaves, either. Allow FULL OUTER JOIN to be implemented as a hash join, and allow either side of a LEFT OUTER JOIN or RIGHT OUTER JOIN to be hashed (Tom Lane) Previously FULL OUTER JOIN could only be implemented as a merge join, and LEFT OUTER JOIN and RIGHT OUTER JOIN could hash only the nullable side of the join. These changes provide additional query optimization possibilities. Merge duplicate fsync requests (Robert Haas, Greg Smith) This greatly improves performance under heavy write loads. Improve performance of commit_siblings (Greg Smith) This allows the use of commit_siblings with less overhead. Reduce the memory requirement for large ispell dictionaries (Pavel Stehule, Tom Lane) Avoid leaving data files open after blind writes (Alvaro Herrera) This fixes scenarios in which backends might hold files open long after they were deleted, preventing the kernel from reclaiming disk space. Allow inheritance table scans to return meaningfully-sorted results (Greg Stark, Hans-Jurgen Schonig, Robert Haas, Tom Lane) This allows better optimization of queries that use ORDER BY, LIMIT, or MIN/MAX with inherited tables. Improve GIN index scan cost estimation (Teodor Sigaev) Improve cost estimation for aggregates and window functions (Tom Lane) Support host names and host suffixes (e.g. .example.com) in pg_hba.conf (Peter Eisentraut) Previously only host IP addresses and CIDR values were supported. Support the key word all in the host column of pg_hba.conf (Peter Eisentraut) Previously people used 0.0.0.0/0 or ::/0 for this. Reject local lines in pg_hba.conf on platforms that don't support Unix-socket connections (Magnus Hagander) Formerly, such lines were silently ignored, which could be surprising. This makes the behavior more like other unsupported cases. Allow GSSAPI to be used to authenticate to servers via SSPI (Christian Ullrich) Specifically this allows Unix-based GSSAPI clients to do SSPI authentication with Windows servers. ident authentication over local sockets is now known as peer (Magnus Hagander) The old term is still accepted for backward compatibility, but since the two methods are fundamentally different, it seemed better to adopt different names for them. Rewrite peer authentication to avoid use of credential control messages (Tom Lane) This change makes the peer authentication code simpler and better-performing. However, it requires the platform to provide the getpeereid function or an equivalent socket operation. So far as is known, the only platform for which peer authentication worked before and now will not is pre-5.0 NetBSD. Add details to the logging of restartpoints and checkpoints, which is controlled by log_checkpoints (Fujii Masao, Greg Smith) New details include WAL file and sync activity. Add log_file_mode which controls the permissions on log files created by the logging collector (Martin Pihlak) Reduce the default maximum line length for syslog logging to 900 bytes plus prefixes (Noah Misch) This avoids truncation of long log lines on syslog implementations that have a 1KB length limit, rather than the more common 2KB. Add client_hostname column to pg_stat_activity (Peter Eisentraut) Previously only the client address was reported. Add pg_stat_xact_* statistics functions and views (Joel Jacobson) These are like the database-wide statistics counter views, but reflect counts for only the current transaction. Add time of last reset in database-level and background writer statistics views (Tomas Vondra) Add columns showing the number of vacuum and analyze operations in pg_stat_*_tables views (Magnus Hagander) Add buffers_backend_fsync column to pg_stat_bgwriter (Greg Smith) This new column counts the number of times a backend fsyncs a buffer. Provide auto-tuning of wal_buffers (Greg Smith) By default, the value of wal_buffers is now chosen automatically based on the value of shared_buffers. Increase the maximum values for deadlock_timeout, log_min_duration_statement, and log_autovacuum_min_duration (Peter Eisentraut) The maximum value for each of these parameters was previously only about 35 minutes. Much larger values are now allowed. Allow synchronous replication (Simon Riggs, Fujii Masao) This allows the primary server to wait for a standby to write a transaction's information to disk before acknowledging the commit. One standby at a time can take the role of the synchronous standby, as controlled by the synchronous_standby_names setting. Synchronous replication can be enabled or disabled on a per-transaction basis using the synchronous_commit setting. Add protocol support for sending file system backups to standby servers using the streaming replication network connection (Magnus Hagander, Heikki Linnakangas) This avoids the requirement of manually transferring a file system backup when setting up a standby server. Add replication_timeout setting (Fujii Masao, Heikki Linnakangas) Replication connections that are idle for more than the replication_timeout interval will be terminated automatically. Formerly, a failed connection was typically not detected until the TCP timeout elapsed, which is inconveniently long in many situations. Add command-line tool pg_basebackup for creating a new standby server or database backup (Magnus Hagander) Add a replication permission for roles (Magnus Hagander) This is a read-only permission used for streaming replication. It allows a non-superuser role to be used for replication connections. Previously only superusers could initiate replication connections; superusers still have this permission by default. Add system view pg_stat_replication which displays activity of WAL sender processes (Itagaki Takahiro, Simon Riggs) This reports the status of all connected standby servers. Add monitoring function pg_last_xact_replay_timestamp() (Fujii Masao) This returns the time at which the primary generated the most recent commit or abort record applied on the standby. Add configuration parameter hot_standby_feedback to enable standbys to postpone cleanup of old row versions on the primary (Simon Riggs) This helps avoid canceling long-running queries on the standby. Add the pg_stat_database_conflicts system view to show queries that have been canceled and the reason (Magnus Hagander) Cancellations can occur because of dropped tablespaces, lock timeouts, old snapshots, pinned buffers, and deadlocks. Add a conflicts count to pg_stat_database (Magnus Hagander) This is the number of conflicts that occurred in the database. Increase the maximum values for max_standby_archive_delay and max_standby_streaming_delay The maximum value for each of these parameters was previously only about 35 minutes. Much larger values are now allowed. Add ERRCODE_T_R_DATABASE_DROPPED error code to report recovery conflicts due to dropped databases (Tatsuo Ishii) This is useful for connection pooling software. Add functions to control streaming replication replay (Simon Riggs) The new functions are pg_xlog_replay_pause(), pg_xlog_replay_resume(), and the status function pg_is_xlog_replay_paused(). Add recovery.conf setting pause_at_recovery_target to pause recovery at target (Simon Riggs) This allows a recovery server to be queried to check whether the recovery point is the one desired. Add the ability to create named restore points using pg_create_restore_point() (Jaime Casanova) These named restore points can be specified as recovery targets using the new recovery.conf setting recovery_target_name. Allow standby recovery to switch to a new timeline automatically (Heikki Linnakangas) Now standby servers scan the archive directory for new timelines periodically. Add restart_after_crash setting which disables automatic server restart after a backend crash (Robert Haas) This allows external cluster management software to control whether the database server restarts or not. Allow recovery.conf to use the same quoting behavior as postgresql.conf (Dimitri Fontaine) Previously all values had to be quoted. Add a true serializable isolation level (Kevin Grittner, Dan Ports) Previously, asking for serializable isolation guaranteed only that a single MVCC snapshot would be used for the entire transaction, which allowed certain documented anomalies. The old snapshot isolation behavior is still available by requesting the REPEATABLE READ isolation level. Allow data-modification commands (INSERT/UPDATE/DELETE) in WITH clauses (Marko Tiikkaja, Hitoshi Harada) These commands can use RETURNING to pass data up to the containing query. Allow WITH clauses to be attached to INSERT, UPDATE, DELETE statements (Marko Tiikkaja, Hitoshi Harada) Allow non-GROUP BY columns in the query target list when the primary key is specified in the GROUP BY clause (Peter Eisentraut) The SQL standard allows this behavior, and because of the primary key, the result is unambiguous. Allow use of the key word DISTINCT in UNION/INTERSECT/EXCEPT clauses (Tom Lane) DISTINCT is the default behavior so use of this key word is redundant, but the SQL standard allows it. Fix ordinary queries with rules to use the same snapshot behavior as EXPLAIN ANALYZE (Marko Tiikkaja) Previously EXPLAIN ANALYZE used slightly different snapshot timing for queries involving rules. The EXPLAIN ANALYZE behavior was judged to be more logical. Add per-column collation support (Peter Eisentraut, Tom Lane) Previously collation (the sort ordering of text strings) could only be chosen at database creation. Collation can now be set per column, domain, index, or expression, via the SQL-standard COLLATE clause. Add extensions which simplify packaging of additions to PostgreSQL (Dimitri Fontaine, Tom Lane) Extensions are controlled by the new CREATE/ALTER/DROP EXTENSION commands. This replaces ad-hoc methods of grouping objects that are added to a PostgreSQL installation. Add support for foreign tables (Shigeru Hanada, Robert Haas, Jan Urbanski, Heikki Linnakangas) This allows data stored outside the database to be used like native PostgreSQL-stored data. Foreign tables are currently read-only, however. Allow new values to be added to an existing enum type via ALTER TYPE (Andrew Dunstan) Add ALTER TYPE ... ADD/DROP/ALTER/RENAME ATTRIBUTE (Peter Eisentraut) This allows modification of composite types. Add RESTRICT/CASCADE to ALTER TYPE operations on typed tables (Peter Eisentraut) This controls ADD/DROP/ALTER/RENAME ATTRIBUTE cascading behavior. Support ALTER TABLE name {OF | NOT OF} type (Noah Misch) This syntax allows a standalone table to be made into a typed table, or a typed table to be made standalone. Add support for more object types in ALTER ... SET SCHEMA commands (Dimitri Fontaine) This command is now supported for conversions, operators, operator classes, operator families, text search configurations, text search dictionaries, text search parsers, and text search templates. Add ALTER TABLE ... ADD UNIQUE/PRIMARY KEY USING INDEX (Gurjeet Singh) This allows a primary key or unique constraint to be defined using an existing unique index, including a concurrently created unique index. Allow ALTER TABLE to add foreign keys without validation (Simon Riggs) The new option is called NOT VALID. The constraint's state can later be modified to VALIDATED and validation checks performed. Together these allow you to add a foreign key with minimal impact on read and write operations. Allow ALTER TABLE ... SET DATA TYPE to avoid table rewrites in appropriate cases (Noah Misch, Robert Haas) For example, converting a varchar column to text no longer requires a rewrite of the table. However, increasing the length constraint on a varchar column still requires a table rewrite. Add CREATE TABLE IF NOT EXISTS syntax (Robert Haas) This allows table creation without causing an error if the table already exists. Fix possible tuple concurrently updated error when two backends attempt to add an inheritance child to the same table at the same time (Robert Haas) ALTER TABLE now takes a stronger lock on the parent table, so that the sessions cannot try to update it simultaneously. Add a SECURITY LABEL command (KaiGai Kohei) This allows security labels to be assigned to objects. Add transaction-level advisory locks (Marko Tiikkaja) These are similar to the existing session-level advisory locks, but such locks are automatically released at transaction end. Make TRUNCATE ... RESTART IDENTITY restart sequences transactionally (Steve Singer) Previously the counter could have been left out of sync if a backend crashed between the on-commit truncation activity and commit completion. Add ENCODING option to COPY TO/FROM (Hitoshi Harada, Itagaki Takahiro) This allows the encoding of the COPY file to be specified separately from client encoding. Add bidirectional COPY protocol support (Fujii Masao) This is currently only used by streaming replication. Make EXPLAIN VERBOSE show the function call expression in a FunctionScan node (Tom Lane) Add additional details to the output of VACUUM FULL VERBOSE and CLUSTER VERBOSE (Itagaki Takahiro) New information includes the live and dead tuple count and whether CLUSTER is using an index to rebuild. Prevent autovacuum from waiting if it cannot acquire a table lock (Robert Haas) It will try to vacuum that table later. Allow CLUSTER to sort the table rather than scanning the index when it seems likely to be cheaper (Leonardo Francalanci) Add nearest-neighbor (order-by-operator) searching to GiST indexes (Teodor Sigaev, Tom Lane) This allows GiST indexes to quickly return the N closest values in a query with LIMIT. For example point '(101,456)' LIMIT 10; ]]> finds the ten places closest to a given target point. Allow GIN indexes to index null and empty values (Tom Lane) This allows full GIN index scans, and fixes various corner cases in which GIN scans would fail. Allow GIN indexes to better recognize duplicate search entries (Tom Lane) This reduces the cost of index scans, especially in cases where it avoids unnecessary full index scans. Fix GiST indexes to be fully crash-safe (Heikki Linnakangas) Previously there were rare cases where a REINDEX would be required (you would be informed). Allow numeric to use a more compact, two-byte header in common cases (Robert Haas) Previously all numeric values had four-byte headers; this change saves on disk storage. Add support for dividing money by money (Andy Balholm) Allow binary I/O on type void (Radoslaw Smogura) Improve hypotenuse calculations for geometric operators (Paul Matthews) This avoids unnecessary overflows, and may also be more accurate. Support hashing array values (Tom Lane) This provides additional query optimization possibilities. Don't treat a composite type as sortable unless all its column types are sortable (Tom Lane) This avoids possible could not identify a comparison function failures at runtime, if it is possible to implement the query without sorting. Also, ANALYZE won't try to use inappropriate statistics-gathering methods for columns of such composite types. Add support for casting between money and numeric (Andy Balholm) Add support for casting from int4 and int8 to money (Joey Adams) Allow casting a table's row type to the table's supertype if it's a typed table (Peter Eisentraut) This is analogous to the existing facility that allows casting a row type to a supertable's row type. Add XML function XMLEXISTS and xpath_exists() functions (Mike Fowler) These are used for XPath matching. Add XML functions xml_is_well_formed(), xml_is_well_formed_document(), xml_is_well_formed_content() (Mike Fowler) These check whether the input is properly-formed XML. They provide functionality that was previously available only in the deprecated contrib/xml2 module. Add SQL function format(text, ...), which behaves analogously to C's printf() (Pavel Stehule, Robert Haas) It currently supports formats for strings, SQL literals, and SQL identifiers. Add string functions concat(), concat_ws(), left(), right(), and reverse() (Pavel Stehule) These improve compatibility with other database products. Add function pg_read_binary_file() to read binary files (Dimitri Fontaine, Itagaki Takahiro) Add a single-parameter version of function pg_read_file() to read an entire file (Dimitri Fontaine, Itagaki Takahiro) Add three-parameter forms of array_to_string() and string_to_array() for null value processing control (Pavel Stehule) Add the pg_describe_object() function (Alvaro Herrera) This function is used to obtain a human-readable string describing an object, based on the pg_class OID, object OID, and sub-object ID. It can be used to help interpret the contents of pg_depend. Update comments for built-in operators and their underlying functions (Tom Lane) Functions that are meant to be used via an associated operator are now commented as such. Add variable quote_all_identifiers to force the quoting of all identifiers in EXPLAIN and in system catalog functions like pg_get_viewdef() (Robert Haas) This makes exporting schemas to tools and other databases with different quoting rules easier. Add columns to the information_schema.sequences system view (Peter Eisentraut) Previously, though the view existed, the columns about the sequence parameters were unimplemented. Allow public as a pseudo-role name in has_table_privilege() and related functions (Alvaro Herrera) This allows checking for public permissions. Support INSTEAD OF triggers on views (Dean Rasheed) This feature can be used to implement fully updatable views. Add FOREACH IN ARRAY to PL/pgSQL (Pavel Stehule) This is more efficient and readable than previous methods of iterating through the elements of an array value. Allow RAISE without parameters to be caught in the same places that could catch a RAISE ERROR from the same location (Piyush Newe) The previous coding threw the error from the block containing the active exception handler. The new behavior is more consistent with other DBMS products. Allow generic record arguments to PL/Perl functions (Andrew Dunstan) PL/Perl functions can now be declared to accept type record. The behavior is the same as for any named composite type. Convert PL/Perl array arguments to Perl arrays (Alexey Klyukin, Alex Hunsaker) String representations are still available. Convert PL/Perl composite-type arguments to Perl hashes (Alexey Klyukin, Alex Hunsaker) String representations are still available. Add table function support for PL/Python (Jan Urbanski) PL/Python can now return multiple OUT parameters and record sets. Add a validator to PL/Python (Jan Urbanski) This allows PL/Python functions to be syntax-checked at function creation time. Allow exceptions for SQL queries in PL/Python (Jan Urbanski) This allows access to SQL-generated exception error codes from PL/Python exception blocks. Add explicit subtransactions to PL/Python (Jan Urbanski) Add PL/Python functions for quoting strings (Jan Urbanski) These functions are plpy.quote_ident, plpy.quote_literal, and plpy.quote_nullable. Add traceback information to PL/Python errors (Jan Urbanski) Report PL/Python errors from iterators with PLy_elog (Jan Urbanski) Fix exception handling with Python 3 (Jan Urbanski) Exception classes were previously not available in plpy under Python 3. Mark createlang and droplang as deprecated now that they just invoke extension commands (Tom Lane) Add psql command \conninfo to show current connection information (David Christensen) Add psql command \sf to show a function's definition (Pavel Stehule) Add psql command \dL to list languages (Fernando Ike) Add the S (system) option to psql's \dn (list schemas) command (Tom Lane) \dn without S now suppresses system schemas. Allow psql's \e and \ef commands to accept a line number to be used to position the cursor in the editor (Pavel Stehule) This is passed to the editor according to the PSQL_EDITOR_LINENUMBER_ARG environment variable. Have psql set the client encoding from the operating system locale by default (Heikki Linnakangas) This only happens if the PGCLIENTENCODING environment variable is not set. Make \d distinguish between unique indexes and unique constraints (Josh Kupershmidt) Make \dt+ report pg_table_size instead of pg_relation_size when talking to 9.0 or later servers (Bernd Helmle) This is a more useful measure of table size, but note that it is not identical to what was previously reported in the same display. Additional tab completion support (Itagaki Takahiro, Pavel Stehule, Andrey Popp, Christoph Berg, David Fetter, Josh Kupershmidt) Add pg_dump and pg_dumpall option --quote-all-identifiers to force quoting of all identifiers (Robert Haas) Add directory format to pg_dump (Joachim Wieland, Heikki Linnakangas) This is internally similar to the tar pg_dump format. Fix pg_ctl so it no longer incorrectly reports that the server is not running (Bruce Momjian) Previously this could happen if the server was running but pg_ctl could not authenticate. Improve pg_ctl start's wait (-w) option (Bruce Momjian, Tom Lane) The wait mode is now significantly more robust. It will not get confused by non-default postmaster port numbers, non-default Unix-domain socket locations, permission problems, or stale postmaster lock files. Add promote option to pg_ctl to switch a standby server to primary (Fujii Masao) Add a libpq connection option client_encoding which behaves like the PGCLIENTENCODING environment variable (Heikki Linnakangas) The value auto sets the client encoding based on the operating system locale. Add PQlibVersion() function which returns the libpq library version (Magnus Hagander) libpq already had PQserverVersion() which returns the server version. Allow libpq-using clients to check the user name of the server process when connecting via Unix-domain sockets, with the new requirepeer connection option (Peter Eisentraut) PostgreSQL already allowed servers to check the client user name when connecting via Unix-domain sockets. Add PQping() and PQpingParams() to libpq (Bruce Momjian, Tom Lane) These functions allow detection of the server's status without trying to open a new session. Allow ECPG to accept dynamic cursor names even in WHERE CURRENT OF clauses (Zoltan Boszormenyi) Make ecpglib write double values with a precision of 15 digits, not 14 as formerly (Akira Kurosawa) Use +Olibmerrno compile flag with HP-UX C compilers that accept it (Ibrar Ahmed) This avoids possible misbehavior of math library calls on recent HP platforms. Improved parallel make support (Peter Eisentraut) This allows for faster compiles. Also, make -k now works more consistently. Require GNU make 3.80 or newer (Peter Eisentraut) This is necessary because of the parallel-make improvements. Add make maintainer-check target (Peter Eisentraut) This target performs various source code checks that are not appropriate for either the build or the regression tests. Currently: duplicate_oids, SGML syntax and tabs check, NLS syntax check. Support make check in contrib (Peter Eisentraut) Formerly only make installcheck worked, but now there is support for testing in a temporary installation. The top-level make check-world target now includes testing contrib this way. On Windows, allow pg_ctl to register the service as auto-start or start-on-demand (Quan Zongliang) Add support for collecting crash dumps on Windows (Craig Ringer, Magnus Hagander) minidumps can now be generated by non-debug Windows binaries and analyzed by standard debugging tools. Enable building with the MinGW64 compiler (Andrew Dunstan) This allows building 64-bit Windows binaries even on non-Windows platforms via cross-compiling. Revise the API for GUC variable assign hooks (Tom Lane) The previous functions of assign hooks are now split between check hooks and assign hooks, where the former can fail but the latter shouldn't. This change will impact add-on modules that define custom GUC parameters. Add latches to the source code to support waiting for events (Heikki Linnakangas) Centralize data modification permissions-checking logic (KaiGai Kohei) Add missing get_object_oid() functions, for consistency (Robert Haas) Improve ability to use C++ compilers for compiling add-on modules by removing conflicting key words (Tom Lane) Add support for DragonFly BSD (Rumko) Expose quote_literal_cstr() for backend use (Robert Haas) Run regression tests in the default encoding (Peter Eisentraut) Regression tests were previously always run with SQL_ASCII encoding. Add src/tools/git_changelog to replace cvs2cl and pgcvslog (Robert Haas, Tom Lane) Add git-external-diff script to src/tools (Bruce Momjian) This is used to generate context diffs from git. Improve support for building with Clang (Peter Eisentraut) Add source code hooks to check permissions (Robert Haas, Stephen Frost) Add post-object-creation function hooks for use by security frameworks (KaiGai Kohei) Add a client authentication hook (KaiGai Kohei) Modify contrib modules and procedural languages to install via the new extension mechanism (Tom Lane, Dimitri Fontaine) Add contrib/file_fdw foreign-data wrapper (Shigeru Hanada) Foreign tables using this foreign data wrapper can read flat files in a manner very similar to COPY. Add nearest-neighbor search support to contrib/pg_trgm and contrib/btree_gist (Teodor Sigaev) Add contrib/btree_gist support for searching on not-equals (Jeff Davis) Fix contrib/fuzzystrmatch's levenshtein() function to handle multibyte characters (Alexander Korotkov) Add ssl_cipher() and ssl_version() functions to contrib/sslinfo (Robert Haas) Fix contrib/intarray and contrib/hstore to give consistent results with indexed empty arrays (Tom Lane) Previously an empty-array query that used an index might return different results from one that used a sequential scan. Allow contrib/intarray to work properly on multidimensional arrays (Tom Lane) In contrib/intarray, avoid errors complaining about the presence of nulls in cases where no nulls are actually present (Tom Lane) In contrib/intarray, fix behavior of containment operators with respect to empty arrays (Tom Lane) Empty arrays are now correctly considered to be contained in any other array. Remove contrib/xml2's arbitrary limit on the number of parameter=value pairs that can be handled by xslt_process() (Pavel Stehule) The previous limit was 10. In contrib/pageinspect, fix heap_page_item to return infomasks as 32-bit values (Alvaro Herrera) This avoids returning negative values, which was confusing. The underlying value is a 16-bit unsigned integer. Add contrib/sepgsql to interface permission checks with SELinux (KaiGai Kohei) This uses the new SECURITY LABEL facility. Add contrib module auth_delay (KaiGai Kohei) This causes the server to pause before returning authentication failure; it is designed to make brute force password attacks more difficult. Add dummy_seclabel contrib module (KaiGai Kohei) This is used for permission regression testing. Add support for LIKE and ILIKE index searches to contrib/pg_trgm (Alexander Korotkov) Add levenshtein_less_equal() function to contrib/fuzzystrmatch, which is optimized for small distances (Alexander Korotkov) Improve performance of index lookups on contrib/seg columns (Alexander Korotkov) Improve performance of pg_upgrade for databases with many relations (Bruce Momjian) Add flag to contrib/pgbench to report per-statement latencies (Florian Pflug) Move src/tools/test_fsync to contrib/pg_test_fsync (Bruce Momjian, Tom Lane) Add O_DIRECT support to contrib/pg_test_fsync (Bruce Momjian) This matches the use of O_DIRECT by wal_sync_method. Add new tests to contrib/pg_test_fsync (Bruce Momjian) Extensive ECPG documentation improvements (Satoshi Nagayasu) Extensive proofreading and documentation improvements (Thom Brown, Josh Kupershmidt, Susanne Ebrecht) Add documentation for exit_on_error (Robert Haas) This parameter causes sessions to exit on any error. Add documentation for pg_options_to_table() (Josh Berkus) This function shows table storage options in a readable form. Document that it is possible to access all composite type fields using (compositeval).* syntax (Peter Eisentraut) Document that translate() removes characters in from that don't have a corresponding to character (Josh Kupershmidt) Merge documentation for CREATE CONSTRAINT TRIGGER and CREATE TRIGGER (Alvaro Herrera) Centralize permission and upgrade documentation (Bruce Momjian) Add kernel tuning documentation for Solaris 10 (Josh Berkus) Previously only Solaris 9 kernel tuning was documented. Handle non-ASCII characters consistently in HISTORY file (Peter Eisentraut) While the HISTORY file is in English, we do have to deal with non-ASCII letters in contributor names. These are now transliterated so that they are reasonably legible without assumptions about character set.