Release date: 2022-05-12
This release contains a variety of fixes from 10.20. For information about new features in major release 10, see Section E.24.
The PostgreSQL community will stop releasing updates for the 10.X release series in November 2022. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.19, see Section E.5.
Confine additional operations within « security restricted operation » sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum, CLUSTER
, CREATE
INDEX
, REINDEX
, REFRESH
MATERIALIZED VIEW
,
and pg_amcheck activated
the « security restricted operation » protection
mechanism too late, or even not at all in some code paths.
A user having permission to create non-temporary objects within a
database could define an object that would execute arbitrary SQL
code with superuser permissions the next time that autovacuum
processed the object, or that some superuser ran one of the affected
commands against it.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2022-1552)
Stop using query-provided column aliases for the columns of whole-row variables that refer to plain tables (Tom Lane)
The column names in tuples produced by a whole-row variable (such
as tbl.*
in contexts other than the top level of
a SELECT
list) are now always those of the
associated named composite type, if there is one. We'd previously
attempted to make them track any column aliases that had been
applied to the FROM
entry the variable refers to.
But that's semantically dubious, because really then the output of
the variable is not at all of the composite type it claims to be.
Previous attempts to deal with that inconsistency had bad results up
to and including storing unreadable data on disk, so just give up on
the whole idea.
In cases where it's important to be able to relabel such columns,
a workaround is to introduce an extra level of
sub-SELECT
, so that the whole-row variable is
referring to the sub-SELECT
's output and not to a
plain table. Then the variable is of type record
to begin with and there's no issue.
Fix incorrect output for types timestamptz
and timetz
in table_to_xmlschema()
and allied functions (Renan Soares Lopes)
The xmlschema output for these types included a malformed regular expression.
Avoid core dump in parser for a VALUES
clause with
zero columns (Tom Lane)
Fix planner errors for GROUPING()
constructs
that reference outer query levels (Richard Guo, Tom Lane)
Fix plan generation for index-only scans on indexes with both returnable and non-returnable columns (Tom Lane)
The previous coding could try to read non-returnable columns in addition to the returnable ones. This was fairly harmless because it didn't actually do anything with the bogus values, but it fell foul of a recently-added error check that rejected such a plan.
Fix query-lifespan memory leak in an IndexScan node that is performing reordering (Aliaksandr Kalenik)
Fix ALTER FUNCTION
to support changing a
function's parallelism property and
its SET
-variable list in the same command (Tom
Lane)
The parallelism property change was lost if the same command also
updated the function's SET
clause.
Fix mis-sorting of table rows when CLUSTER
ing
using an index whose leading key is an expression (Peter Geoghegan,
Thomas Munro)
The table would be rebuilt with the correct data, but in an order having little to do with the index order.
Fix race condition between DROP TABLESPACE
and
checkpointing (Nathan Bossart)
The checkpoint forced by DROP TABLESPACE
could
sometimes fail to remove all dead files from the tablespace's
directory, leading to a bogus « tablespace is not empty »
error.
Fix possible trouble in crash recovery after
a TRUNCATE
command that overlaps a checkpoint
(Kyotaro Horiguchi, Heikki Linnakangas, Robert Haas)
TRUNCATE
must ensure that the table's disk file
is truncated before the checkpoint is allowed to complete.
Otherwise, replay starting from that checkpoint might find
unexpected data in the supposedly-removed pages, possibly causing
replay failure.
Fix unsafe toast-data accesses during temporary object cleanup (Andres Freund)
Temporary-object deletion during server process exit could fail with « FATAL: cannot fetch toast data without an active snapshot ». This was usually harmless since the next use of that temporary schema would clean up successfully.
Fix « PANIC: xlog flush request is not satisfied » failure during standby promotion when there is a missing WAL continuation record (Sami Imseih)
Fix possibility of self-deadlock in hot standby conflict handling (Andres Freund)
With unlucky timing, the WAL-applying process could get stuck while waiting for some other process to release a buffer lock.
Ensure that logical replication apply workers can be restarted even
when we're up against
the max_sync_workers_per_subscription
limit
(Amit Kapila)
Faulty coding of the limit check caused a restarted worker to exit immediately, leaving fewer workers than there should be.
Include unchanged replica identity key columns in the WAL log for an update, if they are stored out-of-line (Dilip Kumar, Amit Kapila)
Otherwise subscribers cannot see the values and will fail to replicate the update.
Improve logical replication subscriber's error message for an unsupported relation kind (Tom Lane)
v13 and later servers support publishing partitioned tables. Older server versions cannot handle subscribing to such a table, and they gave a very misleading error message: « table XYZ not found on publisher ». Arrange to deliver a more on-point message.
Disallow execution of SPI functions during PL/Perl function compilation (Tom Lane)
Perl can be convinced to execute user-defined code during compilation of a PL/Perl function. However, it's not okay for such code to try to invoke SQL operations via SPI. That results in a crash, and if it didn't crash it would be a security hazard, because we really don't want code execution during function validation. Put in a check to give a friendlier error message instead.
Make libpq accept root-owned SSL private key files (David Steele)
This change synchronizes libpq's rules
for safe ownership and permissions of SSL key files with the rules
the server has used since release 9.6. Namely, in addition to the
current rules, allow the case where the key file is owned by root
and has permissions rw-r-----
or less. This is
helpful for system-wide management of key files.
Make pg_ctl recheck postmaster aliveness while waiting for stop/restart/promote actions (Tom Lane)
pg_ctl would verify that the postmaster is alive as a side-effect of sending the stop or promote signal, but then it just naively waited to see the on-disk state change. If the postmaster died uncleanly without having removed its PID file or updated the control file, pg_ctl would wait until timeout. Instead make it recheck every so often that the postmaster process is still there.
Ensure that contrib/pageinspect
functions cope
with all-zero pages (Michael Paquier)
This is a legitimate edge case, but the module was mostly unprepared for it. Arrange to return nulls, or no rows, as appropriate; that seems more useful than raising an error.
In contrib/pageinspect
, add defenses against
incorrect page « special space » contents, tighten checks
for correct page size, and add some missing checks that an index is
of the expected type (Michael Paquier, Justin Pryzby, Julien
Rouhaud)
These changes make it less likely that the module will crash on bad data.
In contrib/postgres_fdw
, verify
that ORDER BY
clauses are safe to ship before
requesting a remotely-ordered query, and include
a USING
clause if necessary (Ronan Dunklau)
This fix prevents situations where the remote server might sort in a different order than we intend. While sometimes that would be only cosmetic, it could produce thoroughly wrong results if the remote data is used as input for a locally-performed merge join.
Clean up assorted failures under clang's
-fsanitize=undefined
checks (Tom Lane, Andres
Freund, Zhihong Yu)
Most of these changes are just for pro-forma compliance with the letter of the C and POSIX standards, and are unlikely to have any effect on production builds.
Fix PL/Perl so it builds on C compilers that don't support statements nested within expressions (Tom Lane)
Fix possible build failure of pg_dumpall on Windows, when not using MSVC to build (Andres Freund)
In Windows builds, use gendef instead of pexports to build DEF files (Andrew Dunstan)
This adapts the build process to work on recent MSys tool chains.
Prevent extra expansion of shell wildcard patterns in programs built under MinGW (Andrew Dunstan)
For some reason the C library provided by MinGW will expand shell wildcard characters in a program's command-line arguments by default. This is confusing, not least because it doesn't happen under MSVC, so turn it off.
Update time zone data files to tzdata release 2022a for DST law changes in Palestine, plus historical corrections for Chile and Ukraine.