Document how to configure installations and applications to guard against search-path-dependent trojan-horse attacks from other users (Noah Misch)

Using a search_path setting that includes any schemas writable by a hostile user enables that user to capture control of queries and then run arbitrary SQL code with the permissions of the attacked user. While it is possible to write queries that are proof against such hijacking, it is notationally tedious, and it's very easy to overlook holes. Therefore, we now recommend configurations in which no untrusted schemas appear in one's search path. Relevant documentation appears in Section 5.8.6 (for database administrators and users), Section 33.1 (for application authors), Section 37.15.6 (for extension authors), and CREATE FUNCTION (for authors of SECURITY DEFINER functions). (CVE-2018-1058)

Avoid use of insecure search_path settings in pg_dump and other client programs (Noah Misch, Tom Lane)

pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications were themselves vulnerable to the type of hijacking described in the previous changelog entry; since these applications are commonly run by superusers, they present particularly attractive targets. To make them secure whether or not the installation as a whole has been secured, modify them to include only the pg_catalog schema in their search_path settings. Autovacuum worker processes now do the same, as well.

In cases where user-provided functions are indirectly executed by these programs -- for example, user-provided functions in index expressions -- the tighter search_path may result in errors, which will need to be corrected by adjusting those user-provided functions to not assume anything about what search path they are invoked under. That has always been good practice, but now it will be necessary for correct behavior. (CVE-2018-1058)

Prevent logical replication from trying to ship changes for unpublishable relations (Peter Eisentraut)

A publication marked FOR ALL TABLES would incorrectly ship changes in materialized views and information_schema tables, which are supposed to be omitted from the change stream.

Fix misbehavior of concurrent-update rechecks with CTE references appearing in subplans (Tom Lane)

If a CTE (WITH clause reference) is used in an InitPlan or SubPlan, and the query requires a recheck due to trying to update or lock a concurrently-updated row, incorrect results could be obtained.

Fix planner failures with overlapping mergejoin clauses in an outer join (Tom Lane)

These mistakes led to « left and right pathkeys do not match in mergejoin » or « outer pathkeys do not match mergeclauses » planner errors in corner cases.

Repair pg_upgrade's failure to preserve relfrozenxid for materialized views (Tom Lane, Andres Freund)

This oversight could lead to data corruption in materialized views after an upgrade, manifesting as « could not access status of transaction » or « found xmin from before relfrozenxid » errors. The problem would be more likely to occur in seldom-refreshed materialized views, or ones that were maintained only with REFRESH MATERIALIZED VIEW CONCURRENTLY.

If such corruption is observed, it can be repaired by refreshing the materialized view (without CONCURRENTLY).

Fix incorrect pg_dump output for some non-default sequence limit values (Alexey Bashtanov)

Fix pg_dump's mishandling of STATISTICS objects (Tom Lane)

An extended statistics object's schema was mislabeled in the dump's table of contents, possibly leading to the wrong results in a schema-selective restore. Its ownership was not correctly restored, either. Also, change the logic so that statistics objects are dumped/restored, or not, as independent objects rather than tying them to the dump/restore decision for the table they are on. The original definition could not scale to the planned future extension to cross-table statistics.

Fix incorrect reporting of PL/Python function names in error CONTEXT stacks (Tom Lane)

An error occurring within a nested PL/Python function call (that is, one reached via a SPI query from another PL/Python function) would result in a stack trace showing the inner function's name twice, rather than the expected results. Also, an error in a nested PL/Python DO block could result in a null pointer dereference crash on some platforms.

Allow contrib/auto_explain's log_min_duration setting to range up to INT_MAX, or about 24 days instead of 35 minutes (Tom Lane)

Mark assorted GUC variables as PGDLLIMPORT, to ease porting extension modules to Windows (Metin Doslu)