Release date: 2019-05-09
This release contains a variety of fixes from 10.7. For information about new features in major release 10, see Section E.24.
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.6, see Section E.18.
Prevent row-level security policies from being bypassed via selectivity estimators (Dean Rasheed)
Some of the planner's selectivity estimators apply user-defined
operators to values found in pg_statistic
(e.g., most-common values). A leaky operator therefore can disclose
some of the entries in a data column, even if the calling user lacks
permission to read that column. In CVE-2017-7484 we added
restrictions to forestall that, but we failed to consider the
effects of row-level security. A user who has SQL permission to
read a column, but who is forbidden to see certain rows due to RLS
policy, might still learn something about those rows' contents via a
leaky operator. This patch further tightens the rules, allowing
leaky operators to be applied to statistics data only when there is
no relevant RLS policy. (CVE-2019-10130)
Avoid catalog corruption when a temporary table with ON
COMMIT DROP
and an identity column is created in a
single-statement transaction (Peter Eisentraut)
This hazard was overlooked because the case is not actually useful, since the temporary table would be dropped immediately after creation.
Avoid crash when an EPQ recheck is performed for a partitioned query result relation (Amit Langote)
This occurs when using READ COMMITTED
isolation
level and another session has concurrently updated some of the
target row(s).
Fix behavior for an UPDATE
or DELETE
on an inheritance tree or partitioned
table in which every table can be excluded (Amit Langote, Tom Lane)
In such cases, the query did not report the correct set of output
columns when a RETURNING
clause was present, and
if there were any statement-level triggers that should be fired, it
didn't fire them.
Avoid throwing incorrect errors for updates of temporary tables and
unlogged tables when a FOR ALL TABLES
publication
exists (Peter Eisentraut)
Such tables should be ignored for publication purposes, but some parts of the code failed to do so.
Fix handling of explicit DEFAULT
items in
an INSERT ... VALUES
command with
multiple VALUES
rows, if the target relation is
an updatable view (Amit Langote, Dean Rasheed)
When the updatable view has no default for the column but its
underlying table has one, a single-row INSERT
... VALUES
will use the underlying table's default.
In the multi-row case, however, NULL was always used. Correct it to
act like the single-row case.
Fix CREATE VIEW
to allow zero-column views
(Ashutosh Sharma)
We should allow this for consistency with allowing zero-column tables. Since a table can be converted to a view, zero-column views could be created even with the restriction in place, leading to dump/reload failures.
Add missing support for CREATE TABLE IF NOT EXISTS ... AS
EXECUTE ...
(Andreas Karlsson)
The combination of IF NOT EXISTS
and EXECUTE
should work, but the grammar omitted
it.
Ensure that sub-SELECT
s appearing in
row-level-security policy expressions are executed with the correct
user's permissions (Dean Rasheed)
Previously, if the table having the RLS policy was accessed via a view, such checks might be executed as the user calling the view, not as the view owner as they should be.
Accept XML documents as valid values of type xml
when xmloption
is set
to content
, as required by SQL:2006 and later
(Chapman Flack)
Previously PostgreSQL followed the
SQL:2003 definition, which doesn't allow this. But that creates a
serious problem for dump/restore: there is no setting
of xmloption
that will accept all valid XML data.
Hence, switch to the 2006 definition.
pg_dump is also modified to emit
SET xmloption = content
while restoring data,
ensuring that dump/restore works even if the prevailing
setting is document
.
Improve server's startup-time checks for whether a pre-existing shared memory segment is still in use (Noah Misch)
The postmaster is now more likely to detect that there are still
active processes from a previous postmaster incarnation, even if
the postmaster.pid
file has been removed.
Avoid counting parallel workers' transactions as separate transactions (Haribabu Kommi)
Fix incompatibility of GIN-index WAL records (Alexander Korotkov)
A fix applied in February's minor releases was not sufficiently careful about backwards compatibility, leading to problems if a standby server of that vintage reads GIN page-deletion WAL records generated by a primary server of a previous minor release.
Fix possible crash while executing a SHOW
command
in a replication connection (Michael Paquier)
Avoid memory leak when a partition's relation cache entry is rebuilt (Amit Langote, Tom Lane)
Tolerate EINVAL
and ENOSYS
error results, where appropriate, for fsync
and sync_file_range
calls
(Thomas Munro, James Sewell)
The previous change to panic on file synchronization failures turns out to have been excessively paranoid for certain cases where a failure is predictable and essentially means « operation not supported ».
Report correct relation name in
autovacuum's pg_stat_activity
display
during BRIN summarize operations (Álvaro Herrera)
Fix « failed to build any N
-way
joins » planner failures with lateral references leading out
of FULL
outer joins (Tom Lane)
Fix misplanning of queries in which a set-returning function is applied to a relation that is provably empty (Tom Lane, Julien Rouhaud)
In v10, this oversight only led to slightly inefficient plans, but in v11 it could cause « set-valued function called in context that cannot accept a set » errors.
Check the appropriate user's permissions when enforcing rules about
letting a leaky operator see pg_statistic
data (Dean Rasheed)
When an underlying table is being accessed via a view, consider the privileges of the view owner while deciding whether leaky operators may be applied to the table's statistics data, rather than the privileges of the user making the query. This makes the planner's rules about what data is visible match up with the executor's, avoiding unnecessarily-poor plans.
Speed up planning when there are many equality conditions and many potentially-relevant foreign key constraints (David Rowley)
Avoid O(N^2) performance issue when rolling back a transaction that created many tables (Tomas Vondra)
Fix corner-case server crashes in dynamic shared memory allocation (Thomas Munro, Robert Haas)
Fix race conditions in management of dynamic shared memory (Thomas Munro)
These could lead to « dsa_area could not attach to segment » or « cannot unpin a segment that is not pinned » errors.
Fix race condition in which a hot-standby postmaster could fail to shut down after receiving a smart-shutdown request (Tom Lane)
Fix possible crash
when pg_identify_object_as_address()
is given
invalid input (Álvaro Herrera)
Fix possible « could not access status of transaction »
failures in txid_status()
(Thomas Munro)
Tighten validation of encoded SCRAM-SHA-256 and MD5 passwords (Jonathan Katz)
A password string that had the right initial characters could be mistaken for one that is correctly hashed into SCRAM-SHA-256 or MD5 format. The password would be accepted but would be unusable later.
Fix handling of lc_time
settings that imply an
encoding different from the database's encoding (Juan José
Santamaría Flecha, Tom Lane)
Localized month or day names that include non-ASCII characters previously caused unexpected errors or wrong output in such locales.
Fix incorrect operator_precedence_warning
checks
involving unary minus operators (Rikard Falkeborn)
Disallow NaN
as a value for floating-point server
parameters (Tom Lane)
Rearrange REINDEX
processing to avoid assertion
failures when reindexing individual indexes
of pg_class
(Andres Freund, Tom Lane)
Fix planner assertion failure for parameterized dummy paths (Tom Lane)
Insert correct test function in the result
of SnapBuildInitialSnapshot()
(Antonin Houska)
No core code cares about this, but some extensions do.
Fix intermittent « could not reattach to shared memory » session startup failures on Windows (Noah Misch)
A previously unrecognized source of these failures is creation of thread stacks for a process's default thread pool. Arrange for such stacks to be allocated in a different memory region.
Fix error detection in directory scanning on Windows (Konstantin Knizhnik)
Errors, such as lack of permissions to read the directory, were not detected or reported correctly; instead the code silently acted as though the directory were empty.
Fix grammar problems in ecpg (Tom Lane)
A missing semicolon led to mistranslation
of SET
(but
not variable
=
DEFAULTSET
) in ecpg programs,
producing syntactically invalid output that the server would reject.
Additionally, in a variable
TO
DEFAULTDROP TYPE
or DROP
DOMAIN
command that listed multiple type names, only the
first type name was actually processed.
Sync ecpg's syntax for CREATE
TABLE AS
with the server's (Daisuke Higuchi)
Fix possible buffer overruns in ecpg's processing of include filenames (Liu Huailing, Fei Wu)
Avoid crash in contrib/postgres_fdw
when a
query using remote grouping or aggregation has
a SELECT
-list item that is an uncorrelated
sub-select, outer reference, or parameter symbol (Tom Lane)
Avoid crash in contrib/vacuumlo
if
an lo_unlink()
call failed (Tom Lane)
Sync our copy of the timezone library with IANA tzcode release 2019a (Tom Lane)
This corrects a small bug in zic that
caused it to output an incorrect year-2440 transition in
the Africa/Casablanca
zone, and adds support
for zic's new -r
option.
Update time zone data files to tzdata release 2019a for DST law changes in Palestine and Metlakatla, plus historical corrections for Israel.
Etc/UCT
is now a backward-compatibility link
to Etc/UTC
, instead of being a separate zone that
generates the abbreviation UCT
, which nowadays is
typically a typo. PostgreSQL will still
accept UCT
as an input zone abbreviation, but it
won't output it.