Release date: 2024-11-14
This release contains a variety of fixes from 12.20. For information about new features in major release 12, see Section E.23.
This is expected to be the last PostgreSQL release in the 12.X series. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.18, see Section E.5.
Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart) §
If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2024-10976)
Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion) §
An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2024-10977)
Fix unintended interactions between SET SESSION
AUTHORIZATION
and SET ROLE
(Tom Lane)
§
§
The SQL standard mandates that SET SESSION
AUTHORIZATION
have a side-effect of doing SET
ROLE NONE
. Our implementation of that was flawed,
creating more interaction between the two settings than intended.
Notably, rolling back a transaction that had done SET
SESSION AUTHORIZATION
would revert ROLE
to NONE
even if that had not been the previous
state, so that the effective user ID might now be different from
what it had been before the transaction. Transiently
setting session_authorization
in a
function SET
clause had a similar effect.
A related bug was that if a parallel worker
inspected current_setting('role')
, it
saw none
even when it should see something else.
The PostgreSQL Project thanks Tom Lane for reporting this problem. (CVE-2024-10978)
Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch) § § § §
The ability to manipulate process environment variables such
as PATH
gives an attacker opportunities to
execute arbitrary code. Therefore, « trusted » PLs must
not offer the ability to do that. To fix plperl
,
replace %ENV
with a tied hash that rejects any
modification attempt with a warning.
Untrusted plperlu
retains the ability to change
the environment.
The PostgreSQL Project thanks Coby Abrams for reporting this problem. (CVE-2024-10979)
Disallow ALTER TABLE ATTACH PARTITION
if the
table to be attached has a foreign key referencing the partitioned
table (Álvaro Herrera)
§
§
This arrangement is not supported, and other ways of creating it already fail.
Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han) § §
Such plans could produce incorrect results.
Allow cancellation of the second stage of index build for large hash indexes (Pavel Borisov) §
Fix assertion failure or confusing error message for COPY
(
, when
the query
) TO ...query
is rewritten by a DO
INSTEAD NOTIFY
rule (Tender Wang, Tom Lane)
§
Fix detection of skewed data during parallel hash join (Thomas Munro) §
After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
Fix race condition in committing a serializable transaction (Heikki Linnakangas) §
Mis-processing of a recently committed transaction could lead to an assertion failure or a « could not access status of transaction » error.
Fix race condition in COMMIT PREPARED
that resulted in orphaned 2PC files (wuchengwen)
§
A concurrent PREPARE TRANSACTION
could
cause COMMIT PREPARED
to not remove the on-disk
two-phase state file for the completed transaction. There was no
immediate ill effect, but a subsequent crash-and-recovery could fail
with « could not access status of transaction »,
requiring manual removal of the orphaned file to restore service.
Avoid invalid memory accesses after skipping an invalid toast index
during VACUUM FULL
(Tender Wang)
§
A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
Fix ways in which an « in place » catalog update could be lost (Noah Misch) § § § § § § §
Normal row updates write a new version of the row to preserve
rollback-ability of the transaction. However, certain system
catalog updates are intentionally non-transactional and are done
with an in-place update of the row. These patches fix race
conditions that could cause the effects of an in-place update to be
lost. As an example, it was possible to forget having set
pg_class
.relhasindex
to true, preventing updates of the new index and thus causing index
corruption.
Reset catalog caches at end of recovery (Noah Misch) §
This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane) § §
This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
Guard against stack overflow in libxml2 with too-deeply-nested XML input (Tom Lane, with hat tip to Nick Wellnhofer) §
Use xmlXPathCtxtCompile()
rather
than xmlXPathCompile()
, because the latter
fails to protect itself against recursion-to-stack-overflow
in libxml2 releases before 2.13.4.
Fix « failed to find plan for subquery/CTE » errors
in EXPLAIN
(Richard Guo, Tom Lane)
§
This case arose while trying to print references to fields of a
RECORD-type output of a subquery when the subquery has been
optimized out of the plan altogether (which is possible at least in
the case that it has a constant-false WHERE
condition). Nothing remains in the plan to identify the original
field names, so fall back to
printing f
for
the N
N
'th record column. (That's actually
the right thing anyway, if the record output arose from
a ROW()
constructor.)
Disallow a USING
clause when altering the type of
a generated column (Peter Eisentraut)
§
A generated column already has an expression specifying the column
contents, so including USING
doesn't make sense.
Ignore not-yet-defined Portals in
the pg_cursors
view (Tom Lane)
§
It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
Reduce memory consumption of logical decoding (Masahiko Sawada) §
Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
Re-disable sending of stateless (TLSv1.2) session tickets (Daniel Gustafsson) §
A previous change to prevent sending of stateful (TLSv1.3) session tickets accidentally re-enabled sending of stateless ones. Thus, while we intended to prevent clients from thinking that TLS session resumption is supported, some still did.
Avoid « wrong tuple length » failure when dropping a database with many ACL (permission) entries (Ayush Tiwari) § §
Allow adjusting the session_authorization
and role
settings in parallel workers (Tom Lane)
§
Our code intends to allow modifiable server settings to be set by
function SET
clauses, but not otherwise within a
parallel worker. SET
clauses failed for these
two settings, though.
Fix behavior of stable functions called from
a CALL
statement's argument list, when
the CALL
is within a
PL/pgSQL EXCEPTION
block (Tom Lane)
§
As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
Parse libpq's keepalives
connection option in the same way as other integer-valued options
(Yuto Sasaki)
§
The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov) §
It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
Include the source timeline history in pg_rewind's debug output (Heikki Linnakangas) §
This was the intention to begin with, but a coding error caused the source history to always print as empty.
Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (VaibhaveS, Michael Paquier, Fujii Masao, Nathan Bossart) § §
Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
Allow inspection of sequence relations in relevant functions
of contrib/pageinspect
and contrib/pgstattuple
(Nathan Bossart, Ayush
Vatsa)
§
§
This had been allowed in the past, but it got broken during the introduction of non-default access methods for tables.
Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy) §
When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
Fix a few places that assumed that process start time (represented
as a time_t
) will fit into a long
value
(Max Johnson, Nathan Bossart)
§
On platforms where long
is 32 bits (notably Windows),
this coding would fail after Y2038. Most of the failures appear
only cosmetic, but notably pg_ctl start
would
hang.
Prevent « nothing provides perl(PostgreSQL::Test::Utils) » failures while building RPM packages of PostgreSQL (Noah Misch) §
Fix building with Strawberry Perl on Windows (Andrew Dunstan) §
Update time zone data files to tzdata release 2024b (Tom Lane) § §
This tzdata release changes the old
System-V-compatibility zone names to duplicate the corresponding
geographic zones; for example PST8PDT
is now an
alias for America/Los_Angeles
. The main visible
consequence is that for timestamps before the introduction of
standardized time zones, the zone is considered to represent local
mean solar time for the named location. For example,
in PST8PDT
, timestamptz
input such
as 1801-01-01 00:00
would previously have been
rendered as 1801-01-01 00:00:00-08
, but now it is
rendered as 1801-01-01 00:00:00-07:52:58
.
Also, historical corrections for Mexico, Mongolia, and Portugal.
Notably, Asia/Choibalsan
is now an alias
for Asia/Ulaanbaatar
rather than being a separate
zone, mainly because the differences between those zones were found to
be based on untrustworthy data.