Release date: 2022-08-11
This release contains a variety of fixes from 13.7. For information about new features in major release 13, see Section E.18.
A dump/restore is not required for those running 13.X.
However, if you are upgrading from a version earlier than 13.7, see Section E.11.
Do not let extension scripts replace objects not already belonging to the extension (Tom Lane) §
This change prevents extension scripts from doing CREATE
OR REPLACE
if there is an existing object that does not
belong to the extension. It also prevents CREATE IF NOT
EXISTS
in the same situation. This prevents a form of
trojan-horse attack in which a hostile database user could become
the owner of an extension object and then modify it to compromise
future uses of the object by other users. As a side benefit, it
also reduces the risk of accidentally replacing objects one did
not mean to.
The PostgreSQL Project thanks Sven Klemm for reporting this problem. (CVE-2022-2625)
Fix replay of CREATE DATABASE
WAL
records on standby servers
(Kyotaro Horiguchi, Asim R Praveen, Paul Guo)
§
§
§
§
Standby servers may encounter missing tablespace directories when replaying database-creation WAL records. Prior to this patch, a standby would fail to recover in such a case; however, such directories could be legitimately missing. Create the tablespace (as a plain directory), then check that it has been dropped again once replay reaches a consistent state.
Support « in place » tablespaces (Thomas Munro, Michael Paquier, Álvaro Herrera) §
Normally a Postgres tablespace is a symbolic link to a directory on
some other filesystem. This change allows it to just be a plain
directory. While this has no use for separating tables onto
different filesystems, it is a convenient setup for testing.
Moreover, it is necessary to support the CREATE
DATABASE
replay fix, which transiently creates a missing
tablespace as an « in place » tablespace.
Fix permissions checks in CREATE INDEX
(Nathan
Bossart, Noah Misch)
§
The fix for CVE-2022-1552 caused CREATE INDEX
to
apply the table owner's permissions while performing lookups of
operator classes and other objects, where formerly the calling
user's permissions were used. This broke dump/restore scenarios,
because pg_dump issues CREATE
INDEX
before re-granting permissions.
In extended query protocol, force an immediate commit
after CREATE DATABASE
and other commands that
can't run in a transaction block (Tom Lane)
§
If the client does not send a Sync message immediately after such a command, but instead sends another command, any failure in that command would lead to rolling back the preceding command, typically leaving inconsistent state on-disk (such as a missing or extra database directory). The mechanisms intended to prevent that situation turn out to work for multiple commands in a simple-Query message, but not for a series of extended-protocol messages. To prevent inconsistency without breaking use-cases that work today, force an implicit commit after such commands.
Fix race condition when checking transaction visibility (Simon Riggs) §
TransactionIdIsInProgress
could
report false
before the subject transaction is
considered visible, leading to various misbehaviors. The race
condition window is normally very narrow, but use of synchronous
replication makes it much wider, because the wait for a synchronous
replica happens in that window.
Fix queries in which a « whole-row variable » references the result of a function that returns a domain over composite type (Tom Lane) §
Fix « variable not found in subplan target list » planner
error when pulling up a sub-SELECT
that's
referenced in a GROUPING
function (Richard Guo)
§
Fix incorrect plans when sorting by an expression that contains a non-top-level set-returning function (Richard Guo, Tom Lane) § §
Avoid planner core dump with
clauses when
there are MCV-type extended statistics on
the constant
= ANY(array
)array
variable (Tom Lane)
§
§
Fix ALTER TABLE ... ENABLE/DISABLE TRIGGER
to
handle recursion correctly for triggers on partitioned tables
(Álvaro Herrera, Amit Langote)
§
§
In certain cases, a « trigger does not exist » failure would occur because the command would try to adjust the trigger on a child partition that doesn't have it.
Improve syntax error messages for type jsonpath
(Andrew Dunstan)
§
Prevent pg_stat_get_subscription()
from
possibly returning an extra row containing garbage values
(Kuntal Ghosh)
§
Ensure that pg_stop_backup()
cleans up session
state properly (Fujii Masao)
§
This omission could lead to assertion failures or crashes later in the session.
Fix join alias matching in FOR [KEY] UPDATE/SHARE
clauses (Dean Rasheed)
§
In corner cases, a misleading error could be reported.
Avoid crashing if too many column aliases are attached to
an XMLTABLE
or JSON_TABLE
construct (Álvaro Herrera)
§
§
Reject ROW()
expressions and functions
in FROM
that have too many columns (Tom Lane)
§
§
Cases with more than about 1600 columns are unsupported, and have always failed at execution. However, it emerges that some earlier code could be driven to assertion failures or crashes by queries with more than 32K columns. Add a parse-time check to prevent that.
When decompiling a view or rule, show a SELECT
output column's AS "?column?"
alias clause
if it could be referenced elsewhere (Tom Lane)
§
Previously, this auto-generated alias was always hidden; but there are corner cases where doing so results in a non-restorable view or rule definition.
Fix dumping of a view using a function in FROM
that returns a composite type, when column(s) of the composite type
have been dropped since the view was made (Tom Lane)
§
This oversight could lead to dump/reload or pg_upgrade failures, as the dumped view would have too many column aliases for the function.
Report implicitly-created operator families to event triggers (Masahiko Sawada) §
If CREATE OPERATOR CLASS
results in the implicit
creation of an operator family, that object was not reported to
event triggers that should capture such events.
Fix control file updates made when a restartpoint is running during promotion of a standby server (Kyotaro Horiguchi) §
Previously, when the restartpoint completed it could incorrectly update the last-checkpoint fields of the control file, potentially leading to PANIC and failure to restart if the server crashes before the next normal checkpoint completes.
Prevent triggering of
standby's wal_receiver_timeout
during logical
replication of large transactions (Wang Wei, Amit Kapila)
§
If a large transaction on the primary server sends no data to the standby (perhaps because no table it changes is published), it was possible for the standby to timeout. Fix that by ensuring we send keepalive messages periodically in such situations.
Disallow nested backup operations in logical replication walsenders (Fujii Masao) §
Fix memory leak in logical replication subscribers (Hou Zhijie) §
Fix logical replication's checking of replica identity when the target table is partitioned (Shi Yu, Hou Zhijie) § §
The replica identity columns have to be re-identified for the child partition.
Fix failures to update cached schema data in a logical replication subscriber after a schema change on the publisher (Shi Yu, Hou Zhijie) § §
Prevent open-file leak when reading an invalid timezone abbreviation file (Kyotaro Horiguchi) §
Such cases could result in harmless warning messages.
Allow custom server parameters to have short descriptions that are NULL (Steve Chavez) §
Previously, although extensions could choose to create such settings, some code paths would crash while processing them.
Fix WAL consistency checking logic to correctly
handle BRIN_EVACUATE_PAGE
flags (Haiyang Wang)
§
§
Fix erroneous assertion checks in shared hashtable management (Thomas Munro) §
Arrange to clean up after commit-time errors
within SPI_commit()
, rather than expecting
callers to do that (Peter Eisentraut, Tom Lane)
§
§
Proper cleanup is complicated and requires use of low-level
facilities, so it's not surprising that no known caller got it
right. This led to misbehaviors when a PL procedure
issued COMMIT
but a failure occurred (such as a
deferred constraint check). To improve matters,
redefine SPI_commit()
as starting a new
transaction, so that it becomes equivalent
to SPI_commit_and_chain()
except that you get
default transaction characteristics instead of preserving the prior
transaction's characteristics. To make this somewhat transparent
API-wise, redefine SPI_start_transaction()
as a
no-op. All known callers of SPI_commit()
immediately call SPI_start_transaction()
, so
they will not notice any change. Similar remarks apply
to SPI_rollback()
.
Also fix PL/Python, which omitted any handling of such errors at all, resulting in jumping out of the Python interpreter. This is reported to crash Python 3.11. Older Python releases leak some memory but seem okay with it otherwise.
Remove misguided SSL key file ownership check in libpq (Tom Lane) §
In the previous minor releases, we copied the server's permission checking rules for SSL private key files into libpq. But we should not have also copied the server's file-ownership check. While that works in normal use-cases, it can result in an unexpected failure for clients running as root, and perhaps in other cases.
Ensure ecpg reports server connection loss sanely (Tom Lane) §
Misprocessing of a libpq-generated error result, such as a report of lost connection, would lead to printing « (null) » instead of a useful error message; or in older releases it would lead to a crash.
Avoid core dump in ecpglib with unexpected orders of operations (Tom Lane) §
Certain operations such as EXEC SQL PREPARE
would
crash (rather than reporting an error as expected) if called before
establishing any database connection.
In ecpglib, avoid
redundant newlocale()
calls (Noah Misch)
§
§
Allocate a C locale object once per process when first connecting, rather than creating and freeing locale objects once per query. This mitigates a libc memory leak on AIX, and may offer some performance benefit everywhere.
In psql's \watch
command, echo a newline after cancellation with control-C
(Pavel Stehule)
§
This prevents libedit (and possibly also libreadline) from becoming confused about which column the cursor is in.
Fix possible report of wrong error condition
after clone()
failure
in pg_upgrade
with --clone
option (Justin Pryzby)
§
Fix contrib/pg_stat_statements
to avoid
problems with very large query-text files on 32-bit platforms
(Tom Lane)
§
Ensure that contrib/postgres_fdw
sends
constants of regconfig
and other reg*
types with proper schema qualification (Tom Lane)
§
Block signals while allocating dynamic shared memory on Linux (Thomas Munro) § § §
This avoids problems when a signal
interrupts posix_fallocate()
.
Detect unexpected EEXIST
error
from shm_open()
(Thomas Munro)
§
This avoids a possible crash on Solaris.
Adjust PL/Perl test case so it will work under Perl 5.36 (Dagfinn Ilmari Mannsåker) §
Avoid incorrectly using an out-of-date libldap_r library when multiple OpenLDAP installations are present while building PostgreSQL (Tom Lane) §