E.2. Release 9.6.23

Disallow SSL renegotiation more completely (Michael Paquier)

SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issue CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.

Reject SELECT ... GROUP BY GROUPING SETS (()) FOR UPDATE (Tom Lane)

This should be disallowed, just as FOR UPDATE with a plain GROUP BY is disallowed, but the test for that failed to handle empty grouping sets correctly. The end result would be a null-pointer dereference in the executor.

Reject cases where a query in WITH rewrites to just NOTIFY (Tom Lane)

Such cases previously crashed.

In numeric multiplication, round the result rather than failing if it would have more than 16383 digits after the decimal point (Dean Rasheed)

Fix corner-case errors and loss of precision when raising numeric values to very large powers (Dean Rasheed)

Fix division-by-zero failure in to_char() with EEEE format and a numeric input value less than 10^(-1001) (Dean Rasheed)

Fix pg_size_pretty(bigint) to round negative values consistently with the way it rounds positive ones (and consistently with the numeric version) (Dean Rasheed, David Rowley)

Make pg_filenode_relation(0, 0) return NULL rather than failing (Justin Pryzby)

Make ALTER EXTENSION lock the extension when adding or removing a member object (Tom Lane)

The previous coding allowed ALTER EXTENSION ADD/DROP to occur concurrently with DROP EXTENSION, leading to a crash or corrupt catalog entries.

Avoid alias conflicts in queries generated for REFRESH MATERIALIZED VIEW CONCURRENTLY (Tom Lane, Bharath Rupireddy)

This command failed on materialized views containing columns with certain names, notably mv and newdata.

Fix PREPARE TRANSACTION to check correctly for conflicting session-lifespan and transaction-lifespan locks (Tom Lane)

A transaction cannot be prepared if it has both session-lifespan and transaction-lifespan locks on the same advisory-lock ID value. This restriction was not fully checked, which could lead to a PANIC during PREPARE TRANSACTION.

Fix misbehavior of DROP OWNED BY when the target role is listed more than once in an RLS policy (Tom Lane)

Skip unnecessary error tests when removing a role from an RLS policy during DROP OWNED BY (Tom Lane)

Notably, this fixes some cases where it was necessary to be a superuser to use DROP OWNED BY.

Allow index state flags to be updated transactionally (Michael Paquier, Andrey Lepikhov)

This avoids failures when dealing with index predicates that aren't really immutable. While that's not considered a supported case, the original reason for using a non-transactional update here is long gone, so we may as well change it.

Avoid corrupting the plan cache entry when CREATE DOMAIN or ALTER DOMAIN appears in a cached plan (Tom Lane)

Make pg_settings.pending_restart show as true when the pertinent entry in postgresql.conf has been removed (Álvaro Herrera)

pending_restart correctly showed the case where an entry that cannot be changed without a postmaster restart has been modified, but not where the entry had been removed altogether.

Fix corner-case failure of a new standby to follow a new primary (Dilip Kumar, Robert Haas)

Under a narrow combination of conditions, the standby could wind up trying to follow the wrong WAL timeline.

Update minimum recovery point when WAL replay of a transaction abort record causes file truncation (Fujii Masao)

File truncation is irreversible, so it's no longer safe to stop recovery at a point earlier than that record. The corresponding case for transaction commit was fixed years ago, but this one was overlooked.

Ensure that a standby server's startup process will respond to a shutdown signal promptly while waiting for WAL to arrive (Fujii Masao, Soumyadeep Chakraborty)

Add locking to avoid reading incorrect relmapper data in the face of a concurrent write from another process (Heikki Linnakangas)

Fix error cases and memory leaks in logical decoding of speculative insertions (Dilip Kumar)

Fix plan cache reference leaks in some error cases in CREATE TABLE ... AS EXECUTE (Tom Lane)

Fix possible race condition when releasing BackgroundWorkerSlots (Tom Lane)

It's likely that this doesn't fix any observable bug on Intel hardware, but machines with weaker memory ordering rules could have problems.

Fix latent crash in sorting code (Ronan Dunklau)

One code path could attempt to free a null pointer. The case appears unreachable in the core server's use of sorting, but perhaps it could be triggered by extensions.

Prevent infinite loops in SP-GiST index insertion (Tom Lane)

In the event that INCLUDE columns take up enough space to prevent a leaf index tuple from ever fitting on a page, the text_ops operator class would get into an infinite loop vainly trying to make the tuple fit. While pre-v11 versions don't have INCLUDE columns, back-patch this anti-looping fix to them anyway, as it seems like a good defense against bugs in operator classes.

Ensure that SP-GiST index insertion can be terminated by a query cancel request (Tom Lane, Álvaro Herrera)

Fix uninitialized-variable bug that could cause PL/pgSQL to act as though an INTO clause specified STRICT, even though it didn't (Tom Lane)

Don't abort the process for an out-of-memory failure in libpq's printing functions (Tom Lane)

In ecpg, allow the numeric value INT_MIN (usually -2147483648) to be converted to integer (John Naylor)

In psql and other client programs, avoid overrunning the ends of strings when dealing with invalidly-encoded data (Tom Lane)

An incorrectly-encoded multibyte character near the end of a string could cause various processing loops to run past the string's terminating NUL, with results ranging from no detectable issue to a program crash, depending on what happens to be in the following memory. This is reminiscent of CVE-2006-2313, although these particular cases do not appear to have interesting security consequences.

Avoid « invalid creation date in header » warnings observed when running pg_restore on an archive file created in a different time zone (Tom Lane)

Make pg_upgrade carry forward the old installation's oldestXID value (Bertrand Drouvot)

Previously, the new installation's oldestXID was set to a value old enough to (usually) force immediate anti-wraparound autovacuuming. That's not desirable from a performance standpoint; what's worse, installations using large values of autovacuum_freeze_max_age could suffer unwanted forced shutdowns soon after an upgrade.

Extend pg_upgrade to detect and warn about extensions that should be upgraded (Bruce Momjian)

A script file is now produced containing the ALTER EXTENSION UPDATE commands needed to bring extensions up to the versions that are considered default in the new installation.

In contrib/postgres_fdw, avoid attempting catalog lookups after an error (Tom Lane)

While this usually worked, it's not very safe since the error might have been one that made catalog access nonfunctional. A side effect of the fix is that messages about data conversion errors will now mention the query's table and column aliases (if used) rather than the true underlying name of a foreign table or column.

In contrib/pgcrypto, avoid symbol name conflicts with OpenSSL (Tom Lane)

Operations using SHA224 hashing could show failures under valgrind checking. It appears that this is only a stomp of alignment-padding bytes and so has no real consequences, but let's fix it to be sure.

Improve the isolation-test infrastructure (Tom Lane, Michael Paquier)

Allow isolation test steps to be annotated to show the expected completion order. This allows getting stable results from otherwise-racy test cases, without the long delays that we previously used (not entirely successfully) to fend off race conditions. Allow non-quoted identifiers as isolation test session/step names (formerly, all such names had to be double-quoted). Detect and warn about unused steps in isolation tests. Improve display of query results in isolation tests. Remove isolationtester's « dry-run » mode. Remove memory leaks in isolationtester itself.

Reduce overhead of cache-clobber testing (Tom Lane)

Fix PL/Python's regression tests to pass with Python 3.10 (Honza Horak)

Make printf("%s", NULL) print (null) instead of crashing (Tom Lane)

This should improve server robustness in corner cases, and it syncs our printf implementation with common libraries.

Fix incorrect log message when point-in-time recovery stops at a ROLLBACK PREPARED record (Simon Riggs)

Clarify error messages referring to « non-negative » values (Bharath Rupireddy)

Fix configure to work with OpenLDAP 2.5, which no longer has a separate libldap_r library (Adrian Ho, Tom Lane)

If there is no libldap_r library, we now silently assume that libldap is thread-safe.

Add new make targets world-bin and install-world-bin (Andrew Dunstan)

These are the same as world and install-world respectively, except that they do not build or install the documentation.

Fix make rule for TAP tests (prove_installcheck) to work in PGXS usage (Andrew Dunstan)

Avoid assuming that strings returned by GSSAPI libraries are null-terminated (Tom Lane)

The GSSAPI spec provides for a string pointer and length. It seems that in practice the next byte after the string is usually zero, so that our previous coding didn't actually fail; but we do have a report of AddressSanitizer complaints.

Enable building with GSSAPI on MSVC (Michael Paquier)

Fix various incompatibilities with modern Kerberos builds.

In MSVC builds, include --with-pgport in the set of configure options reported by pg_config, if it had been specified (Andrew Dunstan)