- Guard against stack overflows in json parsing
> If an application constructs PostgreSQL json or jsonb values from arbitrary user input, the application's users can reliably crash the PostgreSQL server, causing momentary denial of service.
- Fix contrib/pgcrypto to detect and report too-short crypt() salts
> Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely.
- Fix subtransaction cleanup after a portal (cursor) belonging to an outer subtransaction fails
> A function executed in an outer-subtransaction cursor could cause an assertion failure or crash by referencing a relation created within an inner subtransaction.
- Fix possible deadlock during WAL insertion when commit_delay is set
- Ensure all relations referred to by an updatable view are properly locked during an update statement
- Fix insertion of relations into the relation cache "init file"
> An oversight in a patch in the most recent minor releases caused pg_trigger_tgrelid_tgname_index to be omitted from the init file. Subsequent sessions detected this, then deemed the init file to be broken and silently ignored it, resulting in a significant degradation in session startup time. In addition to fixing the bug, install some guards so that any similar future mistake will be more obvious.
- Avoid O(N^2) behavior when inserting many tuples into a SPI query result
- Improve LISTEN startup time when there are many unread notifications
- Fix performance problem when a session alters large numbers of foreign key constraints
> This was seen primarily when restoring pg_dump output for databases with many thousands of tables.
- Disable SSL renegotiation by default
> While use of SSL renegotiation is a good idea in theory, we have seen too many bugs in practice, both in the underlying OpenSSL library and in our usage of it. Renegotiation will be removed entirely in 9.5 and later. In the older branches, just change the default value of ssl_renegotiation_limit to zero (disabled).
- Lower the minimum values of the *_freeze_max_age parameters
> This is mainly to make tests of related behavior less time-consuming, but it may also be of value for installations with limited disk space.
- Limit the maximum value of wal_buffers to 2GB to avoid server crashes
- Avoid logging complaints when a parameter that can only be set at server start appears multiple times in postgresql.conf, and fix counting of line numbers after an include_dir directive
- Fix rare internal overflow in multiplication of numeric values
- Guard against hard-to-reach stack overflows involving record types, range types, json, jsonb, tsquery, ltxtquery and query_int
- Fix handling of DOW and DOY in datetime input
> These tokens aren't meant to be used in datetime values, but previously they resulted in opaque internal error messages rather than "invalid input syntax".
- Add more query-cancel checks to regular expression matching
- Add recursion depth protections to regular expression, SIMILAR TO, and LIKE matching
> Suitable search patterns and a low stack depth limit could lead to stack-overrun crashes.
- Fix potential infinite loop in regular expression execution
> A search pattern that can apparently match a zero-length string, but actually doesn't match because of a back reference, could lead to an infinite loop.
- In regular expression execution, correctly record match data for capturing parentheses within a quantifier even when the match is zero-length
- Fix low-memory failures in regular expression compilation
- Fix low-probability memory leak during regular expression execution
- Fix rare low-memory failure in lock cleanup during transaction abort
- Fix "unexpected out-of-memory situation during sort" errors when using tuplestores with small work_mem settings
- Fix very-low-probability stack overrun in qsort
- Fix "invalid memory alloc request size" failure in hash joins with large work_mem settings
- Fix assorted planner bugs
> These mistakes could lead to incorrect query plans that would give wrong answers, or to assertion failures in assert-enabled builds, or to odd planner errors such as "could not devise a query plan for the given query", "could not find pathkey item to sort", "plan should not reference subplan's variable", or "failed to assign all NestLoopParams to plan nodes". Thanks are due to Andreas Seltenreich and Piotr Stefaniak for fuzz testing that exposed these problems.
- Improve planner's performance for UPDATE/DELETE on large inheritance sets -
- Ensure standby promotion trigger files are removed at postmaster startup
- This prevents unwanted promotion from occurring if these files appear in a database backup that is used to initialize a new standby server.
- During postmaster shutdown, ensure that per-socket lock files are removed and listen sockets are closed before we remove the postmaster.pid file
> This avoids race-condition failures if an external script attempts to start a new postmaster as soon as pg_ctl stop returns.
- Ensure that the postmaster does not exit until all its child processes are gone, even in an immediate shutdown
> Like the previous item, this avoids possible race conditions against a subsequently-started postmaster.
- Fix postmaster's handling of a startup-process crash during crash recovery
> If, during a crash recovery cycle, the startup process crashes without having restored database consistency, we'd try to launch a new startup process, which typically would just crash again, leading to an infinite loop.
- Make emergency autovacuuming for multixact wraparound more robust
- Do not print a WARNING when an autovacuum worker is already gone when we attempt to signal it, and reduce log verbosity for such signals
- Prevent autovacuum launcher from sleeping unduly long if the server clock is moved backwards a large amount
- Ensure that cleanup of a GIN index's pending-insertions list is interruptable by cancel requests
- Allow all-zeroes pages in GIN indexes to be reused
> Such a page might be left behind after a crash.
- Fix handling of all-zeroes pages in SP-GiST indexes
> VACUUM attempted to recycle such pages, but did so in a way that wasn't crash-safe.
- Fix off-by-one error that led to otherwise-harmless warnings about "apparent wraparound" in subtrans/multixact truncation
- Fix misreporting of CONTINUE and MOVE statement types in PL/pgSQL's error context messages
- Fix PL/Perl to handle non-ASCII error message texts correctly
- Fix PL/Python crash when returning the string representation of a record result
- Fix some places in PL/Tcl that neglected to check for failure of malloc() calls
- In contrib/isn, fix output of ISBN-13 numbers that begin with 979
> EANs beginning with 979 (but not 9790) are considered ISBNs, but they must be printed in the new 13-digit format, not the 10-digit format.
- Improve contrib/pg_stat_statements' handling of query-text garbage collection
> The external file containing query texts could bloat to very large sizes; once it got past 1GB attempts to trim it would fail, soon leading to situations where the file could not be read at all.
- Improve contrib/postgres_fdw's handling of collation-related decisions
> The main user-visible effect is expected to be that comparisons involving varchar columns will be sent to the remote server for execution in more cases than before.
- Improve libpq's handling of out-of-memory conditions
- Fix memory leaks and missing out-of-memory checks in ecpg
- Fix psql's code for locale-aware formatting of numeric output
> The formatting code invoked by \pset numericlocale on did the wrong thing for some uncommon cases such as numbers with an exponent but no decimal point. It could also mangle already-localized output from the money data type.
- Prevent crash in psql's \c command when there is no current connection
- Make pg_dump handle inherited NOT VALID check constraints correctly
- Fix selection of default zlib compression level in pg_dump's directory output format
- Ensure that temporary files created during a pg_dump run with tar-format output are not world-readable
- Fix pg_dump and pg_upgrade to support cases where the postgres or template1 database is in a non-default tablespace
- Fix pg_dump to handle object privileges sanely when dumping from a server too old to have a particular privilege type
> When dumping data types from pre-9.2 servers, and when dumping functions or procedural languages from pre-7.3 servers, pg_dump would produce GRANT/REVOKE commands that revoked the owner's grantable privileges and instead granted all privileges to PUBLIC. Since the privileges involved are just USAGE and EXECUTE, this isn't a security problem, but it's certainly a surprising representation of the older systems' behavior. Fix it to leave the default privilege state alone in these cases.
- Fix pg_dump to dump shell types
> Shell types (that is, not-yet-fully-defined types) aren't useful for much, but nonetheless pg_dump should dump them.
- Fix assorted minor memory leaks in pg_dump and other client-side programs
- Fix pgbench's progress-report behavior when a query, or pgbench itself, gets stuck
- Fix spinlock assembly code for Alpha hardware
- Fix spinlock assembly code for PPC hardware to be compatible with AIX's native assembler
> Building with gcc didn't work if gcc had been configured to use the native assembler, which is becoming more common.
- On AIX, test the -qlonglong compiler option rather than just assuming it's safe to use
- On AIX, use -Wl,-brtllib link option to allow symbols to be resolved at runtime
> Perl relies on this ability in 5.8.0 and later.
- Avoid use of inline functions when compiling with 32-bit xlc, due to compiler bugs
- Use librt for sched_yield() when necessary, which it is on some Solaris versions
- Translate encoding UHC as Windows code page 949
> This fixes presentation of non-ASCII log messages from processes that are not attached to any particular database, such as the postmaster.
- On Windows, avoid failure when doing encoding conversion to UTF16 outside a transaction, such as for log messages
- Fix postmaster startup failure due to not copying setlocale()'s return value
> This has been reported on Windows systems with the ANSI code page set to CP936 ("Chinese (Simplified, PRC)"), and may occur with other multibyte code pages.
- Fix Windows install.bat script to handle target directory names that contain spaces
- Make the numeric form of the PostgreSQL version number (e.g., 90405) readily available to extension Makefiles, as a variable named VERSION_NUM
- Update time zone data files to tzdata release 2015g for DST law changes in Cayman Islands, Fiji, Moldova, Morocco, Norfolk Island, North Korea, Turkey, and Uruguay. There is a new zone name America/Fort_Nelson for the Canadian Northern Rockies.