Release date: 2017-11-09
This release contains a variety of fixes from 9.5.9. For information about new features in the 9.5 major release, see Section E.20.
A dump/restore is not required for those running 9.5.X.
However, if you use BRIN indexes, see the fourth changelog entry below.
Also, if you are upgrading from a version earlier than 9.5.8, see Section E.12.
Ensure that INSERT ... ON CONFLICT DO UPDATE
checks
table permissions and RLS policies in all cases (Dean Rasheed)
The update path of INSERT ... ON CONFLICT DO UPDATE
requires SELECT
permission on the columns of the
arbiter index, but it failed to check for that in the case of an
arbiter specified by constraint name.
In addition, for a table with row level security enabled, it failed to
check updated rows against the table's SELECT
policies (regardless of how the arbiter index was specified).
(CVE-2017-15099)
Fix crash due to rowtype mismatch
in json{b}_populate_recordset()
(Michael Paquier, Tom Lane)
These functions used the result rowtype specified in the FROM
... AS
clause without checking that it matched the actual
rowtype of the supplied tuple value. If it didn't, that would usually
result in a crash, though disclosure of server memory contents seems
possible as well.
(CVE-2017-15098)
Fix sample server-start scripts to become $PGUSER
before opening $PGLOG
(Noah Misch)
Previously, the postmaster log file was opened while still running as
root. The database owner could therefore mount an attack against
another system user by making $PGLOG
be a symbolic
link to some other file, which would then become corrupted by appending
log messages.
By default, these scripts are not installed anywhere. Users who have
made use of them will need to manually recopy them, or apply the same
changes to their modified versions. If the
existing $PGLOG
file is root-owned, it will need to
be removed or renamed out of the way before restarting the server with
the corrected script.
(CVE-2017-12172)
Fix BRIN index summarization to handle concurrent table extension correctly (Álvaro Herrera)
Previously, a race condition allowed some table rows to be omitted from the index. It may be necessary to reindex existing BRIN indexes to recover from past occurrences of this problem.
Fix possible failures during concurrent updates of a BRIN index (Tom Lane)
These race conditions could result in errors like “invalid index offnum” or “inconsistent range map”.
Fix crash when logical decoding is invoked from a SPI-using function, in particular any function written in a PL language (Tom Lane)
Fix json_build_array()
,
json_build_object()
, and their jsonb
equivalents to handle explicit VARIADIC
arguments
correctly (Michael Paquier)
Properly reject attempts to convert infinite float values to
type numeric
(Tom Lane, KaiGai Kohei)
Previously the behavior was platform-dependent.
Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
Record proper dependencies when a view or rule
contains FieldSelect
or FieldStore
expression nodes (Tom Lane)
Lack of these dependencies could allow a column or data
type DROP
to go through when it ought to fail,
thereby causing later uses of the view or rule to get errors.
This patch does not do anything to protect existing views/rules,
only ones created in the future.
Correctly detect hashability of range data types (Tom Lane)
The planner mistakenly assumed that any range type could be hashed for use in hash joins or hash aggregation, but actually it must check whether the range's subtype has hash support. This does not affect any of the built-in range types, since they're all hashable anyway.
Correctly ignore RelabelType
expression nodes
when determining relation distinctness (David Rowley)
This allows the intended optimization to occur when a subquery has
a result column of type varchar
.
Fix low-probability loss of NOTIFY
messages due to
XID wraparound (Marko Tiikkaja, Tom Lane)
If a session executed no queries, but merely listened for notifications, for more than 2 billion transactions, it started to miss some notifications from concurrently-committing transactions.
Avoid SIGBUS crash on Linux when a DSM memory request exceeds the space available in tmpfs (Thomas Munro)
Prevent low-probability crash in processing of nested trigger firings (Tom Lane)
Allow COPY
's FREEZE
option to
work when the transaction isolation level is REPEATABLE
READ
or higher (Noah Misch)
This case was unintentionally broken by a previous bug fix.
Correctly restore the umask setting when file creation fails
in COPY
or lo_export()
(Peter Eisentraut)
Give a better error message for duplicate column names
in ANALYZE
(Nathan Bossart)
Fix mis-parsing of the last line in a
non-newline-terminated pg_hba.conf
file
(Tom Lane)
Fix pg_basebackup's matching of tablespace paths to canonicalize both paths before comparing (Michael Paquier)
This is particularly helpful on Windows.
Fix libpq to not require user's home directory to exist (Tom Lane)
In v10, failure to find the home directory while trying to
read ~/.pgpass
was treated as a hard error,
but it should just cause that file to not be found. Both v10 and
previous release branches made the same mistake when
reading ~/.pg_service.conf
, though this was less
obvious since that file is not sought unless a service name is
specified.
Fix libpq to guard against integer
overflow in the row count of a PGresult
(Michael Paquier)
Fix ecpg's handling of out-of-scope cursor declarations with pointer or array variables (Michael Meskes)
In ecpglib, correctly handle backslashes in string literals depending
on whether standard_conforming_strings
is set
(Tsunakawa Takayuki)
Make ecpglib's Informix-compatibility mode ignore fractional digits in integer input strings, as expected (Gao Zengqi, Michael Meskes)
Fix missing temp-install prerequisites
for check
-like Make targets (Noah Misch)
Some non-default test procedures that are meant to work
like make check
failed to ensure that the temporary
installation was up to date.
Sync our copy of the timezone library with IANA release tzcode2017c (Tom Lane)
This fixes various issues; the only one likely to be user-visible
is that the default DST rules for a POSIX-style zone name, if
no posixrules
file exists in the timezone data
directory, now match current US law rather than what it was a dozen
years ago.
Update time zone data files to tzdata release 2017c for DST law changes in Fiji, Namibia, Northern Cyprus, Sudan, Tonga, and Turks & Caicos Islands, plus historical corrections for Alaska, Apia, Burma, Calcutta, Detroit, Ireland, Namibia, and Pago Pago.