Appendix E. Release Notes
This release contains a variety of fixes from 9.2.10. For information about new features in the 9.2 major release, see Section E.38.
E.27.1. Migration to Version 9.2.11
A dump/restore is not required for those running 9.2.X.
However, if you use contrib/citext’s regexp_matches() functions, see the changelog entry below about that.
Also, if you are upgrading from a version earlier than 9.2.10, see Section E.28.
E.27.2. Changes
• Avoid possible crash when client disconnects just before the authentication timeout expires (Benkocs Norbert Attila)
If the timeout interrupt fired partway through the session shutdown sequence, SSL-related state would be freed twice, typically causing a crash and hence denial of service to other sessions. Experimentation shows that an unauthenticated remote attacker could trigger the bug somewhat consistently, hence it is treated as a security issue. (CVE-2015-3165)
• Improve detection of system-call failures (Noah Misch)
Our replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure, due to our code assuming that a buffer had been overwritten when it hadn’t been. Also, there were a few places in which security-relevant calls of other system library functions did not check for failure.
It remains possible that some calls of the *printf() family of functions are vulnerable to information disclosure if an out-of-memory error occurs at just the wrong time. We judge the risk to not be large, but will continue analysis in this area. (CVE-2015-3166)
• In contrib/pgcrypto, uniformly report decryption failures as “Wrong key or corrupt data” (Noah Misch)
Previously, some cases of decryption with an incorrect key could report other error message texts. It has been shown that such variance in error reports can aid attackers in recovering keys from other systems. While it’s unknown whether pgcrypto’s specific behaviors are likewise exploitable, it seems better to avoid the risk by using a one-size-fits-all message. (CVE-2015-3167)
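The item above describes a server-side change. As an added example (not part of the release notes and not pgcrypto’s own code), the following SQL shows the same principle applied at the application layer: a PL/pgSQL wrapper that collapses every decryption failure into one fixed message, so that a caller cannot distinguish a wrong key from corrupt or truncated data by the error text. It assumes contrib/pgcrypto is installed; the function name decrypt_uniform and the sample plaintext and passphrase are hypothetical.

```sql
-- Added example, not from the release notes or from pgcrypto itself.
-- Assumes contrib/pgcrypto is installed; names and sample data are hypothetical.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Every failure inside pgp_sym_decrypt() (wrong key, corrupt data, truncated
-- input, ...) is replaced by the same message, and SQLERRM/SQLSTATE from the
-- underlying error are deliberately discarded so nothing distinguishing leaks.
CREATE OR REPLACE FUNCTION decrypt_uniform(ciphertext bytea, passphrase text)
RETURNS text
LANGUAGE plpgsql
AS $$
BEGIN
    RETURN pgp_sym_decrypt(ciphertext, passphrase);
EXCEPTION
    WHEN OTHERS THEN
        RAISE EXCEPTION 'Wrong key or corrupt data';
END;
$$;

-- Correct key: the plaintext comes back.
SELECT decrypt_uniform(pgp_sym_encrypt('attack at dawn', 'correct horse'), 'correct horse');

-- Wrong key and truncated ciphertext now produce the identical error,
-- whatever pgcrypto itself reported underneath.
SELECT decrypt_uniform(pgp_sym_encrypt('attack at dawn', 'correct horse'), 'wrong key');
SELECT decrypt_uniform(
    substring(pgp_sym_encrypt('attack at dawn', 'correct horse') from 1 for 20),
    'correct horse');
```

This only normalizes the error text that reaches the client; it does not remove timing differences between failure paths, and it does not replace the fix in pgcrypto itself. Upgrading to a release containing the fix is the real remedy; the wrapper is a stopgap for applications that must keep talking to an older server.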
• Fix incorrect declaration of contrib/citext’s regexp_matches() functions (Tom Lane)
These functions should return setof text[], like the core functions they are wrappers for; but they were incorrectly declared as returning just text[]. This mistake had two results: first, if there was no match you got a scalar null result, whereas what you should get is an empty set (zero rows). Second, the g flag was effectively ignored, since you would get only one result array even if there were multiple matches.
While the latter behavior is clearly a bug, there might be applications depending on the former behavior; therefore the function declarations will not be changed by default until PostgreSQL 9.5. In pre-9.5 branches, the old behavior exists in version 1.0 of the citext extension, while we have provided corrected declarations in version 1.1 (which is not installed by default). To adopt the fix in pre-9.5 branches, execute ALTER EXTENSION citext UPDATE TO '1.1' in each database in which citext is installed. (You can also “update” back to 1.0 if you need to undo that.) Be aware that either update direction will require dropping and recreating any views or rules that use citext’s regexp_matches() functions.
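As an added example (not part of the release notes), the following SQL walks through the update described above: it shows the two behavioral differences between the 1.0 and 1.1 declarations, the view that has to be dropped before the update and recreated afterwards, and a check that confirms the set-returning behavior is in effect. It assumes the citext extension is installed and that the current user may alter it; the view name digits_v and the sample strings are hypothetical.

```sql
-- Added example, not from the release notes. Assumes citext is installed and
-- the current user may alter it; the view name and sample strings are hypothetical.
CREATE EXTENSION IF NOT EXISTS citext;

-- Under citext 1.0 (the pre-9.5 default) regexp_matches() is declared as
-- returning text[]: a non-match yields one row holding NULL, and the 'g' flag
-- is effectively ignored because only one result array is ever returned.
SELECT regexp_matches('abc'::citext, 'x');            -- 1.0: one NULL row; 1.1: zero rows
SELECT regexp_matches('a1b2c3'::citext, '\d', 'g');   -- 1.0: {1} only; 1.1: {1}, {2}, {3}

-- A view using the citext wrapper pins the old declaration, so it must be
-- dropped before the update and recreated afterwards (same in the 1.1 -> 1.0 direction).
CREATE VIEW digits_v AS
    SELECT regexp_matches(val, '\d', 'g') AS digit
    FROM (VALUES ('a1b2'::citext)) AS t(val);

DROP VIEW digits_v;
ALTER EXTENSION citext UPDATE TO '1.1';   -- run in every database where citext is installed

CREATE VIEW digits_v AS
    SELECT regexp_matches(val, '\d', 'g') AS digit
    FROM (VALUES ('a1b2'::citext)) AS t(val);

-- Verification: with the corrected (setof text[]) declaration a non-match is an
-- empty set, so this count is 0; under 1.0 it is 1 (the single NULL row).
SELECT count(*) AS rows_for_nonmatch FROM regexp_matches('abc'::citext, 'x');
SELECT count(*) AS rows_for_global_match FROM digits_v;   -- 2 under 1.1, 1 under 1.0

-- To restore the old behavior, after dropping dependent views and rules again:
-- ALTER EXTENSION citext UPDATE TO '1.0';
```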
• Fix incorrect checking of deferred exclusion constraints after a HOT update (Tom Lane)
If a new row that potentially violates a deferred exclusion constraint is HOT-updated (that is, no indexed columns change and the row can be stored back onto the same table page) later in the same transaction, the exclusion constraint would be reported as violated when the check finally occurred, even if the row(s) the new row originally conflicted with had been deleted.
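As an added example (not part of the release notes), the following SQL reproduces the scenario just described so the fix can be verified on a given server: a deferred exclusion constraint, an overlapping insert, deletion of the conflicting row, then a HOT update of the new row before commit. It assumes contrib/btree_gist is available for the integer = operator in the GiST index; the table and column names are hypothetical. Whether the update is actually performed as a HOT update depends on the page having free space, which holds for a table this small.

```sql
-- Added example, not from the release notes: reproduction of the deferred
-- exclusion-constraint scenario. Assumes contrib/btree_gist; names are hypothetical.
CREATE EXTENSION IF NOT EXISTS btree_gist;

CREATE TABLE room_booking (
    room    int,
    during  tsrange,
    note    text,                 -- not indexed, so updating it qualifies for HOT
    EXCLUDE USING gist (room WITH =, during WITH &&)
        DEFERRABLE INITIALLY DEFERRED
);

INSERT INTO room_booking VALUES
    (1, '[2015-01-01 09:00, 2015-01-01 10:00)', 'original');

BEGIN;
-- Overlaps the existing booking; allowed for now because the check is deferred.
INSERT INTO room_booking VALUES
    (1, '[2015-01-01 09:30, 2015-01-01 10:30)', 'new');
-- Remove the row the new booking conflicted with.
DELETE FROM room_booking WHERE note = 'original';
-- HOT-update the new row: only a non-indexed column changes.
UPDATE room_booking SET note = 'new (edited)' WHERE note = 'new';
-- Before the fix this COMMIT raised a spurious exclusion violation;
-- with the fix it succeeds, since no conflicting row remains.
COMMIT;

SELECT room, during, note FROM room_booking;   -- expect exactly one row, 'new (edited)'
```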
• Fix planning of star-schema-style queries (Tom Lane)
Sometimes, efficient scanning of a large table requires that index parameters be provided from more than one other table (commonly, dimension tables whose keys are needed to index a large fact table). The planner should be able to find such plans, but an overly restrictive search heuristic prevented it.
• Prevent improper reordering of antijoins (NOT EXISTS joins) versus other outer joins (Tom Lane)
This oversight in the planner has been observed to cause “could not find RelOptInfo for given relids” errors, but it seems possible that sometimes an incorrect query plan might get past that consistency check and result in silently-wrong query output.
• Fix incorrect matching of subexpressions in outer-join plan nodes (Tom Lane)
Previously, if textually identical non-strict subexpressions were used both above and below an outer join, the planner might try to re-use the value computed below the join, which would be incorrect because the executor would force the value to NULL in case of an unmatched outer row.
• Fix GEQO planner to cope with failure of its join order heuristic (Tom Lane)
This oversight has been seen to lead to “failed to join all relations together” errors in queries involving LATERAL, and that might happen in other cases as well.
• Fix possible deadlock at startup when max_prepared_transactions is too small (Heikki Linnakangas)
• Don’t archive useless preallocated WAL files after a timeline switch (Heikki Linnakangas)
• Avoid “cannot GetMultiXactIdMembers() during recovery” error (Álvaro Herrera)
• Recursively fsync() the data directory after a crash (Abhijit Menon-Sen, Robert Haas)
This ensures consistency if another crash occurs shortly later. (The second crash would have to be a system-level crash, not just a database crash, for there to be a problem.)
• Fix autovacuum launcher’s possible failure to shut down, if an error occurs after it receives SIGTERM (Álvaro Herrera)
• Cope with unexpected signals in LockBufferForCleanup() (Andres Freund)
This oversight could result in spurious errors about “multiple backends attempting to wait for pincount 1”.
• Fix crash when doing COPY IN to a table with check constraints that contain whole-row references (Tom Lane)
The known failure case only crashes in 9.4 and up, but there is very similar code in 9.3 and 9.2, so back-patch those branches as well.
• Avoid waiting for WAL flush or synchronous replication during commit of a transaction that was read-only so far as the user is concerned (Andres Freund)
Previously, a delay could occur at commit in transactions that had written WAL due to HOT page pruning, leading to undesirable effects such as sessions getting stuck at startup if all synchronous replicas are down. Sessions have also been observed to get stuck in catchup interrupt processing when using synchronous replication; this will fix that problem as well.
• Fix crash when manipulating hash indexes on temporary tables (Heikki Linnakangas)
• Fix possible failure during hash index bucket split, if other processes are modifying the index concurrently (Tom Lane)
• Check for interrupts while analyzing index expressions (Jeff Janes)
ANALYZE executes index expressions many times; if there are slow functions in such an expression, it’s desirable to be able to cancel the ANALYZE before that loop finishes.
• Ensure tableoid of a foreign table is reported correctly when a READ COMMITTED recheck occurs after locking rows in SELECT FOR UPDATE, UPDATE, or DELETE (Etsuro Fujita)
• Add the name of the target server to object description strings for foreign-server user mappings (Álvaro Herrera)
• Recommend setting include_realm to 1 when using Kerberos/GSSAPI/SSPI authentication (Stephen Frost)
Without this, identically-named users from different realms cannot be distinguished. For the moment this is only a documentation change, but it will become the default setting in PostgreSQL 9.5.
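As an added example (not part of the release notes), the following pg_hba.conf and pg_ident.conf fragments show the weak setting beside the corrected one. The realm name EXAMPLE.COM, the address range and the map name krb are hypothetical.

```text
# Added example, not from the release notes. Realm, address range and map name are hypothetical.

# --- pg_hba.conf ---

# Weak: the realm is stripped before the user name is matched, so the principals
# alice@EXAMPLE.COM and alice@PARTNER.ORG both authenticate as the role "alice".
host    all    all    10.0.0.0/8    gss

# Corrected: keep the realm in the authenticated name (include_realm=1), accept
# only principals from the trusted realm (krb_realm), and translate
# "user@REALM" to a database role through an explicit user-name map.
# Without map=..., the role would have to be named literally "alice@EXAMPLE.COM".
host    all    all    10.0.0.0/8    gss    include_realm=1  krb_realm=EXAMPLE.COM  map=krb

# --- pg_ident.conf ---

# MAPNAME    SYSTEM-USERNAME              PG-USERNAME
krb          /^(.*)@EXAMPLE\.COM$         \1
```

With this map, alice@EXAMPLE.COM becomes the role alice, while alice@PARTNER.ORG is rejected twice over: it fails the krb_realm check, and even without that check it would not match the map’s regular expression.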
• Remove code for matching IPv4 pg_hba.conf entries to IPv4-in-IPv6 addresses (Tom Lane)
This hack was added in 2003 in response to a report that some Linux kernels of the time would report IPv4 connections as having IPv4-in-IPv6 addresses. However, the logic was accidentally broken in 9.0. The lack of any field complaints since then shows that it’s not needed anymore. Now we have reports that the broken code causes crashes on some systems, so let’s just remove it rather than fix it. (Had we chosen to fix it, that would make for a subtle and potentially security-sensitive change in the effective meaning of IPv4 pg_hba.conf entries, which does not seem like a good thing to do in minor releases.)
• Report WAL flush, not insert, position in IDENTIFY_SYSTEM replication command (Heikki Linnakangas)
This avoids a possible startup failure in pg_receivexlog.
• While shutting down service on Windows, periodically send status updates to the Service Control Manager to prevent it from killing the service too soon; and ensure that pg_ctl will wait for shutdown (Krystian Bigaj)
• Reduce risk of network deadlock when using libpq’s non-blocking mode (Heikki Linnakangas)
When sending large volumes of data, it’s important to drain the input buffer every so often, in case the server has sent enough response data to cause it to block on output. (A typical scenario is that the server is sending a stream of NOTICE messages during COPY FROM STDIN.) This worked properly in the normal blocking mode, but not so much in non-blocking mode. We’ve modified libpq to opportunistically drain input when it can, but a full defense against this problem requires application cooperation: the application should watch for socket read-ready as well as write-ready conditions, and be sure to call PQconsumeInput() upon read-ready.
• In libpq, fix misparsing of empty values in URI connection strings (Thomas Fanghaenel)
• Fix array handling in ecpg (Michael Meskes)
• Fix psql to sanely handle URIs and conninfo strings as the first parameter to \connect (David Fetter, Andrew Dunstan, Álvaro Herrera)
This syntax has been accepted (but undocumented) for a long time, but previously some parameters might be taken from the old connection instead of the given string, which was agreed to be undesirable.
• Suppress incorrect complaints from psql on some platforms that it failed to write ~/.psql_history at exit (Tom Lane)
This misbehavior was caused by a workaround for a bug in very old (pre-2006) versions of libedit. We fixed it by removing the workaround, which will cause a similar failure to appear for anyone still using such versions of libedit. Recommendation: upgrade that library, or use libreadline.
• Fix pg_dump’s rule for deciding which casts are system-provided casts that should not be dumped (Tom Lane)
• In pg_dump, fix failure to honor -Z compression level option together with -Fd (Michael Paquier)
• Make pg_dump consider foreign key relationships between extension configuration tables while choosing dump order (Gilles Darold, Michael Paquier, Stephen Frost)
This oversight could result in producing dumps that fail to reload because foreign key constraints are transiently violated.
• Fix dumping of views that are just VALUES(...) but have column aliases (Tom Lane)
• In pg_upgrade, force timeline 1 in the new cluster (Bruce Momjian)
This change prevents upgrade failures caused by bogus complaints about missing WAL history files.
• In pg_upgrade, check for improperly non-connectable databases before proceeding (Bruce Momjian)
• In pg_upgrade, quote directory paths properly in the generated delete_old_cluster script (Bruce Momjian)
• In pg_upgrade, preserve database-level freezing info properly (Bruce Momjian)
This oversight could cause missing-clog-file errors for tables within the postgres and template1 databases.
• Run pg_upgrade and pg_resetxlog with restricted privileges on Windows, so that they don’t fail when run by an administrator (Muhammad Asif Naeem)
• Improve handling of readdir() failures when scanning directories in initdb and pg_basebackup (Marco Nenciarini)
• Fix failure in pg_receivexlog (Andres Freund)
A patch merge mistake in 9.2.10 led to “could not create archive status file” errors.
• Fix slow sorting algorithm in contrib/intarray (Tom Lane)
• Fix compile failure on Sparc V8 machines (Rob Rowan)
• Update time zone data files to tzdata release 2015d for DST law changes in Egypt, Mongolia, and Palestine, plus historical changes in Canada and Chile. Also adopt revised zone abbreviations for the America/Adak zone (HST/HDT not HAST/HADT).
E.28. Release 9.2.10
Release Date: 2015-02-05
This release contains a variety of fixes from 9.2.9. For information about new features in the 9.2 major release, see Section E.38.
E.28.1. Migration to Version 9.2.10
A dump/restore is not required for those running 9.2.X.
However, if you are a Windows user and are using the “Norwegian (Bokmål)” locale, manual action is needed after the upgrade to replace any “Norwegian (Bokmål)_Norway” locale names stored in PostgreSQL system catalogs with the plain-ASCII alias “Norwegian_Norway”. For details see http://wiki.postgresql.org/wiki/Changes_To_Norwegian_Locale
Also, if you are upgrading from a version earlier than 9.2.9, see Section E.29.
E.28.2. Changes
• Fix buffer overruns in to_char() (Bruce Momjian)
When to_char() processes a numeric formatting template calling for a large number of digits, PostgreSQL would read past the end of a buffer. When processing a crafted timestamp formatting template, PostgreSQL would write past the end of a buffer. Either case could crash the server. We have not ruled out the possibility of attacks that lead to privilege escalation, though they seem unlikely. (CVE-2015-0241)
• Fix buffer overrun in replacement *printf() functions (Tom Lane)
PostgreSQL includes a replacement implementation of printf and related functions. This code will overrun a stack buffer when formatting a floating point number (conversion specifiers e, E, f, F, g or G) with requested precision greater than about 500. This will crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. A database user can trigger such a buffer overrun through the to_char() SQL function. While that is the only affected core PostgreSQL functionality, extension modules that use printf-family functions may be at risk as well.
This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of these functions where adequate, which it is on other modern platforms. (CVE-2015-0242)
• Fix buffer overruns in contrib/pgcrypto (Marko Tiikkaja, Noah Misch)
Errors in memory size tracking within the pgcrypto module permitted stack buffer overruns and improper dependence on the contents of uninitialized memory. The buffer overrun cases can crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. (CVE-2015-0243)
• Fix possible loss of frontend/backend protocol synchronization after an error (Heikki Linnakangas)
If any error occurred while the server was in the middle of reading a protocol message from the client, it could lose synchronization and incorrectly try to interpret part of the message’s data as a new protocol message. An attacker able to submit crafted binary data within a command parameter might succeed in injecting his own SQL commands this way. Statement timeout and query cancellation are the most likely sources of errors triggering this scenario. Particularly vulnerable are applications that use a timeout and also submit arbitrary user-crafted data as binary query param-