Release date: 2023-05-11
This release contains a variety of fixes from 11.19. For information about new features in major release 11, see Section E.21.
The PostgreSQL community will stop releasing updates for the 11.X release series in November 2023. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.14, see Section E.7.
Prevent CREATE SCHEMA
from defeating changes
in search_path
(Alexander Lakhin)
Within a CREATE SCHEMA
command, objects in the
prevailing search_path
, as well as those in the
newly-created schema, would be visible even within a called
function or script that attempted to set a
secure search_path
. This could allow any user
having permission to create a schema to hijack the privileges of a
security definer function or extension script.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2023-2454)
Enforce row-level security policies correctly after inlining a set-returning function (Stephen Frost, Tom Lane)
If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2023-2455)
Avoid crash when the new schema name is omitted
in CREATE SCHEMA
(Michael Paquier)
The SQL standard allows writing CREATE SCHEMA AUTHORIZATION
, with the schema
name defaulting to owner_name
owner_name
. However
some code paths expected the schema name to be present and would
fail.
Disallow altering composite types that are stored in indexes (Tom Lane)
ALTER TYPE
disallows non-binary-compatible
modifications of composite types if they are stored in any table
columns. (Perhaps that will be allowed someday, but it hasn't
happened yet; the locking implications of rewriting many tables are
daunting.) We overlooked the possibility that an index might
contain a composite type that doesn't also appear in its table.
Ensure that COPY TO
from an RLS-enabled parent
table does not copy any rows from child tables (Antonin Houska)
The documentation is quite clear that COPY TO
copies rows from only the named table, not any inheritance children
it may have. However, if row-level security was enabled on the table
then this stopped being true.
Avoid possible crash when array_position()
or array_positions()
is passed an empty array
(Tom Lane)
Fix possible out-of-bounds fetch in to_char()
(Tom Lane)
With bad luck this could have resulted in a server crash.
Avoid buffer overread in translate()
function
(Daniil Anisimov)
When using the deletion feature, the function might fetch the byte just after the input string, creating a small risk of crash.
Fix error cursor setting for parse errors in JSON string literals (Tom Lane)
Most cases in which a syntax error is detected in a string literal within a JSON value failed to set the error cursor appropriately. This led at least to an unhelpful error message (pointing to the token before the string, rather than the actual trouble spot), and could even result in a crash in v14 and later.
Fix parser's failure to detect some cases of improperly-nested aggregates (Tom Lane)
This oversight could lead to executor failures for queries that should have been rejected as invalid.
Fix data structure corruption during parsing of
serial SEQUENCE NAME
options (David Rowley)
This can lead to trouble if an event trigger captures the corrupted parse tree.
Correctly update plan nodes' parallel-safety markings when moving initplans from one node to another (Tom Lane)
This planner oversight could lead to “subplan was not initialized” errors at runtime.
Disable the inverse-transition optimization for window aggregates when the call contains sub-SELECTs (David Rowley)
This optimization requires that the aggregate's argument expressions have repeatable results, which might not hold for a sub-SELECT.
Fix oversights in execution of nested ARRAY[]
constructs (Alexander Lakhin, Tom Lane)
Correctly detect overflow of the total space needed for the result array, avoiding a possible crash due to undersized output allocation. Also ensure that any trailing padding space in the result array is zeroed; while leaving garbage there is harmless for most purposes, it can result in odd behavior later.
Fix partition pruning logic for partitioning on boolean columns (David Rowley)
Pruning with a condition like boolcol IS NOT TRUE
was done incorrectly, leading to possibly not returning rows in
which boolcol
is NULL. Also, the rather unlikely
case of partitioning on NOT boolcol
was handled
incorrectly.
Fix race condition in per-batch cleanup during parallel hash join (Thomas Munro, Melanie Plageman)
A crash was possible given unlucky timing and
parallel_leader_participation
= off
(which is not the default).
Don't balance vacuum cost delay when a table has a
per-relation vacuum_cost_delay
setting of zero
(Masahiko Sawada)
Delay balancing is supposed to be disabled whenever autovacuum is
processing a table with a
per-relation vacuum_cost_delay
setting, but this
was done only for positive settings, not zero.
Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
Repair rare failure of MULTIEXPR_SUBLINK subplans in partitioned updates (Andres Freund, Tom Lane)
Use of the syntax INSERT ... ON CONFLICT DO UPDATE SET (c1,
...) = (SELECT ...)
with a partitioned target table could
result in failure if any child table is dissimilar from the parent
(for example, different physical column order).
This typically manifested as failure of consistency checks in the
executor; but a crash or incorrect data updates are also possible.
Fix handling of DEFAULT
markers within a
multi-row INSERT ... VALUES
query on a view that
has a DO ALSO INSERT ... SELECT
rule (Dean
Rasheed)
Such cases typically failed with “unrecognized node type” errors or assertion failures.
Support references to OLD
and NEW
within subqueries in rule actions
(Dean Rasheed, Tom Lane)
Such references are really lateral references, but the server could
crash if the subquery wasn't explicitly marked
with LATERAL
. Arrange to do that implicitly when
necessary.
When decompiling a rule or SQL function body
containing INSERT
/UPDATE
/DELETE
within WITH
, take care to print the correct alias
for the target table (Tom Lane)
Fix glitches in SERIALIZABLE READ ONLY
optimization (Thomas Munro)
Transactions already marked as “doomed” confused the
safe-snapshot optimization for SERIALIZABLE READ
ONLY
transactions. The optimization was unnecessarily
skipped in some cases. In other cases an assertion failure occurred
(but there was no problem in non-assert builds).
Avoid leaking cache callback slots in
the pgoutput
logical decoding plugin (Shi Yu)
Multiple cycles of starting up and shutting down the plugin within a single session would eventually lead to an “out of relcache_callback_list slots” error.
Fix dereference of dangling pointer during buffering build of a GiST index (Alexander Lakhin)
This error seems to usually be harmless in production builds, as the fetched value is noncritical; but in principle it could cause a server crash.
Ignore dropped columns during logical replication of an update or delete action (Onder Kalaci, Shi Yu)
Replication with the REPLICA IDENTITY FULL
option
failed if the table contained such columns.
Support RSA-PSS certificates with SCRAM-SHA-256 channel binding (Jacob Champion, Heikki Linnakangas)
This feature requires building with OpenSSL 1.1.1 or newer. Both the server and libpq are affected.
Avoid race condition with process ID tracking on Windows (Thomas Munro)
The operating system could recycle a PID before the postmaster observed that that child process was gone. This could lead to tracking more than one child with the same PID, resulting in confusion.
Add missing cases to SPI_result_code_string()
(Dean Rasheed)
Fix erroneous Valgrind markings
in AllocSetRealloc()
(Karina Litskevich)
In the unusual case where the size of a large (>8kB) palloc chunk is decreased, a Valgrind-aware build would mismark the defined-ness state of the memory released from the chunk, possibly causing incorrect results during Valgrind testing.
Avoid assertion failure when decoding a transactional logical replication message (Tomas Vondra)
Avoid locale sensitivity when processing regular expression escapes (Jeff Davis)
A backslash followed by a non-ASCII character could sometimes cause an assertion failure, depending on the prevailing locale.
Avoid trying to write an empty WAL record
in log_newpage_range()
when the last few pages
in the specified range are empty (Matthias van de Meent)
It is not entirely clear whether this case is reachable in released branches, but if it is then an assertion failure could occur.
Tighten array dimensionality checks when converting Perl list structures to multi-dimensional SQL arrays (Tom Lane)
plperl could misbehave when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. Such cases now produce errors, but previously they could result in a crash or garbage output.
Tighten array dimensionality checks when converting Python list structures to multi-dimensional SQL arrays (Tom Lane)
plpython could misbehave when dealing with empty sub-lists, or when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. The former should result in an empty output array, and the latter in an error. But some cases resulted in a crash, and others in unexpected output.
Fix unwinding of exception stack in plpython (Xing Guo)
Some rare failure cases could return without cleaning up the PG_TRY exception stack, risking a crash if another error was raised before the next stack level was unwound.
Fix possible data corruption in ecpg
programs built with the -C ORACLE
option
(Kyotaro Horiguchi)
When ecpg_get_data()
is called
with varcharsize
set to zero, it could write a
terminating zero character into the last byte of the preceding
field, truncating the data in that field.
Fix pg_dump so that partitioned tables that are hash-partitioned on an enum-type column can be restored successfully (Tom Lane)
Since the hash codes for enum values depend on the OIDs assigned to
the enum, they are typically different after a dump and restore,
meaning that rows often need to go into a different partition than
they were in originally. Users can work around that by specifying
the --load-via-partition-root
option; but since
there is very little chance of success without that,
teach pg_dump to apply it automatically
to such tables.
Also, fix pg_restore to not try
to TRUNCATE
target tables before restoring into
them when --load-via-partition-root
mode is used.
This avoids a hazard of deadlocks and lost data.
In contrib/hstore_plpython
, avoid crashing if
the Python value to be transformed isn't a mapping (Dmitry Dolgov,
Tom Lane)
This should give an error, but Python 3 changed some APIs in a way that caused the check to misbehave, allowing a crash to ensue.
Fix misbehavior in contrib/pg_trgm
with an
unsatisfiable regular expression (Tom Lane)
A regex such as $foo
is legal but unsatisfiable;
the regex compiler recognizes that and produces an empty NFA graph.
Attempting to optimize such a graph into a pg_trgm GIN or GiST index
qualification resulted in accessing off the end of a work array,
possibly leading to crashes.
Use the --strip-unneeded
option when stripping
static libraries with
GNU-compatible strip (Tom Lane)
Previously, make install-strip
used
the -x
option in this case. This change avoids
misbehavior of llvm-strip, and gives
slightly smaller output as well.
Stop recommending auto-download of DTD files for building the documentation, and indeed disable it (Aleksander Alekseev, Peter Eisentraut, Tom Lane)
It appears no longer possible to build the SGML documentation
without a local installation of the DocBook DTD files.
Formerly xsltproc could download those
files on-the-fly from sourceforge.net; but sourceforge.net now
permits only HTTPS access, and no common version
of xsltproc supports that. Hence, remove
the bits of our documentation suggesting that that's possible or
useful, and instead
add xsltproc's --nonet
option to the build recipes.
When running TAP tests in PGXS builds, use a saner location for the
temporary portlock
directory (Peter Eisentraut)
Place it under tmp_check
in the build
directory. With the previous coding, a PGXS build would try to place
it in the installation directory, which is not necessarily writable.
Update time zone data files to tzdata release 2023c for DST law changes in Egypt, Greenland, Morocco, and Palestine.
When observing Moscow time, Europe/Kirov and Europe/Volgograd now use the abbreviations MSK/MSD instead of numeric abbreviations, for consistency with other timezones observing Moscow time. Also, America/Yellowknife is no longer distinct from America/Edmonton; this affects some pre-1948 timestamps in that area.