Release Date: 2015-10-08
This release contains a variety of fixes from 9.4.4. For information about new features in the 9.4 major release, see Section E.9.
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.4, see Section E.5.
Guard against stack overflows in json parsing (Oskari Saarenmaa)
If an application constructs PostgreSQL json or jsonb values from arbitrary user input, the application's users can reliably crash the PostgreSQL server, causing momentary denial of service. (CVE-2015-5289)
Fix contrib/pgcrypto to detect and report
crypt() salts (Josh Kupershmidt)
Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. (CVE-2015-5288)
Fix subtransaction cleanup after a portal (cursor) belonging to an outer subtransaction fails (Tom Lane, Michael Paquier)
A function executed in an outer-subtransaction cursor could cause an assertion failure or crash by referencing a relation created within an inner subtransaction.
Fix possible deadlock during WAL insertion when commit_delay is set (Heikki Linnakangas)
Ensure all relations referred to by an updatable view are properly locked during an update statement (Dean Rasheed)
Fix insertion of relations into the relation cache "init file" (Tom Lane)
An oversight in a patch in the most recent minor releases caused pg_trigger_tgrelid_tgname_index to be omitted from the init file. Subsequent sessions detected this, then deemed the init file to be broken and silently ignored it, resulting in a significant degradation in session startup time. In addition to fixing the bug, install some guards so that any similar future mistake will be more obvious.
Avoid O(N^2) behavior when inserting many tuples into a SPI query result (Neil Conway)
Improve LISTEN startup time when there are many unread notifications (Matt Newell)
Fix performance problem when a session alters large numbers of foreign key constraints (Jan Wieck, Tom Lane)
This was seen primarily when restoring pg_dump output for databases with many thousands of tables.
Disable SSL renegotiation by default (Michael Paquier, Andres Freund)
While use of SSL renegotiation is a good idea in theory, we have seen too many bugs in practice, both in the underlying OpenSSL library and in our usage of it. Renegotiation will be removed entirely in 9.5 and later. In the older branches, just change the default value of ssl_renegotiation_limit to zero (disabled).
Lower the minimum values of the *_freeze_max_age parameters (Andres Freund)
This is mainly to make tests of related behavior less time-consuming, but it may also be of value for installations with limited disk space.
Limit the maximum value of wal_buffers to 2GB to avoid server crashes (Josh Berkus)
Avoid logging complaints when a parameter that can only be set at server start appears multiple times in postgresql.conf, and fix counting of line numbers after an include_dir directive (Tom Lane)
Fix rare internal overflow in multiplication of numeric values (Dean Rasheed)
Guard against hard-to-reach stack overflows involving record types, range types, json, jsonb, tsquery, ltxtquery and query_int (Noah Misch)
Fix handling of DOW and DOY in datetime input (Greg Stark)
These tokens aren't meant to be used in datetime values, but previously they resulted in opaque internal error messages rather than "invalid input syntax".
Add more query-cancel checks to regular expression matching (Tom Lane)
Add recursion depth protections to regular expression, SIMILAR TO, and LIKE matching (Tom Lane)
Suitable search patterns and a low stack depth limit could lead to stack-overrun crashes.
Fix potential infinite loop in regular expression execution (Tom Lane)
A search pattern that can apparently match a zero-length string, but actually doesn't match because of a back reference, could lead to an infinite loop.
In regular expression execution, correctly record match data for capturing parentheses within a quantifier even when the match is zero-length (Tom Lane)
Fix low-memory failures in regular expression compilation (Andreas Seltenreich)
Fix low-probability memory leak during regular expression execution (Tom Lane)
Fix rare low-memory failure in lock cleanup during transaction abort (Tom Lane)
Fix "unexpected out-of-memory situation during sort" errors when using tuplestores with small work_mem settings (Tom Lane)
Fix very-low-probability stack overrun in
qsort (Tom Lane)
Fix "invalid memory alloc request size" failure in hash joins with large work_mem settings (Tomas Vondra, Tom Lane)
Fix assorted planner bugs (Tom Lane)
These mistakes could lead to incorrect query plans that would give wrong answers, or to assertion failures in assert-enabled builds, or to odd planner errors such as "could not devise a query plan for the given query", "could not find pathkey item to sort", "plan should not reference subplan's variable", or "failed to assign all NestLoopParams to plan nodes". Thanks are due to Andreas Seltenreich and Piotr Stefaniak for fuzz testing that exposed these problems.
Improve planner's performance for UPDATE/DELETE on large inheritance sets (Tom Lane, Dean Rasheed)
Ensure standby promotion trigger files are removed at postmaster startup (Michael Paquier, Fujii Masao)
This prevents unwanted promotion from occurring if these files appear in a database backup that is used to initialize a new standby server.
During postmaster shutdown, ensure that per-socket lock files are removed and listen sockets are closed before we remove the postmaster.pid file (Tom Lane)
This avoids race-condition failures if an external script attempts to start a new postmaster as soon as pg_ctl stop returns.
Ensure that the postmaster does not exit until all its child processes are gone, even in an immediate shutdown (Tom Lane)
Like the previous item, this avoids possible race conditions against a subsequently-started postmaster.
Fix postmaster's handling of a startup-process crash during crash recovery (Tom Lane)
If, during a crash recovery cycle, the startup process crashes without having restored database consistency, we'd try to launch a new startup process, which typically would just crash again, leading to an infinite loop.
Make emergency autovacuuming for multixact wraparound more robust (Andres Freund)
Do not print a WARNING when an autovacuum worker is already gone when we attempt to signal it, and reduce log verbosity for such signals (Tom Lane)
Prevent autovacuum launcher from sleeping unduly long if the server clock is moved backwards a large amount (Álvaro Herrera)
Ensure that cleanup of a GIN index's pending-insertions list is interruptable by cancel requests (Jeff Janes)
Allow all-zeroes pages in GIN indexes to be reused (Heikki Linnakangas)
Such a page might be left behind after a crash.
Fix handling of all-zeroes pages in SP-GiST indexes (Heikki Linnakangas)
VACUUM attempted to recycle such pages, but did so in a way that wasn't crash-safe.
Fix off-by-one error that led to otherwise-harmless warnings about "apparent wraparound" in subtrans/multixact truncation (Thomas Munro)
Fix misreporting of CONTINUE and MOVE statement types in PL/pgSQL's error context messages (Pavel Stehule, Tom Lane)
Fix PL/Perl to handle non-ASCII error message texts correctly (Alex Hunsaker)
Fix PL/Python crash when returning the string representation of a record result (Tom Lane)
Fix some places in PL/Tcl that neglected to check for
malloc() calls (Michael Paquier, Álvaro
In contrib/isn, fix output of ISBN-13 numbers that begin with 979 (Fabien Coelho)
EANs beginning with 979 (but not 9790) are considered ISBNs, but they must be printed in the new 13-digit format, not the 10-digit format.
Improve contrib/pg_stat_statements' handling of query-text garbage collection (Peter Geoghegan)
The external file containing query texts could bloat to very large sizes; once it got past 1GB attempts to trim it would fail, soon leading to situations where the file could not be read at all.
Improve contrib/postgres_fdw's handling of collation-related decisions (Tom Lane)
The main user-visible effect is expected to be that comparisons involving varchar columns will be sent to the remote server for execution in more cases than before.
Improve libpq's handling of out-of-memory conditions (Michael Paquier, Heikki Linnakangas)
Fix memory leaks and missing out-of-memory checks in ecpg (Michael Paquier)
Fix psql's code for locale-aware formatting of numeric output (Tom Lane)
The formatting code invoked by \pset numericlocale on did the wrong thing for some uncommon cases such as numbers with an exponent but no decimal point. It could also mangle already-localized output from the money data type.
Prevent crash in psql's \c command when there is no current connection (Noah Misch)
Make pg_dump handle inherited NOT VALID check constraints correctly (Tom Lane)
Fix selection of default zlib compression level in pg_dump's directory output format (Andrew Dunstan)
Ensure that temporary files created during a pg_dump run with tar-format output are not world-readable (Michael Paquier)
Fix pg_dump and pg_upgrade to support cases where the postgres or template1 database is in a non-default tablespace (Marti Raudsepp, Bruce Momjian)
Fix pg_dump to handle object privileges sanely when dumping from a server too old to have a particular privilege type (Tom Lane)
When dumping data types from pre-9.2 servers, and when dumping functions or procedural languages from pre-7.3 servers, pg_dump would produce GRANT/REVOKE commands that revoked the owner's grantable privileges and instead granted all privileges to PUBLIC. Since the privileges involved are just USAGE and EXECUTE, this isn't a security problem, but it's certainly a surprising representation of the older systems' behavior. Fix it to leave the default privilege state alone in these cases.
Fix pg_dump to dump shell types (Tom Lane)
Shell types (that is, not-yet-fully-defined types) aren't useful for much, but nonetheless pg_dump should dump them.
Fix assorted minor memory leaks in pg_dump and other client-side programs (Michael Paquier)
Fix pgbench's progress-report behavior when a query, or pgbench itself, gets stuck (Fabien Coelho)
Fix spinlock assembly code for Alpha hardware (Tom Lane)
Fix spinlock assembly code for PPC hardware to be compatible with AIX's native assembler (Tom Lane)
Building with gcc didn't work if gcc had been configured to use the native assembler, which is becoming more common.
On AIX, test the -qlonglong compiler option rather than just assuming it's safe to use (Noah Misch)
On AIX, use -Wl,-brtllib link option to allow symbols to be resolved at runtime (Noah Misch)
Perl relies on this ability in 5.8.0 and later.
Avoid use of inline functions when compiling with 32-bit xlc, due to compiler bugs (Noah Misch)
Use librt for
sched_yield() when necessary,
which it is on some Solaris versions (Oskari Saarenmaa)
Translate encoding UHC as Windows code page 949 (Noah Misch)
This fixes presentation of non-ASCII log messages from processes that are not attached to any particular database, such as the postmaster.
On Windows, avoid failure when doing encoding conversion to UTF16 outside a transaction, such as for log messages (Noah Misch)
Fix postmaster startup failure due to not
setlocale()'s return value (Noah Misch)
This has been reported on Windows systems with the ANSI code page set to CP936 ("Chinese (Simplified, PRC)"), and may occur with other multibyte code pages.
Fix Windows install.bat script to handle target directory names that contain spaces (Heikki Linnakangas)
Make the numeric form of the PostgreSQL version number (e.g., 90405) readily available to extension Makefiles, as a variable named VERSION_NUM (Michael Paquier)
Update time zone data files to tzdata release 2015g for DST law changes in Cayman Islands, Fiji, Moldova, Morocco, Norfolk Island, North Korea, Turkey, and Uruguay. There is a new zone name America/Fort_Nelson for the Canadian Northern Rockies.