Release date: 2016-02-11
This release contains a variety of fixes from 9.5.0. For information about new features in the 9.5 major release, see Section E.12.
A dump/restore is not required for those running 9.5.X.
Fix infinite loops and buffer-overrun problems in regular expressions (Tom Lane)
Very large character ranges in bracket expressions could cause infinite loops in some cases, and memory overwrites in other cases. (CVE-2016-0773)
Fix an oversight that caused hash joins to miss joining to some tuples of the inner relation in rare cases (Tomas Vondra, Tom Lane)
Avoid pushdown of HAVING clauses when grouping sets are used (Andrew Gierth)
Fix deparsing of ON CONFLICT arbiter WHERE clauses (Peter Geoghegan)
Make %h and %r escapes in log_line_prefix work for messages emitted due to log_connections (Tom Lane)
Previously, %h/%r started to work just after a new session had emitted the "connection received" log message; now they work for that message too.
Avoid leaking a token handle during SSPI authentication (Christian Ullrich)
Fix psql's \det command to interpret its pattern argument the same way as other \d commands with potentially schema-qualified patterns do (Reece Hart)
In pg_ctl on Windows, check service status to decide where to send output, rather than checking if standard output is a terminal (Michael Paquier)
Fix assorted corner-case bugs in pg_dump's processing of extension member objects (Tom Lane)
Fix improper quoting of domain constraint names in pg_dump (Elvis Pranskevichus)
Make pg_dump mark a view's triggers as needing to be processed after its rule, to prevent possible failure during parallel pg_restore (Tom Lane)
Install guards in pgbench against corner-case overflow conditions during evaluation of script-specified division or modulo operators (Fabien Coelho, Michael Paquier)
Suppress useless warning message when pg_receivexlog connects to a pre-9.4 server (Marco Nenciarini)
Avoid dump/reload problems when using both plpython2 and plpython3 (Tom Lane)
In principle, both versions of PL/Python can be used in the same database, though not in the same session (because the two versions of libpython cannot safely be used concurrently). However, pg_restore and pg_upgrade both do things that can fall foul of the same-session restriction. Work around that by changing the timing of the check.
Fix PL/Python regression tests to pass with Python 3.5 (Peter Eisentraut)
Prevent certain PL/Java parameters from being set by non-superusers (Noah Misch)
This change mitigates a PL/Java security bug (CVE-2016-0766), which was fixed in PL/Java by marking these parameters as superuser-only. To fix the security hazard for sites that update PostgreSQL more frequently than PL/Java, make the core code aware of them also.
Fix ecpg-supplied header files to not contain comments continued from a preprocessor directive line onto the next line (Michael Meskes)
Such a comment is rejected by ecpg. It's not yet clear whether ecpg itself should be changed.
hstore_to_json_loose()'s test for whether
an hstore value can be converted to a JSON number (Tom Lane)
Previously this function could be fooled by non-alphanumeric trailing characters, leading to emitting syntactically-invalid JSON.
In contrib/postgres_fdw, fix bugs triggered by use of tableoid in data-modifying commands (Etsuro Fujita, Robert Haas)
Fix ill-advised restriction of NAMEDATALEN to be less than 256 (Robert Haas, Tom Lane)
Improve reproducibility of build output by ensuring filenames are given to the linker in a fixed order (Christoph Berg)
This avoids possible bitwise differences in the produced executable files from one build to the next.
Ensure that dynloader.h is included in the installed header files in MSVC builds (Bruce Momjian, Michael Paquier)
Update time zone data files to tzdata release 2016a for DST law changes in Cayman Islands, Metlakatla, and Trans-Baikal Territory (Zabaykalsky Krai), plus historical corrections for Pakistan.