Release date: 2023-02-09
This release contains a variety of fixes from 12.13. For information about new features in major release 12, see Section E.18.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.10, see Section E.8.
libpq can leak memory contents after GSSAPI transport encryption initiation fails (Jacob Champion)
A modified server, or an unauthenticated man-in-the-middle, can send a not-zero-terminated error message during setup of GSSAPI (Kerberos) transport encryption. libpq will then copy that string, as well as following bytes in application memory up to the next zero byte, to its error report. Depending on what the calling application does with the error report, this could result in disclosure of application memory contents. There is also a small probability of a crash due to reading beyond the end of memory. Fix by properly zero-terminating the server message. (CVE-2022-41862)
      Allow REPLICA IDENTITY
      to be set on an index that's not (yet) valid (Tom Lane)
     
      When pg_dump dumps a partitioned index
      that's marked REPLICA IDENTITY, it generates a
      command sequence that applies REPLICA IDENTITY
      before the partitioned index has been marked valid, causing restore
      to fail.  There seems no very good reason to prohibit doing it in
      that order, so allow it.  The marking will have no effect anyway
      until the index becomes valid.
     
      Fix handling of DEFAULT markers in rules that
      perform an INSERT from a
      multi-row VALUES list (Dean Rasheed)
     
      In some cases a DEFAULT marker would not get
      replaced with the proper default-value expression, leading to
      an “unrecognized node type” error.
     
      Reject uses of undefined variables in jsonpath
      existence checks (Alexander Korotkov, David G. Johnston)
     
      While jsonpath match operators threw an error for an
      undefined variable in the path pattern, the existence operators
      silently treated it as a match.
     
Fix edge-case data corruption in parallel hash joins (Dmitry Astapov)
If the final chunk of a large tuple being written out to a temporary file was exactly 32760 bytes, it would be corrupted due to a fencepost bug. The query would typically fail later with corrupted-data symptoms.
      Honor non-default settings
      of checkpoint_completion_target
      (Bharath Rupireddy)
     
      Internal state was not updated after a change
      in checkpoint_completion_target, possibly
      resulting in performing checkpoint I/O faster or slower than
      desired, especially if that setting was changed on-the-fly.
     
      Log the correct ending timestamp
      in recovery_target_xid mode (Tom Lane)
     
      When ending recovery based on the recovery_target_xid
      setting with recovery_target_inclusive
      = off, we printed an incorrect timestamp (always
      2000-01-01) in the “recovery stopping before
      ... transaction” log message.
     
      Prevent “wrong tuple length” failure
      at the end of VACUUM (Ashwin Agrawal, Junfeng Yang)
     
      This occurred if VACUUM needed to update the
      current database's datfrozenxid value and
      the database has so many granted privileges that
      its datacl value has been pushed
      out-of-line.
     
      In extended query protocol, avoid an immediate commit
      after ANALYZE if we're running a pipeline
      (Tom Lane)
     
      If there's not been an explicit BEGIN
      TRANSACTION, ANALYZE would take it on
      itself to commit, which should not happen within a pipelined series
      of commands.
     
Reject cancel request packets having the wrong length (Andrey Borodin)
The server would process a cancel request even if its length word was too small. This led to reading beyond the end of the allocated buffer. In theory that could cause a segfault, but it seems quite unlikely to happen in practice, since the buffer would have to be very close to the end of memory. The more likely outcome was a bogus log message about wrong backend PID or cancel code. Complain about the wrong length, instead.
Add recursion and looping defenses in subquery pullup (Tom Lane)
A contrived query can result in deep recursion and unreasonable amounts of time spent trying to flatten subqueries. A proper fix for that seems unduly invasive for a back-patch, but we can at least add stack depth checks and an interrupt check to allow the query to be cancelled.
Fix partitionwise-join code to tolerate failure to produce a plan for each partition (Tom Lane)
This could result in “could not devise a query plan for the given query” errors.
      Limit the amount of cleanup work done
      by get_actual_variable_range (Simon Riggs)
     
Planner runs occurring just after deletion of a large number of tuples appearing at the end of an index could expend significant amounts of work setting the “killed” bits for those index entries. Limit the amount of work done in any one query by giving up on this process after examining 100 heap pages. All the cleanup will still happen eventually, but without so large a performance hiccup.
Ensure that execution of full-text-search queries can be cancelled while they are performing phrase matches (Tom Lane)
Fix memory leak in hashing strings with nondeterministic collations (Jeff Davis)
Clean up the libpq connection object after a failed replication connection attempt (Andres Freund)
      The previous coding leaked the connection object.  In background
      code paths that's pretty harmless because the calling process will
      give up and exit.  But in commands such as CREATE
      SUBSCRIPTION, such a failure resulted in a small
      session-lifespan memory leak.
     
In hot-standby servers, reduce processing effort for tracking XIDs known to be active on the primary (Simon Riggs, Michail Nikolaev)
      Insufficiently-aggressive cleanup of the KnownAssignedXids array
      could lead to poor performance, particularly
      when max_connections is set to a large value on
      the standby.
     
Fix uninitialized-memory usage in logical decoding (Masahiko Sawada)
In certain cases, resumption of logical decoding could try to re-use XID data that had already been freed, leading to unpredictable behavior.
Avoid rare “failed to acquire cleanup lock” panic during WAL replay of hash-index page split operations (Robert Haas)
Advance a heap page's LSN when setting its all-visible bit during WAL replay (Jeff Davis)
Failure to do this left the page possibly different on standby servers than the primary, and violated some other expectations about when the LSN changes. This seems only a theoretical hazard so far as PostgreSQL itself is concerned, but it could upset third-party tools.
      Prevent unsafe usage of a relation cache
      entry's rd_smgr pointer (Amul Sul)
     
      Remove various assumptions that rd_smgr
      would stay valid over a series of operations, by wrapping all uses
      of it in a function that will recompute it if needed.  This prevents
      bugs occurring when an unexpected cache flush occurs partway through
      such a series.
     
      Fix latent buffer-overrun problem in WaitEventSet
      logic (Thomas Munro)
     
      The epoll-based
      and kqueue-based implementations could ask the
      kernel for too many events if the size of their internal buffer was
      different from the size of the caller's output buffer.  That case is
      not known to occur in released PostgreSQL
      versions, but this error is a hazard for external modules and future
      bug fixes.
     
Avoid nominally-undefined behavior when accessing shared memory in 32-bit builds (Andres Freund)
clang's undefined-behavior sanitizer complained about use of a pointer that was less aligned than it should be. It's very unlikely that this would cause a problem in non-debug builds, but it's worth fixing for testing purposes.
Remove faulty assertion in useless-RESULT-RTE optimization logic (Tom Lane)
Fix copy-and-paste errors in cache-lookup-failure messages for ACL checks (Justin Pryzby)
In principle these errors should never be reached. But if they are, some of them reported the wrong type of object.
In pg_dump, avoid calling unsafe server functions before we have locks on the tables to be examined (Tom Lane, Gilles Darold)
pg_dump uses certain server functions that can fail if examining a table that gets dropped concurrently. Avoid this type of failure by ensuring that we obtain access share lock before inquiring too deeply into a table's properties, and that we don't apply such functions to tables we don't intend to dump at all.
      Fix tab completion of ALTER
      FUNCTION/PROCEDURE/ROUTINE ... SET
      SCHEMA (Dean Rasheed)
     
      Fix faulty assertion in contrib/postgres_fdw
      (Etsuro Fujita)
     
      Fix contrib/seg to not crash or print garbage
      if an input number has more than 127 digits (Tom Lane)
     
      In contrib/sepgsql, avoid deprecation warnings
      with recent libselinux (Michael Paquier)
     
Fix build on Microsoft Visual Studio 2013 (Tom Lane)
      A previous patch supposed that all platforms of interest
      have snprintf(), but MSVC 2013 isn't quite
      there yet.  Revert to using sprintf() on that
      platform.
     
Fix compile failure in building PL/Perl with MSVC when using Strawberry Perl (Andrew Dunstan)
Fix mismatch of PL/Perl built with MSVC versus a Perl library built with gcc (Andrew Dunstan)
Such combinations could previously fail with “loadable library and perl binaries are mismatched” errors.
Suppress compiler warnings from Perl's header files (Andres Freund)
Our preferred compiler options provoke warnings about constructs appearing in recent versions of Perl's header files. When using gcc, we can suppress these warnings with a pragma.
Fix pg_waldump to build on compilers that don't discard unused static-inline functions (Tom Lane)
Update time zone data files to tzdata release 2022g for DST law changes in Greenland and Mexico, plus historical corrections for northern Canada, Colombia, and Singapore.
Notably, a new timezone America/Ciudad_Juarez has been split off from America/Ojinaga.