Release date: 2020-11-12
This release contains a variety of fixes from 12.4. For information about new features in major release 12, see Section E.23.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.2, see Section E.21.
      Block DECLARE CURSOR ... WITH HOLD and firing of
      deferred triggers within index expressions and materialized view
      queries (Noah Misch)
      §
     
This is essentially a leak in the “security restricted operation” sandbox mechanism. An attacker having permission to create non-temporary SQL objects could parlay this leak to execute arbitrary SQL code as a superuser.
The PostgreSQL Project thanks Etienne Stalmans for reporting this problem. (CVE-2020-25695)
Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb (Tom Lane) § §
      The -d parameter
      of pg_dump
      and pg_restore, or
      the --maintenance-db parameter of the other
      programs mentioned, can be a “connection string”
      containing multiple connection parameters rather than just a
      database name.  In cases where these programs need to initiate
      additional connections, such as parallel processing or processing of
      multiple databases, the connection string was forgotten and just the
      basic connection parameters (database name, host, port, and
      username) were used for the additional connections.  This could lead
      to connection failures if the connection string included any other
      essential information, such as non-default SSL or GSS parameters.
      Worse, the connection might succeed but not be encrypted as
      intended, or be vulnerable to man-in-the-middle attacks that the
      intended connection parameters would have prevented.
      (CVE-2020-25694)
     
      When psql's \connect
      command re-uses connection parameters, ensure that all
      non-overridden parameters from a previous connection string are
      re-used (Tom Lane)
      §
     
This avoids cases where reconnection might fail due to omission of relevant parameters, such as non-default SSL or GSS options. Worse, the reconnection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. This is largely the same problem as just cited for pg_dump et al, although psql's behavior is more complex since the user may intentionally override some connection parameters. (CVE-2020-25694)
      Prevent psql's \gset
      command from modifying specially-treated variables (Noah Misch)
      §
     
      \gset without a prefix would overwrite whatever
      variables the server told it to.  Thus, a compromised server could
      set specially-treated variables such as PROMPT1,
      giving the ability to execute arbitrary shell code in the user's
      session.
     
The PostgreSQL Project thanks Nick Cleaton for reporting this problem. (CVE-2020-25696)
Prevent possible data loss from concurrent truncations of SLRU logs (Noah Misch) § §
This rare problem would manifest in later “apparent wraparound” or “could not access status of transaction” errors.
Ensure that SLRU directories are properly fsync'd during checkpoints (Thomas Munro) §
This prevents possible data loss in a subsequent operating system crash.
      Fix ALTER ROLE for users with
      the BYPASSRLS attribute (Tom Lane, Stephen Frost)
      §
     
      The BYPASSRLS attribute is only allowed to be
      changed by superusers, but other ALTER ROLE
      operations, such as password changes, should be allowed with only
      ordinary permission checks.  The previous coding erroneously
      restricted all changes on such a role to superusers.
     
      Ensure that ALTER TABLE ONLY ... ENABLE/DISABLE
      TRIGGER does not recurse to child tables
      (Álvaro Herrera)
      §
     
      Previously the ONLY flag was ignored.
     
      Avoid unnecessary recursion to partitions in ALTER TABLE
      SET NOT NULL, when the target column is already
      marked NOT NULL (Tom Lane)
      §
     
This avoids a potential deadlock in parallel pg_restore.
      Fix handling of expressions in CREATE TABLE LIKE
      with inheritance (Tom Lane)
      §
      §
     
      If a CREATE TABLE command uses
      both LIKE and traditional inheritance, column
      references in CHECK constraints and expression
      indexes that came from a LIKE parent table tended
      to get mis-numbered, resulting in wrong answers and/or bizarre error
      messages.  The same could happen in GENERATED
      expressions, in branches that have that feature.
     
      Disallow DROP INDEX CONCURRENTLY on a partitioned
      table (Álvaro Herrera, Michael Paquier)
      §
     
This case failed anyway, but with a confusing error message.
      Allow LOCK TABLE to succeed on a self-referential
      view (Tom Lane)
      §
     
It previously threw an error complaining about infinite recursion, but there seems no need to disallow the case.
      Retain statistics about an index across REINDEX
      CONCURRENTLY (Michael Paquier, Fabrízio de Royes Mello)
      §
     
Non-concurrent reindexing has always preserved such statistics.
      Fix incorrect progress reporting from REINDEX
      CONCURRENTLY (Matthias van de Meent, Michael Paquier)
      §
     
      Ensure that GENERATED columns are updated when
      the column(s) they depend on are updated via a rule or an updatable
      view (Tom Lane)
      §
     
This fix also takes care of possible failure to fire a column-specific trigger in such cases.
Recheck default partition constraints while routing an inserted or updated tuple to the correct partition (Amit Langote, Álvaro Herrera) §
This fixes race conditions when partitions are added concurrently with the insertion.
Fix failures with collation-dependent partition bound expressions (Tom Lane) §
Support hashing of text arrays (Peter Eisentraut) §
Array hashing failed if the array element type is collatable. Notably, this prevented using hash partitioning with a text array column as partition key.
      Fix off-by-one conversion of negative years to BC dates
      in to_date()
      and to_timestamp() (Dar Alathar-Yemen, Tom Lane)
      §
     
Also, arrange for the combination of a negative year and an explicit “BC” marker to cancel out and produce AD.
      Ensure that standby servers will archive WAL timeline history files
      when archive_mode is set
      to always (Grigory Smolkin, Fujii Masao)
      §
     
This oversight could lead to failure of subsequent PITR recovery attempts.
Fix “cache lookup failed for relation 0” failures in logical replication workers (Tom Lane) §
The real-world impact is small, since the failure is unlikely, and if it does happen the worker would just exit and be restarted.
Prevent logical replication workers from sending redundant ping requests (Tom Lane) §
During “smart” shutdown, don't terminate background processes until all client (foreground) sessions are done (Tom Lane) §
The previous behavior broke parallel query processing, since the postmaster would terminate parallel workers and refuse to launch any new ones. It also caused autovacuum to cease functioning, which could have dire long-term effects if the surviving client sessions make a lot of data changes.
Avoid recursive consumption of stack space while processing signals in the postmaster (Tom Lane) §
Heavy use of parallel processing has been observed to cause postmaster crashes due to too many concurrent signals requesting creation of a parallel worker process.
Avoid running atexit handlers when exiting due to SIGQUIT (Kyotaro Horiguchi, Tom Lane) § §
Most server processes followed this practice already, but the archiver process was overlooked. Backends that were still waiting for a client startup packet got it wrong, too.
Avoid misoptimization of subquery qualifications that reference apparently-constant grouping columns (Tom Lane) §
A “constant” subquery output column isn't really constant if it is a grouping column that appears in only some of the grouping sets.
Fix possible crash when considering partition-wise joins during GEQO planning (Tom Lane) §
Avoid failure when SQL function inlining changes the shape of a potentially-hashable subplan comparison expression (Tom Lane) §
While building or re-building an index, tolerate the appearance of new HOT chains due to concurrent updates (Anastasia Lubennikova, Álvaro Herrera) § §
This oversight could lead to “failed to find parent tuple for heap-only tuple” errors.
Fix failure of parallel B-tree index scans when the index condition is unsatisfiable (James Hunter) §
Ensure that data is detoasted before being inserted into a BRIN index (Tomas Vondra) §
      Index entries are not supposed to contain out-of-line TOAST
      pointers, but BRIN didn't get that memo.  This could lead to errors
      like “missing chunk number 0 for toast value NNN”.
      (If you are faced with such an error from an existing
      index, REINDEX should be enough to fix it.)
     
Handle concurrent desummarization correctly during BRIN index scans (Alexander Lakhin, Álvaro Herrera) §
Previously, if a page range was desummarized at just the wrong time, an index scan might falsely raise an error indicating index corruption.
Fix rare “lost saved point in index” errors in scans of multicolumn GIN indexes (Tom Lane) §
Fix buffered GiST index builds to work when the index has included columns (Pavel Borisov) §
      Fix unportable use of getnameinfo()
      in pg_hba_file_rules view (Tom Lane)
      §
     
      On FreeBSD 11, and possibly other platforms, the
      view's address
      and netmask columns were always null due
      to this error.
     
      Avoid crash if debug_query_string is NULL
      when starting a parallel worker (Noah Misch)
      §
     
      Fix use-after-free hazard when an event trigger monitors
      an ALTER TABLE operation (Jehan-Guillaume de
      Rorthais)
      §
     
      Avoid failures when a BEFORE ROW UPDATE trigger
      returns the “old” row of a table having dropped
      or “missing” columns (Amit Langote, Tom Lane)
      §
      §
     
      This method of suppressing an update could result in crashes,
      unexpected CHECK constraint failures, or
      incorrect RETURNING output,
      because “missing” columns would read as NULLs for those
      purposes.  (A column is “missing” for this purpose if
      it was added by ALTER TABLE ADD COLUMN with a
      non-NULL, but constant, default value.)  Dropped columns could cause
      trouble as well.
     
Fix incorrect error message about inconsistent moving-aggregate data types (Jeff Janes) §
Avoid lockup when a parallel worker reports a very long error message (Vignesh C) §
Avoid unnecessary failure when transferring very large payloads through shared memory queues (Markus Wanner) §
Fix incorrect handling of template function attributes in JIT code generation (Andres Freund) § §
      This has been shown to cause crashes on s390x,
      and very possibly there are other cases on other platforms.
     
Fix relation cache memory leaks with RLS policies (Tom Lane) §
      Fix edge-case memory leak
      in index_get_partition() (Justin Pryzby)
      §
     
Fix small memory leak when SIGHUP processing decides that a new GUC variable value cannot be applied without a restart (Tom Lane) §
      Fix memory leaks
      in PL/pgsql's CALL
      processing (Pavel Stehule, Tom Lane)
      §
     
      Make libpq support arbitrary-length lines
      in .pgpass files (Tom Lane)
      §
      §
     
This is mostly useful to allow using very long security tokens as passwords.
      In libpq for Windows,
      call WSAStartup() once per process
      and WSACleanup() not at all (Tom Lane,
      Alexander Lakhin)
      §
     
      Previously, libpq
      invoked WSAStartup() at connection start
      and WSACleanup() at connection cleanup.
      However, it appears that calling WSACleanup()
      can interfere with other program operations; notably, we have
      observed rare failures to emit expected output to stdout.  There
      appear to be no ill effects from omitting the call, so do that.
      (This also eliminates a performance issue from repeated DLL loads and
      unloads when a program performs a series of database connections.)
     
Fix ecpg library's per-thread initialization logic for Windows (Tom Lane, Alexander Lakhin) §
Multi-threaded ecpg applications could suffer rare misbehavior due to incorrect locking.
On Windows, make psql read the output of a backtick command in text mode, not binary mode (Tom Lane) §
This ensures proper handling of newlines.
Ensure that pg_dump collects per-column information about extension configuration tables (Fabrízio de Royes Mello, Tom Lane) § §
      Failure to do this led to crashes when
      specifying --inserts, or underspecified (though
      usually correct) COPY commands when
      using COPY to reload the tables' data.
     
Ensure that parallel pg_restore processes foreign keys referencing partitioned tables in the correct order (Álvaro Herrera) §
Previously, it might try to restore a foreign key constraint before the required indexes were all in place, leading to an error.
Make pg_upgrade check for pre-existence of tablespace directories in the target cluster (Bruce Momjian) § §
      Fix potential memory leak in contrib/pgcrypto
      (Michael Paquier)
      §
     
      Add check for an unlikely failure case
      in contrib/pgcrypto (Daniel Gustafsson)
      §
     
      Fix recently-added timetz test case so it works when
      the USA is not observing daylight savings time (Tom Lane)
      §
     
Update time zone data files to tzdata release 2020d for DST law changes in Fiji, Morocco, Palestine, the Canadian Yukon, Macquarie Island, and Casey Station (Antarctica); plus historical corrections for France, Hungary, Monaco, and Palestine. (Tom Lane) § §
Sync our copy of the timezone library with IANA tzcode release 2020d (Tom Lane) § §
      This absorbs upstream's change of zic's
      default output option from “fat”
      to “slim”.  That's just cosmetic for our purposes, as
      we continue to select the “fat” mode in pre-v13
      branches.  This change also ensures
      that strftime() does not
      change errno unless it fails.