E.4. Release 14.12
Release date: 2024-05-09
This release contains a variety of fixes from 14.11. For information about new features in major release 14, see Section E.16 .
E.4.1. Migration to Version 14.12
A dump/restore is not required for those running 14.X.
However, a security vulnerability was found in the system
views
pg_stats_ext
and
pg_stats_ext_exprs
, potentially allowing
authenticated database users to see data they shouldn't. If this is
of concern in your installation, follow the steps in the first
changelog entry below to rectify it.
Also, if you are upgrading from a version earlier than 14.11, see Section E.5 .
E.4.2. Changes
-
Restrict visibility of
pg_stats_ext
andpg_stats_ext_exprs
entries to the table owner (Nathan Bossart) §These views failed to hide statistics for expressions that involve columns the accessing user does not have permission to read. View columns such as
most_common_vals
might expose security-relevant data. The potential interactions here are not fully clear, so in the interest of erring on the side of safety, make rows in these views visible only to the owner of the associated table.The PostgreSQL Project thanks Lukas Fittl for reporting this problem. (CVE-2024-4317)
By itself, this fix will only fix the behavior in newly initdb'd database clusters. If you wish to apply this change in an existing cluster, you will need to do the following:
-
Find the SQL script
fix-CVE-2024-4317.sql
in theshare
directory of the PostgreSQL installation (typically located someplace like/usr/share/postgresql/
). Be sure to use the script appropriate to your PostgreSQL major version. If you do not see this file, either your version is not vulnerable (only v14–v16 are affected) or your minor version is too old to have the fix. -
In each database of the cluster, run the
fix-CVE-2024-4317.sql
script as superuser. In psql this would look like\i /usr/share/postgresql/fix-CVE-2024-4317.sql
(adjust the file path as appropriate). Any error probably indicates that you've used the wrong script version. It will not hurt to run the script more than once.
-
Do not forget to include the
template0
andtemplate1
databases, or the vulnerability will still exist in databases you create later. To fixtemplate0
, you'll need to temporarily make it accept connections. Do that withALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
and then after fixing
template0
, undo it withALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
-
-
Fix
INSERT
from multipleVALUES
rows into a target column that is a domain over an array or composite type (Tom Lane) §Such cases would either fail with surprising complaints about mismatched datatypes, or insert unexpected coercions that could lead to odd results.
-
Fix incorrect pruning of NULL partition when a table is partitioned on a boolean column and the query has a boolean
IS NOT
clause (David Rowley) §A NULL value satisfies a clause such as
boolcol
IS NOT FALSE -
Make
ALTER FOREIGN TABLE SET SCHEMA
move any owned sequences into the new schema (Tom Lane) §Moving a regular table to a new schema causes any sequences owned by the table to be moved to that schema too (along with indexes and constraints). This was overlooked for foreign tables, however.
-
Improve
ALTER TABLE ... ALTER COLUMN TYPE
's error message when there is a dependent function or publication (Tom Lane) § -
Fix
EXPLAIN
's counting of heap pages accessed by a bitmap heap scan (Melanie Plageman) §Previously, heap pages that contain no visible tuples were not counted; but it seems more consistent to count all pages returned by the bitmap index scan.
-
Avoid deadlock during removal of orphaned temporary tables (Mikhail Zhilin) §
If the session that creates a temporary table crashes without removing the table, autovacuum will eventually try to remove the orphaned table. However, an incoming session that's been assigned the same temporary namespace will do that too. If a temporary table has a dependency (such as an owned sequence) then a deadlock could result between these two cleanup attempts.
-
Avoid race condition while examining per-relation frozen-XID values (Noah Misch) §
VACUUM
's computation of per-database frozen-XID values from per-relation values could get confused by a concurrent update of those values by anotherVACUUM
. -
Disallow converting a table to a view within an outer SQL command that is using that table (Tom Lane) §
This avoids possible crashes.
-
Ensure that join conditions generated from equivalence classes are applied at the correct plan level (Tom Lane) §
In versions before PostgreSQL 16, it was possible for generated conditions to be evaluated below outer joins when they should be evaluated above (after) the outer join, leading to incorrect query results. All versions have a similar hazard when considering joins to
UNION ALL
trees that have constant outputs for the join column in someSELECT
arms. -
Avoid unnecessary use of moving-aggregate mode with a non-moving window frame (Vallimaharajan G) §
When a plain aggregate is used as a window function, and the window frame start is specified as
UNBOUNDED PRECEDING
, the frame's head cannot move so we do not need to use the special (and more expensive) moving-aggregate mode. This optimization was intended all along, but due to a coding error it never triggered. -
Avoid use of already-freed data while planning partition-wise joins under GEQO (Tom Lane) §
This would typically end in a crash or unexpected error message.
-
Avoid freeing still-in-use data in Memoize (Tender Wang, Andrei Lepikhov) §
In production builds this error frequently didn't cause any problems, as the freed data would most likely not get overwritten before it was used.
-
Fix incorrectly-reported statistics kind codes in " requested statistics kind
X
is not yet built " error messages (David Rowley) § -
Be more careful with
RECORD
-returning functions inFROM
(Tom Lane) § §The output columns of such a function call must be defined by an
AS
clause that specifies the column names and data types. If the actual function output value doesn't match that, an error is supposed to be thrown at runtime. However, some code paths would examine the actual value prematurely, and potentially issue strange errors or suffer assertion failures if it doesn't match expectations. -
Fix confusion about the return rowtype of SQL-language procedures (Tom Lane) §
A procedure implemented in SQL language that returns a single composite-type column would cause an assertion failure or core dump.
-
Add protective stack depth checks to some recursive functions (Egor Chindyaskin) §
-
Fix mis-rounding and overflow hazards in
date_bin()
(Moaaz Assali) §In the case where the source timestamp is before the origin timestamp and their difference is already an exact multiple of the stride, the code incorrectly subtracted the stride anyway. Also, detect some integer-overflow cases that would have produced incorrect results.
-
Detect integer overflow when adding or subtracting an
interval
to/from atimestamp
(Joseph Koshakow) §Some cases that should cause an out-of-range error produced an incorrect result instead.
-
Avoid race condition in
pg_get_expr()
(Tom Lane) §If the relation referenced by the argument is dropped concurrently, the function's intention is to return NULL, but sometimes it failed instead.
-
Fix detection of old transaction IDs in XID status functions (Karina Litskevich) §
Transaction IDs more than 2 31 transactions in the past could be misidentified as recent, leading to misbehavior of
pg_xact_status()
ortxid_status()
. -
Ensure that a table's freespace map won't return a page that's past the end of the table (Ronan Dunklau) §
Because the freespace map isn't WAL-logged, this was possible in edge cases involving an OS crash, a replica promote, or a PITR restore. The result would be a " could not read block " error.
-
Fix file descriptor leakage when an error is thrown while waiting in
WaitEventSetWait
(Etsuro Fujita) § -
Avoid corrupting exception stack if an FDW implements async append but doesn't configure any wait conditions for the Append plan node to wait for (Alexander Pyhalov) §
-
Throw an error if an index is accessed while it is being reindexed (Tom Lane) §
Previously this was just an assertion check, but promote it into a regular runtime error. This will provide a more on-point error message when reindexing a user-defined index expression that attempts to access its own table.
-
Ensure that index-only scans on
name
columns return a fully-padded value (David Rowley) §The value physically stored in the index is truncated, and previously a pointer to that value was returned to callers. This provoked complaints when testing under valgrind. In theory it could result in crashes, though none have been reported.
-
Fix crash with DSM allocations larger than 4GB (Heikki Linnakangas) §
-
Disconnect if a new server session's client socket cannot be put into non-blocking mode (Heikki Linnakangas) §
It was once theoretically possible for us to operate with a socket that's in blocking mode; but that hasn't worked fully in a long time, so fail at connection start rather than misbehave later.
-
Fix inadequate error reporting with OpenSSL 3.0.0 and later (Heikki Linnakangas, Tom Lane) §
System-reported errors passed through by OpenSSL were reported with a numeric error code rather than anything readable.
-
Avoid concurrent calls to
bindtextdomain()
in libpq and ecpglib (Tom Lane) § §Although GNU gettext 's implementation seems to be fine with concurrent calls, the version available on Windows is not.
-
Fix crash in ecpg 's preprocessor if the program tries to redefine a macro that was defined on the preprocessor command line (Tom Lane) § § §
-
In ecpg , avoid issuing false " unsupported feature will be passed to server " warnings (Tom Lane) §
-
Ensure that the string result of ecpg 's
intoasc()
function is correctly zero-terminated (Oleg Tselebrovskiy) § -
Fix pg_dumpall so that role comments, if present, will be dumped regardless of the setting of
--no-role-passwords
(Daniel Gustafsson, Álvaro Herrera) § § -
Fix PL/pgSQL 's parsing of single-line comments (
--
-style comments) following expressions (Erik Wienhold, Tom Lane) §This mistake caused parse errors if such a comment followed a
WHEN
expression in a PL/pgSQLCASE
statement. -
In
contrib/amcheck
, don't report false match failures due to short- versus long-header values (Andrey Borodin, Michael Zhilin) § §A variable-length datum in a heap tuple or index tuple could have either a short or a long header, depending on compression parameters that applied when it was made. Treat these cases as equivalent rather than complaining if there's a difference.
-
Fix bugs in BRIN output functions (Tomas Vondra) §
These output functions are only used for displaying index entries in
contrib/pageinspect
, so the errors are of limited practical concern. -
In
contrib/postgres_fdw
, avoid emitting requests to sort by a constant (David Rowley) §This could occur in cases involving
UNION ALL
with constant-emitting subqueries. Sorting by a constant is useless of course, but it also risks being misinterpreted by the remote server, leading to " ORDER BY positionN
is not in select list " errors. -
Make
contrib/postgres_fdw
set the remote session's time zone toGMT
notUTC
(Tom Lane) §This should have the same results for practical purposes. However,
GMT
is recognized by hard-wired code in the server, whileUTC
is looked up in the timezone database. So the old code could fail in the unlikely event that the remote server's timezone database is missing entries. -
In
contrib/xml2
, avoid use of library functions that have been deprecated in recent versions of libxml2 (Dmitry Koval) § -
Fix incompatibility with LLVM 18 (Thomas Munro, Dmitry Dolgov) §
-
Allow
make check
to work with the musl C library (Thomas Munro, Bruce Momjian, Tom Lane) §