Stay Informed
This week, read about:
- Harbor Registry Overview: Using Harbor for Container Image Management.
- The Best Open-Source AI Models: All Your Free-To-Use Options Explained.
- Linux Kernel 6.12: Real-Time Capabilities, Hardware Boosts, and More.
- The Problem of Permissions and Non-Human Identities - Why Remediating Credentials Takes Longer Than You Think.
- Fake Discount Sites Exploit Black Friday to Hijack Shopper Information.
Security Based Updates
The OpenLogic LTS team has successfully released security patches (for CentOS7) a staggering 19 CVEs this month, details below:
- bash-4.2.46-35_ol001.el7
- Backported patch for CVE-2019-18276.
- glibc-2.17-326_ol003.el7_9.3
- Backported patch to fix CVE-2022-23219.
- perl-5.16.3-299_ol001.el7
- Backported patch to fix CVE-2016-6185.
- Backported patch to fix CVE-2023-31484.
- python3-3.6.8-21_ol004.el7_9
- Backported patch to address CVE-2020-10735.
- python-2.7.5-94_ol002.el7
- Backported patch to address CVE-2022-48560.
- Backported patch to address CVE-2020-10735.
- python3-3.6.8-21_ol003.el7_9
- Applied patch to address CVE-2022-48560.
- Applied patch to address CVE-2020-27619.
- binutils-2.27-44.base_ol001.el7.1
- Backported patch to address CVE-2022-44840.
- Backported patch to address CVE-2021-37322.
- Backported patch to address CVE-2021-45078.
- systemd-219-78_ol001.el7.9
- Backported patch to address CVE-2023-26604.
- python3-3.6.8-21_ol002.el7_9
- Backported patch to address CVE-2022-48565.
- perl-HTTP-Tiny-0.033-3_ol001.el7
- Applied patch to address CVE-2023-31486.
- httpd-2.4.6-99_ol005.el7.1
- Backported patch to fix CVE-2022-28614.
- Backported patch to fix CVE-2022-28615.
- glibc-2.17-326_ol002.el7_9.3
- Backported patch to mitigate CVE-2021-35942.
- python-2.7.5-94_ol001.el7
- Backported patch to address CVE-2017-1000158.
CentOS 6 - tzdata-2023c-1_ol001.el6
- We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS 1.6.15 and 1.8.8 released
Bug Fixes:
- ng-srcset: Addresses a Content Spoofing vulnerability and failure to sanitise image URLs set by the $compileProvider.imgSrcSanitizationWhitelist().
- This patch addresses the CVE-2024-8372 vulnerability, where users could bypass image source restrictions using ng-prop-srcset (1.8.8 only) and ng-attr-srcset Angular attributes.
- This patch addresses the CVE-2024-8373 vulnerability, where users could bypass image source restrictions in picture>source elements using the [srcset] attribute.
Notes: The <picture> HTML element and the srcset attribute are not supported by IE, unless polyfill is used.
Non-Security Based Updates
Angular 18.2.12
compiler-cli:
[fix - 4c38160853] | correct extraction of generics from type aliases (#58548) |
- Backport of CASSANDRA-17812: Rate-limit new client connection auth setup to avoid overwhelming bcrypt (CASSANDRA-20057)
- Support UDTs and vectors as clustering keys in descending order (CASSANDRA-20050)
- Fix CQL in snapshot's schema which did not contained UDTs used as reverse clustering columns (CASSANDRA-20036)
- Add configurable batchlog endpoint strategies: random_remote, prefer_local, dynamic_remote, and dynamic (CASSANDRA-18120)
- Fix bash-completion for debian distro (CASSANDRA-19999)
- Ensure thread-safety for CommitLogArchiver in CommitLog (CASSANDRA-19960)
- Fix text containing "/*" being interpreted as multiline comment in cqlsh (CASSANDRA-17667)
- Fix indexing of a frozen collection that is the clustering key and reversed (CASSANDRA-19889)
- Emit error when altering a table with non-frozen UDTs with nested non-frozen collections the same way as done upon table creation (CASSANDRA-19925)
Etcd v3.4.35
etcd server:
- Fix [watchserver related goroutine leakage](18785)
- Fix [panicking occurred due to improper error handling during defragmentation](18843)
- Fix [close temp file(s) in case an error happens during defragmentation](18855)
Dependencies:
- Compile binaries using [go 1.22.9](18850).
Etcd v3.5.17
etcd server:
- Fix [watchserver related goroutine leakage](18784)
- Fix [risk of a partial write txn being applied](18799)
- Fix [panicking occurred due to improper error handling during defragmentation](18842)
- Fix [close temp file(s) in case an error happens during defragmentation](18854)
Dependencies:
- Compile binaries using [go 1.22.9](18849).
Gitlab-foss v17.3.7
Security (6 changes):
- [Use custom adapter for parsing FogBugz XML](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8952776336f65ba2f7a182cb42e6714f4f17b97b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4594))
- [Removed id from authorize buttons and added specs](https://gitlab.com/gitlab-org/security/gitlab/-/commit/5f2a1b9a8cd823901e1184177fa55d43f20a3200) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4575))
- [HTML injection in vulnerability Code flow leads to XSS on self hosted instances](https://gitlab.com/gitlab-org/security/gitlab/-/commit/59ac206c9475b5713e8aee79dffad95fda802384) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4566))
- [Remove is-unsafe-link from product analytics tables to prevent XSS](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1420ca36c7c8fa50949d934ee9eb8a1a2dc3d6a5) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4581))
- [Details of blocking merge request can be exposed via list](https://gitlab.com/gitlab-org/security/gitlab/-/commit/aa81586dd7ca7fa7fc2d5c4b74b8d5971c573df7) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4527))
- [Prevent agent access via unconfirmed or disallowed group members](https://gitlab.com/gitlab-org/security/gitlab/-/commit/58ddb6195652c2d04fb90db5b53889273090c18c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4561))
Gitlab-foss v17.4.4
Fixed (4 changes):
- [Fix bug where car left after branch deletion](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d88a8a2b0d5a864220e7ca612a73433fb61aa1e7) **GitLab Enterprise Edition**
- [Ensure auto_merge_enabled is set when validating merge trains](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ec63d25c51b5e129ab9b8fea6c8bb5730ca1ff81) **GitLab Enterprise Edition**
- [Update pdf worker file path in pdf viewer](https://gitlab.com/gitlab-org/security/gitlab/-/commit/bd1436d5e7900ac7ca815302b5bbd8297e43c52d)
- [Security patch upgrade alert: Only expose to admins](https://gitlab.com/gitlab-org/security/gitlab/-/commit/6e852f3bde76486452977159f9597b1947ee84b3)
Security (6 changes):
- [Use custom adapter for parsing FogBugz XML](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d8cf278590e2f1b496fe7cec05bd58b8adf0703b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4593))
- [Removed id from authorize buttons and added specs](https://gitlab.com/gitlab-org/security/gitlab/-/commit/577432b6e46b9cd6edd4e00a4667e249406f1026) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4574))
- [HTML injection in vulnerability Code flow leads to XSS on self hosted instances](https://gitlab.com/gitlab-org/security/gitlab/-/commit/24eaacb474ad08e0bcd41b6f5a1cdada51ca8d7f) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4565))
- [Remove is-unsafe-link from product analytics tables to prevent XSS](https://gitlab.com/gitlab-org/security/gitlab/-/commit/6ed52422fcfb1b5ab6702a57df0d564bb552472b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4580))
- [Details of blocking merge request can be exposed via list](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4d5b45a67287865c3e9a80f27755c05c46ae2bea) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4526))
- [Prevent agent access via unconfirmed or disallowed group members](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e8fd87425e9c7d045986bc50b6f9e401eb695b95) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4560))
Performance (1 change)
- [Remove permissions JSONB column from the condition](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2f2ae57d46d3774cd483adcb8651c7bc52b2e67c)
Gitlab-foss v17.5.2
Fixed (4 changes):
- [Fix group wiki activity events breaking the user feed](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2c10d817d961bf6ae229fb436126713d0199aece)
- [Add param filtering to avoid error while saving project settings](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7e1bf6aa4087c0789ecff48ca716b30d841a3140) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171554)) **GitLab Enterprise Edition**
- [Fix new project group templates pagination](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3fed777c0e1f52816206b546f2063043febedd0b) **GitLab Enterprise Edition**
- [Update pdf worker file path in pdf viewer](https://gitlab.com/gitlab-org/security/gitlab/-/commit/406b66e9140b4ee4e79edc84e2870e0fbb90d149)
Security (7 changes):
- [Add missing project_id for build_chat_data](https://gitlab.com/gitlab-org/security/gitlab/-/commit/5a4e1bd3443cc786ab7558b1d6fa77962318c173) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4602))
- [Use custom adapter for parsing FogBugz XML](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f8c4b8942e6fca667c6a2b975d9fa792b0d559fa) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4592))
- [Removed id from authorize buttons and added specs](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7e9ac80271a0c8a7ed73f1cb4a34f053652f07f6) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4573))
- [HTML injection in vulnerability Code flow leads to XSS on self hosted instances](https://gitlab.com/gitlab-org/security/gitlab/-/commit/fbff5c445ecc99f438ab56a0c5add0ff5cd1e2aa) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4564))
- [Remove is-unsafe-link from product analytics tables to prevent XSS](https://gitlab.com/gitlab-org/security/gitlab/-/commit/605d8bf88e03ec6f447141049952b623eab2200c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4579))
- [Details of blocking merge request can be exposed via list](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0fe3d3020954f79337b6138e7b1ee6baed346c3c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4545))
- [Prevent agent access via unconfirmed or disallowed group members](https://gitlab.com/gitlab-org/security/gitlab/-/commit/fa41ba0bc926e7b0091e4fb1cb6298b0b86eace5) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4559))
Performance (1 change):
- [Remove permissions JSONB column from the condition](https://gitlab.com/gitlab-org/security/gitlab/-/commit/a5b902c35e60e36f3e98db2af221976093fe2278)
Grafana v11.3.0
Bug fixes:
- MigrationAssistant:** Fix Migration Assistant issue [CVE-2024-9476]
Jenkins-2.485
New features and improvements:
- Clarify [SECURITY-3315] - error code on client side (#9930) @jglick
Bug fixes:
- [JENKINS-74795] - Job created via REST API attaches to default view (#9947) @basil
- [JENKINS-74814] - `java.lang.UnsupportedOperationException`: This stack walker does not have `RETAIN_CLASS_REFERENCE` access (#9945) @basil
Changes for plugin developers:
- Introducing `ControllerToAgentCallable` and `ControllerToAgentFileCallable` (#9921) @jglick
- All contributors: @MarkEWaite, @basil, @jenkins-release-bot, @jglick, @renovate and @renovate[bot]
Sonatype/Nexus-public 2.15.2-03
- E.1. Release 12.21 This release contains a variety of fixes from 12.20. For information about new features in major release 12, see Section E.22. This is expected to be the last PostgreSQL release in the 12.X series. Users are encouraged to update to a newer release branch soon. E.1.1. Migration to Version 12.21. A dump/restore is not required for those running 12.X. However, if you are upgrading from a version earlier than 12.18, see Section E.4.
E.1.2. Changes
- Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart). If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead. The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2024-10976)
- Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion). An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure. The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2024-10977)
- Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE (Tom Lane). The SQL standard mandates that SET SESSION AUTHORIZATION have a side-effect of doing SET ROLE NONE . Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION would revert ROLE to NONE even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization in a function SET clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role') , it saw none even when it should see something else. The PostgreSQL Project thanks Tom Lane for reporting this problem. (CVE-2024-10978). Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch). The ability to manipulate process environment variables such as PATH gives an attacker opportunities to execute arbitrary code. Therefore, “trusted” PLs must not offer the ability to do that. To fix plperl, replace %ENV with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu retains the ability to change the environment. The PostgreSQL Project thanks Coby Abrams for reporting this problem. (CVE-2024-10979)
- Disallow ALTER TABLE ATTACH PARTITION if the table to be attached has a foreign key referencing the partitioned table (Álvaro Herrera). This arrangement is not supported, and other ways of creating it already fail.
- Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han). Such plans could produce incorrect results.
- Allow cancellation of the second stage of index build for large hash indexes (Pavel Borisov)
- Fix assertion failure or confusing error message for COPY (query) TO ... , when the query is rewritten by a DO INSTEAD NOTIFY rule (Tender Wang, Tom Lane)
- Fix detection of skewed data during parallel hash join (Thomas Munro). After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
- Fix race condition in committing a serializable transaction (Heikki Linnakangas). Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction” error.
- Fix race condition in COMMIT PREPARED that resulted in orphaned 2PC files (wuchengwen). A concurrent PREPARE TRANSACTION could cause COMMIT PREPARED to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transaction”, requiring manual removal of the orphaned file to restore service.
- Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL (Tender Wang). A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
- Fix ways in which an “in place” catalog update could be lost (Noah Misch). Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in-place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class .relhasindex to true, preventing updates of the new index and thus causing index corruption.
- Reset catalog caches at end of recovery (Noah Misch). This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
- Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane). This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
- Guard against stack overflow in libxml2 with too-deeply-nested XML input (Tom Lane, with hat tip to Nick Wellnhofer). Use xmlXPathCtxtCompile() rather than xmlXPathCompile() , because the latter fails to protect itself against recursion-to-stack-overflow in libxml2 releases before 2.13.4.
- Fix “failed to find plan for subquery/CTE” errors in EXPLAIN (Richard Guo, Tom Lane). This case arose while trying to print references to fields of a RECORD-type output of a subquery when the subquery has been optimized out of the plan altogether (which is possible at least in the case that it has a constant-false WHERE condition). Nothing remains in the plan to identify the original field names, so fall back to printing fN for the N'th record column. (That's actually the right thing anyway, if the record output arose from a ROW() constructor.)
- Disallow a USING clause when altering the type of a generated column (Peter Eisentraut). A generated column already has an expression specifying the column contents, so including USING doesn't make sense.
- Ignore not-yet-defined Portals in the pg_cursors view (Tom Lane). It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
- Reduce memory consumption of logical decoding (Masahiko Sawada). Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
- Re-disable sending of stateless (TLSv1.2) session tickets (Daniel Gustafsson). A previous change to prevent sending of stateful (TLSv1.3) session tickets accidentally re-enabled sending of stateless ones. Thus, while we intended to prevent clients from thinking that TLS session resumption is supported, some still did.
- Avoid “wrong tuple length” failure when dropping a database with many ACL (permission) entries (Ayush Tiwari)
- Allow adjusting the session_authorization and role settings in parallel workers (Tom Lane). Our code intends to allow modifiable server settings to be set by function SET clauses, but not otherwise within a parallel worker. SET clauses failed for these two settings, though.
- Fix behavior of stable functions called from a CALL statement's argument list, when the CALL is within a PL/pgSQL EXCEPTION block (Tom Lane). As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
- Parse libpq's keepalives connection option in the same way as other integer-valued options (Yuto Sasaki). The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
- In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov). It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
- Include the source timeline history in pg_rewind's debug output (Heikki Linnakangas). This was the intention to begin with, but a coding error caused the source history to always print as empty.
- Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (Vaib-haveS, Michael Paquier, Fujii Masao, Nathan Bossart). Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
- Allow inspection of sequence relations in relevant functions of contrib/pageinspect and contrib/pgstattuple (Nathan Bossart, Ayush Vatsa). This had been allowed in the past, but it got broken during the introduction of non-default access methods for tables.
- Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy). When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
- Fix a few places that assumed that process start time (represented as a time_t) will fit into a long value (Max Johnson, Nathan Bossart). On platforms where long is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start would hang.
- Prevent “nothing provides perl(PostgreSQL::Test::Utils)” failures while building RPM packages of PostgreSQL (Noah Misch)
- Fix building with Strawberry Perl on Windows (Andrew Dunstan)
- Update time zone data files to tzdata release 2024b (Tom Lane). This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT is now an alias for America/Los_Angeles. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT , timestamptz input such as 1801-01-01 00:00 would previously have been rendered as 1801-01-01 00:00:00-08 , but now it is rendered as 1801-01-01 00:00:00-07:52:58 . Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan is now an alias for Asia/Ulaanbaatar rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.
- IncompleteRead error occurred: IncompleteRead(2604766 bytes read, 11102047 more expected) E.1. Release 13.17 This release contains a variety of fixes from 13.16. For information about new features in major release 13, see Section E.18 .E.1.1. Migration to Version 13.17 A dump/restore is not required for those running 13.X. However, if you have ever detached a partition from a partitioned table that has a foreign-key reference to another partitioned table, and not dropped the former partition, then you may have catalog and/or data corruption to repair, as detailed in the fifth changelog entry below. Also, if you are upgrading from a version earlier than 13.14, see Section E.4 .E.1.2. Changes
- Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart). If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead. The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2024-10976)
- Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Cham pion). An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure. The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2024-10977)
- Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE (Tom Lane). The SQL standard mandates that SET SESSION AUTHORIZATION have a side-effect of doing SET ROLE NONE . Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION would revert ROLE to NONE even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction.Transiently setting session_authorization in a function SET clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role') , it saw none even when it should see something else. The PostgreSQL Project thanks Tom Lane for reporting this problem. (CVE-2024-10978)
- Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch). The ability to manipulate process environment variables such as PATH gives an attacker opportunities to execute arbitrary code. Therefore, “trusted” PLs must not offer the ability to do that. To fix plperl, replace %ENV with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu retains the ability to change the environment. The PostgreSQL Project thanks Coby Abrams for reporting this problem. (CVE-2024-10979)
- Fix updates of catalog state for foreign-key constraints when attaching or detaching table partitions (Jehan-Guillaume de Rorthais, Tender Wang, Álvaro Herrera). If the referenced table is partitioned, then different catalog entries are needed for a referencing table that is stand-alone versus one that is a partition. ATTACH/DETACH PARTITION commands failed to perform this conversion correctly. In particular, after DETACH the now stand-alone table would be missing foreign-key enforcement triggers, which could result in the table later containing rows that fail the foreign-key constraint. A subsequent re- ATTACH could fail with surprising errors, too. The way to fix this is to do ALTER TABLE DROP CONSTRAINT on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, then some erroneous data has crept in. You will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint. This query can be used to identify broken constraints and construct the commands needed to recreate them: SELECT conrelid::pg_catalog.regclass AS "constrained table", conname AS constraint, confrelid::pg_catalog.regclass AS "references", pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;', conrelid::pg_catalog.regclass, conname) AS "drop", pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;', conrelid::pg_catalog.regclass, conname, pg_catalog.pg_get_constraintdef(oid)) AS "add" FROM pg_catalog.pg_constraint c WHERE contype = 'f' AND conparentid = 0 AND (SELECT count(*) FROM pg_catalog.pg_constraint c2 WHERE c2.conparentid = c.oid) <> (SELECT count(*) FROM pg_catalog.pg_inherits i WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table WHERE partrelid = i.inhparent)); Since it is possible that one or more of the ADD CONSTRAINT steps will fail, you should save the query's output in a file and then attempt to perform each step.
- Disallow ALTER TABLE ATTACH PARTITION if the table to be attached has a foreign key referencing the partitioned table (Álvaro Herrera). This arrangement is not supported, and other ways of creating it already fail.
- Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han). Such plans could produce incorrect results.
- Fix possible “could not find pathkey item to sort” error when the output of a UNION ALL member query needs to be sorted, and the sort column is an expression (Andrei Lepikhov, Tom Lane)
- Allow cancellation of the second stage of index build for large hash indexes (Pavel Borisov)
- Fix assertion failure or confusing error message for COPY (query) TO ... , when the query is rewritten by a DO INSTEAD NOTIFY rule (Tender Wang, Tom Lane)
- Fix detection of skewed data during parallel hash join (Thomas Munro). After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
- Fix race condition in committing a serializable transaction (Heikki Linnakangas). Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction” error.
- Fix race condition in COMMIT PREPARED that resulted in orphaned 2PC files (wuchengwen). A concurrent PREPARE TRANSACTION could cause COMMIT PREPARED to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transaction” , requiring manual removal of the orphaned file to restore service.
- Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL (Tender Wang). A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
- Fix ways in which an “in place” catalog update could be lost (Noah Misch). Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in- place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class .relhasindex to true, preventing updates of the new index and thus causing index corruption.
- Reset catalog caches at end of recovery (Noah Misch). This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
- Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane). This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
- Guard against stack overflow in libxml2 with too-deeply-nested XML input (Tom Lane, with hat tip to Nick Wellnhofer). Use xmlXPathCtxtCompile() rather than xmlXPathCompile() , because the latter fails to protect itself against recursion-to-stack-overflow in libxml2 releases before 2.13.4.
- Fix “failed to find plan for subquery/CTE” errors in EXPLAIN (Richard Guo, Tom Lane). This case arose while trying to print references to fields of a RECORD-type output of a subquery when the subquery has been optimized out of the plan altogether (which is possible at least in the case that it has a constant-false WHERE condition). Nothing remains in the plan to identify the original field names, so fall back to printing fN for the N'th record column. (That's actually the right thing anyway, if the record output arose from a ROW() constructor.)
- Disallow a USING clause when altering the type of a generated column (Peter Eisentraut). A generated column already has an expression specifying the column contents, so including USING doesn't make sense.
- Ignore not-yet-defined Portals in the pg_cursors view (Tom Lane). It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
- Reduce memory consumption of logical decoding (Masahiko Sawada). Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
- Re-disable sending of stateless (TLSv1.2) session tickets (Daniel Gustafsson). A previous change to prevent sending of stateful (TLSv1.3) session tickets accidentally re-enabled sending of stateless ones. Thus, while we intended to prevent clients from thinking that TLS session resumption is supported, some still did.
- Avoid “wrong tuple length” failure when dropping a database with many ACL (permission) entries (Ayush Tiwari)
- Allow adjusting the session_authorization and role settings in parallel workers (Tom Lane). Our code intends to allow modifiable server settings to be set by function SET clauses, but not otherwise within a parallel worker. SET clauses failed for these two settings, though.
- Fix behavior of stable functions called from a CALL statement's argument list, when the CALL is within a PL/pgSQL EXCEPTION block (Tom Lane). As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
- Parse libpq's keepalives connection option in the same way as other integer-valued options (Yuto Sasaki). The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
- Avoid use of pnstrdup() in ecpglib (Jacob Champion). That function will call exit() on out-of-memory, which is undesirable in a library. The calling code already handles allocation failures properly.
- In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov). It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
- Include the source timeline history in pg_rewind's debug output (Heikki Linnakangas). This was the intention to begin with, but a coding error caused the source history to always print as empty.
- Fix misbehavior with junction points on Windows, particularly in pg_rewind (Alexandra Wang). This entailed back-patching previous fixes by Thomas Munro, Peter Eisentraut, Alexander Lakhin, and Juan José Santamaría Flecha. Those changes were originally not back-patched out of caution, but they have been in use in later branches for long enough to deem them safe.
- Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (Vaib- haveS, Michael Paquier, Fujii Masao, Nathan Bossart). Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
- Allow inspection of sequence relations in relevant functions of contrib/pageinspect and contrib/pgstattuple (Nathan Bossart, Ayush Vatsa). This had been allowed in the past, but it got broken during the introduction of non-default access methods for tables.
- Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy). When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
- Fix a few places that assumed that process start time (represented as a time_t) will fit into a long value (Max Johnson, Nathan Bossart). On platforms where long is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start would hang.
- Prevent “nothing provides perl(PostgreSQL::Test::Utils)” failures while building RPM packages of PostgreSQL (Noah Misch)
- Fix building with Strawberry Perl on Windows (Andrew Dunstan)
- Update time zone data files to tzdata release 2024b (Tom Lane). This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT is now an alias for America/Los_Angeles. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT , timestamptz input such as 1801-01-01 00:00 would previously have been rendered as 1801-01-01 00:00:00-08 , but now it is rendered as 1801-01-01 00:00:00-07:52:58 . Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan is now an alias for Asia/Ulaanbaatar rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.
- E.1. Release 14.14 This release contains a variety of fixes from 14.13. For information about new features in major release 14, see Section E.15 . E.1.1. Migration to Version 14.14 A dump/restore is not required for those running 14.X. However, if you have ever detached a partition from a partitioned table that has a foreign-key reference to another partitioned table, and not dropped the former partition, then you may have catalog and/or data corruption to repair, as detailed in the fifth changelog entry below. Also, if you are upgrading from a version earlier than 14.12, see Section E.3 E.1.2. Changes
- Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart). If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead. The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2024-10976)
- Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion). An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure. The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2024-10977)
- Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE (Tom Lane). The SQL standard mandates that SET SESSION AUTHORIZATION have a side-effect of doing SET ROLE NONE . Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION would revert ROLE to NONE even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization in a function SET clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role') , it saw none even when it should see something else. The PostgreSQL Project thanks Tom Lane for reporting this problem. (CVE-2024-10978)
- Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch). The ability to manipulate process environment variables such as PATH gives an attacker opportunities to execute arbitrary code. Therefore, “trusted” PLs must not offer the ability to do that. To fix plperl, replace %ENV with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu retains the ability to change the environment. The PostgreSQL Project thanks Coby Abrams for reporting this problem. (CVE-2024-10979)
- Fix updates of catalog state for foreign-key constraints when attaching or detaching table partitions (Jehan-Guillaume de Rorthais, Tender Wang, Álvaro Herrera). If the referenced table is partitioned, then different catalog entries are needed for a referencing table that is stand-alone versus one that is a partition. ATTACH/DETACH PARTITION commands failed to perform this conversion correctly. In particular, after DETACH the now stand-alone table would be missing foreign-key enforcement triggers, which could result in the table later containing rows that fail the foreign-key constraint. A subsequent re- ATTACH could fail with surprising errors, too. The way to fix this is to do ALTER TABLE DROP CONSTRAINT on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, then some erroneous data has crept in. You will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint. This query can be used to identify broken constraints and construct the commands needed to recreate them:SELECT conrelid::pg_catalog.regclass AS "constrained table", conname AS constraint, confrelid::pg_catalog.regclass AS "references", pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;', conrelid::pg_catalog.regclass, conname) AS "drop", pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;', conrelid::pg_catalog.regclass, conname, pg_catalog.pg_get_constraintdef(oid)) AS "add" FROM pg_catalog.pg_constraint c WHERE contype = 'f' AND conparentid = 0 AND (SELECT count(*) FROM pg_catalog.pg_constraint c2 WHERE c2.conparentid = c.oid) <> (SELECT count(*) FROM pg_catalog.pg_inherits i WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table WHERE partrelid = i.inhparent)); Since it is possible that one or more of the ADD CONSTRAINT steps will fail, you should save the query's output in a file and then attempt to perform each step.
- Avoid possible crashes and “could not open relation” errors in queries on a partitioned table occurring concurrently with a DETACH CONCURRENTLY and immediate drop of a partition (Álvaro Herrera, Kuntal Gosh)
- Disallow ALTER TABLE ATTACH PARTITION if the table to be attached has a foreign key referencing the partitioned table (Álvaro Herrera). This arrangement is not supported, and other ways of creating it already fail.
- Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han). Such plans could produce incorrect results.
- Fix possible “could not find pathkey item to sort” error when the output of a UNION ALL member query needs to be sorted, and the sort column is an expression (Andrei Lepikhov, Tom Lane)
- Allow cancellation of the second stage of index build for large hash indexes (Pavel Borisov)
- Fix assertion failure or confusing error message for COPY (query) TO ... , when the query is rewritten by a DO INSTEAD NOTIFY rule (Tender Wang, Tom Lane)
- Fix detection of skewed data during parallel hash join (Thomas Munro). After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
- Fix race condition in committing a serializable transaction (Heikki Linnakangas). Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction” error.
- Fix race condition in COMMIT PREPARED that resulted in orphaned 2PC files (wuchengwen). A concurrent PREPARE TRANSACTION could cause COMMIT PREPARED to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transaction” , requiring manual removal of the orphaned file to restore service.
- Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL (Tender Wang). A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
- Fix ways in which an “in place” catalog update could be lost (Noah Misch). Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in-place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class .relhasindex to true, preventing updates of the new index and thus causing index corruption.
- Reset catalog caches at end of recovery (Noah Misch). This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
- Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane). This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
- Report the active query ID for statistics purposes at the start of processing of Bind and Execute protocol messages (Sami Imseih). This allows more of the work done in extended query protocol to be attributed to the correct query.
- Guard against stack overflow in libxml2 with too-deeply-nested XML input (Tom Lane, with hat tip to Nick Wellnhofer). Use xmlXPathCtxtCompile() rather than xmlXPathCompile() , because the latter fails to protect itself against recursion-to-stack-overflow in libxml2 releases before 2.13.4.
- Do not ignore a concurrent REINDEX CONCURRENTLY that is working on an index with predicates or expressions (Michail Nikolaev). Normally, REINDEX CONCURRENTLY does not need to wait for other REINDEX CONCURRENTLY operations on other tables. However, this optimization is not applied if the other REINDEX CONCURRENTLY is processing an index with predicates or expressions, on the chance that such expressions contain user-defined code that accesses other tables. Careless coding created a race condition such that that rule was not applied uniformly, possibly allowing inconsistent behavior.
- Fix “failed to find plan for subquery/CTE” errors in EXPLAIN (Richard Guo, Tom Lane). This case arose while trying to print references to fields of a RECORD-type output of a subquery when the subquery has been optimized out of the plan altogether (which is possible at least in the case that it has a constant-false WHERE condition). Nothing remains in the plan to identify the original field names, so fall back to printing fN for the N'th record column. (That's actually the right thing anyway, if the record output arose from a ROW() constructor.)
- Disallow a USING clause when altering the type of a generated column (Peter Eisentraut). A generated column already has an expression specifying the column contents, so including USING doesn't make sense.
- Ignore not-yet-defined Portals in the pg_cursors view (Tom Lane). It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
- Avoid “unexpected table_index_fetch_tuple call during logical decoding” error while decoding a transaction involving insertion of a column default value (Takeshi Ideriha, Hou Zhijie)
- Reduce memory consumption of logical decoding (Masahiko Sawada). Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
- Re-disable sending of stateless (TLSv1.2) session tickets (Daniel Gustafsson). A previous change to prevent sending of stateful (TLSv1.3) session tickets accidentally re-enabled sending of stateless ones. Thus, while we intended to prevent clients from thinking that TLS session resumption is supported, some still did.
- Avoid “wrong tuple length” failure when dropping a database with many ACL (permission) entries (Ayush Tiwari)
- Allow adjusting the session_authorization and role settings in parallel workers (Tom Lane). Our code intends to allow modifiable server settings to be set by function SET clauses, but not otherwise within a parallel worker. SET clauses failed for these two settings, though.
- Fix behavior of stable functions called from a CALL statement's argument list, when the CALL is within a PL/pgSQL EXCEPTION block (Tom Lane). As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
- Fix “cache lookup failed for function” errors in edge cases in PL/pgSQL's CALL (Tom Lane)
- Fix thread safety of our fallback (non-OpenSSL) MD5 implementation on big-endian hardware (Heikki Linnakangas). Thread safety is not currently a concern in the server, but it is for libpq.
- Parse libpq's keepalives connection option in the same way as other integer-valued options (Yuto Sasaki). The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
- Avoid use of pnstrdup() in ecpglib (Jacob Champion). That function will call exit() on out-of-memory, which is undesirable in a library. The calling code already handles allocation failures properly.
- In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov). It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
- Include the source timeline history in pg_rewind's debug output (Heikki Linnakangas). This was the intention to begin with, but a coding error caused the source history to always print as empty.
- Fix misbehavior with junction points on Windows, particularly in pg_rewind (Alexandra Wang). This entailed back-patching previous fixes by Thomas Munro, Peter Eisentraut, Alexander Lakhin, and Juan José Santamaría Flecha. Those changes were originally not back-patched out of caution, but they have been in use in later branches for long enough to deem them safe.
- Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (Vaib-haveS, Michael Paquier, Fujii Masao, Nathan Bossart). Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
- Allow inspection of sequence relations in relevant functions of contrib/pageinspect and contrib/pgstattuple (Nathan Bossart, Ayush Vatsa). This had been allowed in the past, but it got broken during the introduction of non-default access methods for tables.
- Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy). When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
- Fix a few places that assumed that process start time (represented as a time_t) will fit into a long value (Max Johnson, Nathan Bossart). On platforms where long is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start would hang.
- Prevent “nothing provides perl(PostgreSQL::Test::Utils)” failures while building RPM packages of PostgreSQL (Noah Misch)
- Fix building with Strawberry Perl on Windows (Andrew Dunstan)
- Update time zone data files to tzdata release 2024b (Tom Lane). This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT is now an alias for America/Los_Angeles. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT , timestamptz input such as 1801-01-01 00:00 would previously have been rendered as 1801-01-01 00:00:00-08 , but now it is rendered as 1801-01-01 00:00:00-07:52:58 . Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan is now an alias for Asia/Ulaanbaatar rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.
- E.1. Release 15.9 This release contains a variety of fixes from 15.8. For information about new features in major release 15, see Section E.10 .E.1.1. Migration to Version 15.9 A dump/restore is not required for those running 15.X. However, if you have ever detached a partition from a partitioned table that has a foreign-key reference to another partitioned table, and not dropped the former partition, then you may have catalog and/or data corruption to repair, as detailed in the fifth changelog entry below. Also, if you are upgrading from a version earlier than 15.7, see Section E.3 .E.1.2. Changes
- Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart). If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead. The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2024-10976)
- Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion). An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure. The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2024-10977)
- Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE (Tom Lane). The SQL standard mandates that SET SESSION AUTHORIZATION have a side-effect of doing SET ROLE NONE. Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION would revert ROLE to NONE even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization in a function SET clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role') , it saw none even when it should see something else. The PostgreSQL Project thanks Tom Lane for reporting this problem. (CVE-2024-10978)
- Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch). The ability to manipulate process environment variables such as PATH gives an attacker opportunities to execute arbitrary code. Therefore, “trusted” PLs must not offer the ability to do that. To fix plperl, replace %ENV with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu retains the ability to change the environment. The PostgreSQL Project thanks Coby Abrams for reporting this problem. (CVE-2024-10979)
- Fix updates of catalog state for foreign-key constraints when attaching or detaching table partitions (Jehan-Guillaume de Rorthais, Tender Wang, Álvaro Herrera). If the referenced table is partitioned, then different catalog entries are needed for a referencing table that is stand-alone versus one that is a partition. ATTACH/DETACH PARTITION commands failed to perform this conversion correctly. In particular, after DETACH the now stand-alone table would be missing foreign-key enforcement triggers, which could result in the table later containing rows that fail the foreign-key constraint. A subsequent re- ATTACH could fail with surprising errors, too. The way to fix this is to do ALTER TABLE DROP CONSTRAINT on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, then some erroneous data has crept in. You will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint. This query can be used to identify broken constraints and construct the commands needed to recreate them: SELECT conrelid::pg_catalog.regclass AS "constrained table", conname AS constraint, confrelid::pg_catalog.regclass AS "references", pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;', conrelid::pg_catalog.regclass, conname) AS "drop", pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;', conrelid::pg_catalog.regclass, conname, pg_catalog.pg_get_constraintdef(oid)) AS "add" FROM pg_catalog.pg_constraint c WHERE contype = 'f' AND conparentid = 0 AND (SELECT count(*) FROM pg_catalog.pg_constraint c2 WHERE c2.conparentid = c.oid) <> (SELECT count(*) FROM pg_catalog.pg_inherits i WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table WHERE partrelid = i.inhparent)); Since it is possible that one or more of the ADD CONSTRAINT steps will fail, you should save the query's output in a file and then attempt to perform each step.
- Avoid possible crashes and “could not open relation” errors in queries on a partitioned table occurring concurrently with a DETACH CONCURRENTLY and immediate drop of a partition (Álvaro Herrera, Kuntal Gosh)
- Disallow ALTER TABLE ATTACH PARTITION if the table to be attached has a foreign key referencing the partitioned table (Álvaro Herrera). This arrangement is not supported, and other ways of creating it already fail.
- Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han). Such plans could produce incorrect results.
- Fix possible “could not find pathkey item to sort” error when the output of a UNION ALL member query needs to be sorted, and the sort column is an expression (Andrei Lepikhov, Tom Lane)
- Allow cancellation of the second stage of index build for large hash indexes (Pavel Borisov)
- Fix assertion failure or confusing error message for COPY (query) TO ... , when the query is rewritten by a DO INSTEAD NOTIFY rule (Tender Wang, Tom Lane)
- Fix detection of skewed data during parallel hash join (Thomas Munro). After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
- Fix race condition in committing a serializable transaction (Heikki Linnakangas). Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction” error.
- Fix race condition in COMMIT PREPARED that resulted in orphaned 2PC files (wuchengwen). A concurrent PREPARE TRANSACTION could cause COMMIT PREPARED to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transaction” , requiring manual removal of the orphaned file to restore service.
- Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL (Tender Wang). A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
- Fix ways in which an “in place” catalog update could be lost (Noah Misch). Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class .relhasindex to true, preventing updates of the new index and thus causing index corruption.
- Reset catalog caches at end of recovery (Noah Misch). This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
- Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane). This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL- language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
- Report the active query ID for statistics purposes at the start of processing of Bind and Execute protocol messages (Sami Imseih). This allows more of the work done in extended query protocol to be attributed to the correct query.
- Guard against stack overflow in libxml2 with too-deeply-nested XML input (Tom Lane, with hat tip to Nick Wellnhofer). Use xmlXPathCtxtCompile() rather than xmlXPathCompile() , because the latter fails to protect itself against recursion-to-stack-overflow in libxml2 releases before 2.13.4.
- Do not ignore a concurrent REINDEX CONCURRENTLY that is working on an index with predicates or expressions (Michail Nikolaev). Normally, REINDEX CONCURRENTLY does not need to wait for other REINDEX CONCURRENTLY operations on other tables. However, this optimization is not applied if the other REINDEX CONCURRENTLY is processing an index with predicates or expressions, on the chance that such expressions contain user-defined code that accesses other tables. Careless coding created a race condition such that that rule was not applied uniformly, possibly allowing inconsistent behavior.
- Fix “failed to find plan for subquery/CTE” errors in EXPLAIN (Richard Guo, Tom Lane). This case arose while trying to print references to fields of a RECORD-type output of a subquery when the subquery has been optimized out of the plan altogether (which is possible at least in the case that it has a constant-false WHERE condition). Nothing remains in the plan to identify the original field names, so fall back to printing fN for the N'th record column. (That's actually the right thing anyway, if the record output arose from a ROW() constructor.)
- Disallow a USING clause when altering the type of a generated column (Peter Eisentraut). A generated column already has an expression specifying the column contents, so including USING doesn't make sense.
- Ignore not-yet-defined Portals in the pg_cursors view (Tom Lane). It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
- Prevent mis-encoding of “trailing junk after numeric literal” error messages (Karina Litskevich). We do not allow identifiers to appear immediately following numeric literals (there must be some whitespace between). If a multibyte character immediately followed a numeric literal, the syntax error message about it included only the first byte of that character, causing bad-encoding problems both in the report to the client and in the postmaster log file.
- Avoid “unexpected table_index_fetch_tuple call during logical decoding” error while decoding a transaction involving insertion of a column default value (Takeshi Ideriha, Hou Zhijie)
- Reduce memory consumption of logical decoding (Masahiko Sawada). Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
- Re-disable sending of stateless (TLSv1.2) session tickets (Daniel Gustafsson). A previous change to prevent sending of stateful (TLSv1.3) session tickets accidentally re-enabled sending of stateless ones. Thus, while we intended to prevent clients from thinking that TLS session resumption is supported, some still did.
- Avoid “wrong tuple length” failure when dropping a database with many ACL (permission) entries (Ayush Tiwari)
- Allow adjusting the session_authorization and role settings in parallel workers (Tom Lane). Our code intends to allow modifiable server settings to be set by function SET clauses, but not otherwise within a parallel worker. SET clauses failed for these two settings, though.
- Fix behavior of stable functions called from a CALL statement's argument list, when the CALL is within a PL/pgSQL EXCEPTION block (Tom Lane). As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
- Fix “cache lookup failed for function” errors in edge cases in PL/pgSQL's CALL (Tom Lane)
- Fix thread safety of our fallback (non-OpenSSL) MD5 implementation on big-endian hardware (Heikki Linnakangas). Thread safety is not currently a concern in the server, but it is for libpq.
- Parse libpq's keepalives connection option in the same way as other integer-valued options (Yuto Sasaki). The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
- Avoid use of pnstrdup() in ecpglib (Jacob Champion). That function will call exit() on out-of-memory, which is undesirable in a library. The calling code already handles allocation failures properly.
- In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov). It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
- Fix pg_dump's handling of identity sequences that have persistence different from their owning table's persistence (Tom Lane). Since v15, it's been possible to set an identity sequence to be LOGGED when its owning table is UNLOGGED or vice versa. However, pg_dump's method for recreating that situation failed in binary-upgrade mode, causing pg_upgrade to fail when such sequences are present. Fix by introducing a new option for ADD/ALTER COLUMN GENERATED AS IDENTITY to allow the sequence's persistence to be set correctly at creation. Note that this means a dump from a database containing such a sequence will only load into a server of this minor version or newer.
- Include the source timeline history in pg_rewind's debug output (Heikki Linnakangas). This was the intention to begin with, but a coding error caused the source history to always print as empty.
- Fix misbehavior with junction points on Windows, particularly in pg_rewind (Alexandra Wang). This entailed back-patching previous fixes by Thomas Munro, Peter Eisentraut, Alexander Lakhin, and Juan José Santamaría Flecha. Those changes were originally not back-patched out of caution, but they have been in use in later branches for long enough to deem them safe.
- Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (Vaib- haveS, Michael Paquier, Fujii Masao, Nathan Bossart). Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
- Allow inspection of sequence relations in relevant functions of contrib/pageinspect and contrib/pgstattuple (Nathan Bossart, Ayush Vatsa). This had been allowed in the past, but it got broken during the introduction of non-default access methods for tables.
- Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy). When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
- Fix a few places that assumed that process start time (represented as a time_t) will fit into a long value (Max Johnson, Nathan Bossart). On platforms where long is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start would hang.
- Fix building with Strawberry Perl on Windows (Andrew Dunstan)
- Prevent “missing declaration for inet_pton” compiler warning or error when building with MinGW (Thomas Munro, Andrew Dunstan)
- Update time zone data files to tzdata release 2024b (Tom Lane). This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT is now an alias for America/Los_Angeles. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT , timestamptz input such as 1801-01-01 00:00 would prev ously have been rendered as 1801-01-01 00:00:00-08 , but now it is rendered as 1801-01-01 00:00:00-07:52:58. Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan is now an alias for Asia/Ulaanbaatar rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.
- E.1. Release 16.5 This release contains a variety of fixes from 16.4. For information about new features in major release 16, see Section E.6. E.1.1. Migration to Version 16.5 A dump/restore is not required for those running 16.X. However, if you have ever detached a partition from a partitioned table that has a foreign-key reference to another partitioned table, and not dropped the former partition, then you may have catalog and/or data corruption to repair, as detailed in the fifth changelog entry below. Also, if you are upgrading from a version earlier than 16.3, see Section E.3. E.1.2. Changes
- Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart). If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead. The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2024-10976)
- Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Cham pion). An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure. The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2024-10977)
- Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE (Tom Lane). The SQL standard mandates that SET SESSION AUTHORIZATION have a side-effect of doing SET ROLE NONE . Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION would revert ROLE to NONE even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization in a function SET clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role') , it saw none even when it should see something else. The PostgreSQL Project thanks Tom Lane for reporting this problem. (CVE-2024-10978)
- Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch). The ability to manipulate process environment variables such as PATH gives an attacker opportunities to execute arbitrary code. Therefore, “trusted” PLs must not offer the ability to do that. To fix plperl, replace %ENV with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu retains the ability to change the environment. The PostgreSQL Project thanks Coby Abrams for reporting this problem. (CVE-2024-10979)
- Fix updates of catalog state for foreign-key constraints when attaching or detaching table partitions (Jehan-Guillaume de Rorthais, Tender Wang, Álvaro Herrera). If the referenced table is partitioned, then different catalog entries are needed for a referencing table that is stand-alone versus one that is a partition. ATTACH/DETACH PARTITION commands failed to perform this conversion correctly. In particular, after DETACH the now stand-alone table would be missing foreign-key enforcement triggers, which could result in the table later containing rows that fail the foreign-key constraint. A subsequent re- ATTACH could fail with surprising errors, too. The way to fix this is to do ALTER TABLE DROP CONSTRAINT on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, then some erroneous data has crept in. You will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint. This query can be used to identify broken constraints and construct the commands needed to recreate them: SELECT conrelid::pg_catalog.regclass AS "constrained table", conname AS constraint, confrelid::pg_catalog.regclass AS "references", pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;', conrelid::pg_catalog.regclass, conname) AS "drop", pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;', conrelid::pg_catalog.regclass, conname, pg_catalog.pg_get_constraintdef(oid)) AS "add" FROM pg_catalog.pg_constraint c WHERE contype = 'f' AND conparentid = 0 AND (SELECT count(*) FROM pg_catalog.pg_constraint c2 WHERE c2.conparentid = c.oid) <> (SELECT count(*) FROM pg_catalog.pg_inherits i WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table WHERE partrelid = i.inhparent)); Since it is possible that one or more of the ADD CONSTRAINT steps will fail, you should save the query's output in a file and then attempt to perform each step.
- Avoid possible crashes and “could not open relation” errors in queries on a partitioned table occur ring concurrently with a DETACH CONCURRENTLY and immediate drop of a partition (Álvaro Herrera, Kuntal Gosh)
- Disallow ALTER TABLE ATTACH PARTITION if the table to be attached has a foreign key referencing the partitioned table (Álvaro Herrera). This arrangement is not supported, and other ways of creating it already fail.
- Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han). Such plans could produce incorrect results.
- Fix possible “could not find pathkey item to sort” error when the output of a UNION ALL member query needs to be sorted, and the sort column is an expression (Andrei Lepikhov, Tom Lane)
- Fix performance regressions involving flattening of subqueries underneath outer joins that are later reduced to plain joins (Tom Lane). v16 failed to optimize some queries as well as prior versions had, because of overoptimistic sim plification of query-pullup logic.
- Allow cancellation of the second stage of index build for large hash indexes (Pavel Borisov)
- Fix assertion failure or confusing error message for COPY (query) TO ... , when the query is rewritten by a DO INSTEAD NOTIFY rule (Tender Wang, Tom Lane)
- Fix server crash when a json_objectagg() call contains a volatile function (Amit Langote)
- Fix checking of key uniqueness in JSON object constructors (Junwang Zhao, Tomas Vondra). When building an object larger than a kilobyte, it was possible to accept invalid input that includes duplicate object keys, or to falsely report that duplicate keys are present.
- Fix detection of skewed data during parallel hash join (Thomas Munro). After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
- Disallow locale names containing non-ASCII characters (Thomas Munro). This is only an issue on Windows, as such locale names are not used elsewhere. They are problematic because it's quite unclear what encoding such names are represented in (since the locale itself defines the encoding to use). In recent PostgreSQL releases, an abort in the Windows runtime library could occur because of confusion about that. Anyone who encounters the new error message should either create a new duplicated locale with an ASCII-only name using Windows Locale Builder, or consider using BCP 47-compliant locale names like tr-TR.
- Fix race condition in committing a serializable transaction (Heikki Linnakangas). Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction” error.
- Fix race condition in COMMIT PREPARED that resulted in orphaned 2PC files (wuchengwen). A concurrent PREPARE TRANSACTION could cause COMMIT PREPARED to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transaction” , requiring manual removal of the orphaned file to restore service.
- Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL (Tender Wang). A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
- Fix ways in which an “in place” catalog update could be lost (Noah Misch). Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in- place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class .relhasindex to true, preventing updates of the new index and thus causing index corruption.
- Reset catalog caches at end of recovery (Noah Misch). This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
- Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane). This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
- Report the active query ID for statistics purposes at the start of processing of Bind and Execute protocol messages (Sami Imseih). This allows more of the work done in extended query protocol to be attributed to the correct query.
- Guard against stack overflow in libxml2 with too-deeply-nested XML input (Tom Lane, with hat tip to Nick Wellnhofer). Use xmlXPathCtxtCompile() rather than xmlXPathCompile() , because the latter fails to protect itself against recursion-to-stack-overflow in libxml2 releases before 2.13.4.
- Fix some whitespace issues in the result of XMLSERIALIZE(... INDENT) (Jim Jones). Fix failure to indent nodes separated by whitespace, and ensure that a trailing newline is not added.
- Do not ignore a concurrent REINDEX CONCURRENTLY that is working on an index with predicates or expressions (Michail Nikolaev). Normally, REINDEX CONCURRENTLY does not need to wait for other REINDEX CONCURRENTLY operations on other tables. However, this optimization is not applied if the other REINDEX CONCURRENTLY is processing an index with predicates or expressions, on the chance that such expressions contain user-defined code that accesses other tables. Careless coding created a race condition such that that rule was not applied uniformly, possibly allowing inconsistent behavior.
- Fix mis-deparsing of ORDER BY lists when there is a name conflict (Tom Lane). If an ORDER BY item in SELECT is a bare identifier, the parser first seeks it as an output column name of the SELECT, for SQL92 compatibility. However, ruleutils.c expects the SQL99 interpretation where such a name is an input column name. So it was possible to produce an incorrect display of a view in the (rather ill-advised) case where some other column is renamed in the SELECT output list to match an input column used in ORDER BY . Fix by table-qualifying such names in the dumped view text.
- Fix “failed to find plan for subquery/CTE” errors in EXPLAIN (Richard Guo, Tom Lane). This case arose while trying to print references to fields of a RECORD-type output of a subquery when the subquery has been optimized out of the plan altogether (which is possible at least in the case that it has a constant-false WHERE condition). Nothing remains in the plan to identify the original field names, so fall back to printing fN for the N'th record column. (That's actually the right thing anyway, if the record output arose from a ROW() constructor.)
- Disallow a USING clause when altering the type of a generated column (Peter Eisentraut). A generated column already has an expression specifying the column contents, so including USING doesn't make sense.
- Ignore not-yet-defined Portals in the pg_cursors view (Tom Lane). It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
- Fix incorrect output of the pg_stat_io view on 32-bit machines (Bertrand Drouvot). The stats_reset timestamp column contained garbage on such hardware.
- Prevent mis-encoding of “trailing junk after numeric literal” error messages (Karina Litskevich). We do not allow identifiers to appear immediately following numeric literals (there must be some whitespace between). If a multibyte character immediately followed a numeric literal, the syntax error message about it included only the first byte of that character, causing bad-encoding problems both in the report to the client and in the postmaster log file.
- Avoid “unexpected table_index_fetch_tuple call during logical decoding” error while decoding a transaction involving insertion of a column default value (Takeshi Ideriha, Hou Zhijie)
- Reduce memory consumption of logical decoding (Masahiko Sawada). Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
- In a logical replication apply worker, ensure that origin progress is not advanced during an error or apply worker shutdown (Hayato Kuroda, Shveta Malik). This avoids possible loss of a transaction, since once the origin progress point is advanced the source server won't send that data again.
- Re-disable sending of stateless (TLSv1.2) session tickets (Daniel Gustafsson). A previous change to prevent sending of stateful (TLSv1.3) session tickets accidentally re-enabled sending of stateless ones. Thus, while we intended to prevent clients from thinking that TLS session resumption is supported, some still did.
- Avoid “wrong tuple length” failure when dropping a database with many ACL (permission) entries (Ayush Tiwari)
- Allow adjusting the session_authorization and role settings in parallel workers (Tom Lane). Our code intends to allow modifiable server settings to be set by function SET clauses, but not otherwise within a parallel worker. SET clauses failed for these two settings, though.
- Fix behavior of stable functions called from a CALL statement's argument list, when the CALL is within a PL/pgSQL EXCEPTION block (Tom Lane). As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
- Fix “cache lookup failed for function” errors in edge cases in PL/pgSQL's CALL (Tom Lane)
- Fix thread safety of our fallback (non-OpenSSL) MD5 implementation on big-endian hardware (Heikki Linnakangas). Thread safety is not currently a concern in the server, but it is for libpq.
- Parse libpq's keepalives connection option in the same way as other integer-valued options (Yuto Sasaki). The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
- Avoid use of pnstrdup() in ecpglib (Jacob Champion). That function will call exit() on out-of-memory, which is undesirable in a library. The calling code already handles allocation failures properly.
- In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov). It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
- Fix memory leak in psql during repeated use of \bind (Michael Paquier)
- Avoid hanging if an interval less than 1ms is specified in psql's \watch command (Andrey Borodin, Michael Paquier). Instead, treat this the same as an interval of zero (no wait between executions).
- Fix pg_dump's handling of identity sequences that have persistence different from their owning table's persistence (Tom Lane). Since v15, it's been possible to set an identity sequence to be LOGGED when its owning table is UNLOGGED or vice versa. However, pg_dump's method for recreating that situation failed in bi-nary-upgrade mode, causing pg_upgrade to fail when such sequences are present. Fix by introducing a new option for ADD/ALTER COLUMN GENERATED AS IDENTITY to allow the sequence's persistence to be set correctly at creation. Note that this means a dump from a database containing such a sequence will only load into a server of this minor version or newer.
- Include the source timeline history in pg_rewind's debug output (Heikki Linnakangas). This was the intention to begin with, but a coding error caused the source history to always print as empty.
- Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (Vaib-haveS, Michael Paquier, Fujii Masao, Nathan Bossart). Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
- Allow inspection of sequence relations in relevant functions of contrib/pageinspect and contrib/pgstattuple (Nathan Bossart, Ayush Vatsa). This had been allowed in the past, but it got broken during the introduction of non-default access methods for tables.
- Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy). When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
- Fix a few places that assumed that process start time (represented as a time_t) will fit into a long value (Max Johnson, Nathan Bossart). On platforms where long is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start would hang.
- Fix building with Strawberry Perl on Windows (Andrew Dunstan)
- Update time zone data files to tzdata release 2024b (Tom Lane). This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT is now an alias for America/Los_Ange-les. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT , timestamptz input such as 1801-01-01 00:00 would previously have been rendered as 1801-01-01 00:00:00-08 , but now it is rendered as 1801-01-01 00:00:00-07:52:58. Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan is now an alias for Asia/Ulaanbaatar rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.
- E.1. Release 17.1 This release contains a variety of fixes from 17.0. For information about new features in major release 17, see Section E.2 . E.1.1. Migration to Version 17.1 A dump/restore is not required for those running 17.X. However, if you have ever detached a partition from a partitioned table that has a foreign-key reference to another partitioned table, and not dropped the former partition, then you may have catalog and/or data corruption to repair, as detailed in the fifth changelog entry below. Also, in the uncommon case that a database's LC_CTYPE setting is C while its LC_COLLATE setting is some other locale, indexes on textual columns should be reindexed, as described in the sixth changelog entry below. E.1.2. Changes
- Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top level table reference (Nathan Bossart). If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead. The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2024-10976)
- Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion). An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure. The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2024-10977)
- Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE (Tom Lane). The SQL standard mandates that SET SESSION AUTHORIZATION have a side-effect of doing SET ROLE NONE . Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION would revert ROLE to NONE even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization in a function SET clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role') , it saw none even when it should see something else. The PostgreSQL Project thanks Tom Lane for reporting this problem. (CVE-2024-10978)
- Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch). The ability to manipulate process environment variables such as PATH gives an attacker opportunities to execute arbitrary code. Therefore, “trusted” PLs must not offer the ability to do that. To fix plperl, replace %ENV with a tied hash that rejects any modification attempt with a warning.Untrusted plperlu retains the ability to change the environment. The PostgreSQL Project thanks Coby Abrams for reporting this problem. (CVE-2024-10979)
- Fix updates of catalog state for foreign-key constraints when attaching or detaching table partitions (Jehan-Guillaume de Rorthais, Tender Wang, Álvaro Herrera). If the referenced table is partitioned, then different catalog entries are needed for a referencing table that is stand-alone versus one that is a partition. ATTACH/DETACH PARTITION commands failed to perform this conversion correctly. In particular, after DETACH the now stand-alone table would be missing foreign-key enforcement triggers, which could result in the table later containing rows that fail the foreign-key constraint. A subsequent re- ATTACH could fail with surprising errors, too. The way to fix this is to do ALTER TABLE DROP CONSTRAINT on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, then some erroneous data has crept in. You will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint. This query can be used to identify broken constraints and construct the commands needed to recreate them: SELECT conrelid::pg_catalog.regclass AS "constrained table", conname AS constraint, confrelid::pg_catalog.regclass AS "references", pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;', conrelid::pg_catalog.regclass, conname) AS "drop", pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;', conrelid::pg_catalog.regclass, conname, pg_catalog.pg_get_constraintdef(oid)) AS "add" FROM pg_catalog.pg_constraint c WHERE contype = 'f' AND conparentid = 0 AND (SELECT count(*) FROM pg_catalog.pg_constraint c2 WHERE c2.conparentid = c.oid) <> (SELECT count(*) FROM pg_catalog.pg_inherits i WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table,WHERE partrelid = i.inhparent)); Since it is possible that one or more of the ADD CONSTRAINT steps will fail, you should save the query's output in a file and then attempt to perform each step.
- Fix test for C locale when LC_COLLATE is different from LC_CTYPE (Jeff Davis). When using libc as the default collation provider, the test to see if C locale is in use for collation accidentally checked LC_CTYPE not LC_COLLATE . This has no impact in the typical case where those settings are the same, nor if both are not C (nor its alias POSIX). However, if LC_CTYPE is C while LC_COLLATE is some other locale, wrong query answers could ensue, and corruption of indexes on strings was possible. Users of databases with such settings should reindex affected indexes after installing this update. The converse case with LC_COLLATE being C while LC_CTYPE is some other locale would cause performance degradation, but no actual errors.
- Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han). Such plans could produce incorrect results.
- Avoid planner failure after converting an IS NULL test on a NOT NULL column to constant FALSE (Richard Guo). This bug typically led to errors such as “variable not found in subplan target lists”.
- Avoid possible planner crash while inlining a SQL function whose arguments contain certain array-related constructs (Tom Lane, Nathan Bossart)
- Fix possible wrong answers or “wrong varnullingrels” planner errors for MERGE ... WHEN NOT MATCHED BY SOURCE actions (Dean Rasheed)
- Fix possible “could not find pathkey item to sort” error when the output of a UNION ALL member query needs to be sorted, and the sort column is an expression (Andrei Lepikhov, Tom Lane)
- Fix edge case in B-tree ScalarArrayOp index scans (Peter Geoghegan). When a scrollable cursor with a plan of this kind was backed up to its starting point and then run forward again, wrong answers were possible.
- Fix assertion failure or confusing error message for COPY (query) TO ... , when the query is rewritten by a DO INSTEAD NOTIFY rule (Tender Wang, Tom Lane)
- Fix validation of COPY's FORCE_NOT_NULL and FORCE_NULL options (Joel Jacobson). Some incorrect usages are now rejected as they should be.
- Fix server crash when a json_objectagg() call contains a volatile function (Amit Langote)
- Fix detection of skewed data during parallel hash join (Thomas Munro). After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
- Avoid crash when ALTER DATABASE SET is used to set a server parameter that requires search path-based lookup, such as default_text_search_config (Jeff Davis)
- Avoid repeated lookups of opclasses and collations while creating a new index on a partitioned table (Tom Lane). This was problematic mainly because some of the lookups would be done with a restricted search_path , leading to unexpected failures if the CREATE INDEX command referenced objects outside pg_catalog. This fix also prevents comments on the parent partitioned index from being copied to child indexes.
- Add missing dependency from a partitioned table to a non-built-in access method specified in CREATE TABLE ... USING (Michael Paquier). Dropping the access method should be blocked when a table exists that depends on it, but it was not, allowing subsequent odd behavior. Note that this fix only prevents problems for partitioned tables created after this update.
- Disallow locale names containing non-ASCII characters (Thomas Munro). This is only an issue on Windows, as such locale names are not used elsewhere. They are problematic because it's quite unclear what encoding such names are represented in (since the locale itself defines the encoding to use). In recent PostgreSQL releases, an abort in the Windows runtime library could occur because of confusion about that. Anyone who encounters the new error message should either create a new duplicated locale with an ASCII-only name using Windows Locale Builder, or consider using BCP 47-compliant locale names like tr-TR.
- Fix race condition in committing a serializable transaction (Heikki Linnakangas). Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction” error.
- Fix race condition in COMMIT PREPARED that resulted in orphaned 2PC files (wuchengwen). A concurrent PREPARE TRANSACTION could cause COMMIT PREPARED to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transaction”, requiring manual removal of the orphaned file to restore service.
- Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL (Tender Wang). A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
- Fix ways in which an “in place” catalog update could be lost (Noah Misch). Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class .relhasindex to true, preventing updates of the new index and thus causing index corruption.
- Reset catalog caches at end of recovery (Noah Misch). This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
- Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane). This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
- Ignore not-yet-defined Portals in the pg_cursors view (Tom Lane). It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
- Avoid “unexpected table_index_fetch_tuple call during logical decoding” error while decoding a transaction involving insertion of a column default value (Takeshi Ideriha, Hou Zhijie)
- Reduce memory consumption of logical decoding (Masahiko Sawada). Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
- Fix behavior of stable functions called from a CALL statement's argument list, when the CALL is within a PL/pgSQL EXCEPTION block (Tom Lane). As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
- Parse libpq's keepalives connection option in the same way as other integer-valued options (Yuto Sasaki). The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
- In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov). It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
- Fix psql's describe commands to again work with pre-9.4 servers (Tom Lane). Commands involving display of an ACL (permissions) column failed with very old PostgreSQL servers, due to use of a function not present in those versions.
- Avoid hanging if an interval less than 1ms is specified in psql's \watch command (Andrey Borodin, Michael Paquier). Instead, treat this the same as an interval of zero (no wait between executions).
- Fix failure to find replication password in ~/.pgpass (Tom Lane). pg_basebackup and pg_receivewal failed to match an entry in ~/.pgpass that had replication in the database name field, if no -d or --dbname switch was supplied. This resulted in an unexpected prompt for password.
- In pg_combinebackup, throw an error if an incremental backup file is present in a directory that is supposed to contain a full backup (Robert Haas).
- In pg_combinebackup, don't construct filenames containing double slashes (Robert Haas). This caused no functional problems, but the duplicate slashes were visible in error messages, which could create confusion.
- Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (VaibhaveS, Michael Paquier, Fujii Masao, Nathan Bossart). Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
- Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy). When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
- Fix a few places that assumed that process start time (represented as a time_t) will fit into a long value (Max Johnson, Nathan Bossart). On platforms where long is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start would hang.
- Update time zone data files to tzdata release 2024b (Tom Lane). This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT is now an alias for America/Los_Angeles. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT , timestamptz input such as 1801-01-01 00:00 would previously have been rendered as 1801-01-01 00:00:00-08 , but now it is rendered as 1801-01-01 00:00:00-07:52:58. Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan is now an alias for Asia/Ulaanbaatar rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.
Prometheus v3.0.0
This release includes new features such as a brand new UI and UTF-8 support enabled by default. As this marks the first new major version in seven years, several breaking changes are introduced. The breaking changes are mainly around the removal of deprecated feature flags and CLI arguments, and the full list can be found below. For users that want to upgrade we recommend to read through our [migration guide]
* [CHANGE] Set the `GOMAXPROCS` variable automatically to match the Linux CPU quota. Use `--no-auto-gomaxprocs` to disable it. The `auto-gomaxprocs` feature flag was removed. #15376
* [CHANGE] Set the `GOMEMLIMIT` variable automatically to match the Linux container memory limit. Use `--no-auto-gomemlimit` to disable it. The `auto-gomemlimit` feature flag was removed. #15373
* [CHANGE] Scraping: Remove implicit fallback to the Prometheus text format in case of invalid/missing Content-Type and fail the scrape instead. Add ability to specify a `fallback_scrape_protocol` in the scrape config. #15136
* [CHANGE] Remote-write: default enable_http2 to false. #15219
* [CHANGE] Scraping: normalize "le" and "quantile" label values upon ingestion. #15164
* [CHANGE] Scraping: config `scrape_classic_histograms` was renamed to `always_scrape_classic_histograms`. #15178
* [CHANGE] Config: remove expand-external-labels flag, expand external labels env vars by default. #14657
* [CHANGE] Disallow configuring AM with the v1 api. #13883
* [CHANGE] regexp `.` now matches all characters (performance improvement). #14505
* [CHANGE] `holt_winters` is now called `double_exponential_smoothing` and moves behind the [experimental-promql-functions feature flag]#experimental-promql-functions). #14930
* [CHANGE] API: The OTLP receiver endpoint can now be enabled using `--web.enable-otlp-receiver` instead of `--enable-feature=otlp-write-receiver`. #14894
* [CHANGE] Prometheus will not add or remove port numbers from the target address. `no-default-scrape-port` feature flag removed. #14160
* [CHANGE] Logging: the format of log lines has changed a little, along with the adoption of Go's Structured Logging package. #14906
* [CHANGE] Don't create extra `_created` timeseries if feature-flag `created-timestamp-zero-ingestion` is enabled. #14738
* [CHANGE] Float literals and time durations being the same is now a stable fetaure. #15111
* [CHANGE] UI: The old web UI has been replaced by a completely new one that is less cluttered and adds a few new features (PromLens-style tree view, better metrics explorer, "Explain" tab). However, it is still missing some features of the old UI (notably, exemplar display and heatmaps). To switch back to the old UI, you can use the feature flag `--enable-feature=old-ui` for the time being. #14872
* [CHANGE] PromQL: Range selectors and the lookback delta are now left-open, i.e. a sample coinciding with the lower time limit is excluded rather than included. #13904
* [CHANGE] Kubernetes SD: Remove support for `discovery.k8s.io/v1beta1` API version of EndpointSlice. This version is no longer served as of Kubernetes v1.25. #14365
* [CHANGE] Kubernetes SD: Remove support for `networking.k8s.io/v1beta1` API version of Ingress. This version is no longer served as of Kubernetes v1.22. #14365
* [CHANGE] UTF-8: Enable UTF-8 support by default. Prometheus now allows all UTF-8 characters in metric and label names. The corresponding `utf8-name` feature flag has been removed. #14705
* [CHANGE] Console: Remove example files for the console feature. Users can continue using the console feature by supplying their own JavaScript and templates. #14807
* [CHANGE] SD: Enable the new service discovery manager by default. This SD manager does not restart unchanged discoveries upon reloading. This makes reloads faster and reduces pressure on service discoveries' sources. The corresponding `new-service-discovery-manager` feature flag has been removed. #14770
* [CHANGE] Agent mode has been promoted to stable. The feature flag `agent` has been removed. To run Prometheus in Agent mode, use the new `--agent` cmdline arg instead. #14747
* [CHANGE] Remove deprecated `remote-write-receiver`,`promql-at-modifier`, and `promql-negative-offset` feature flags. #13456, #14526
* [CHANGE] Remove deprecated `storage.tsdb.allow-overlapping-blocks`, `alertmanager.timeout`, and `storage.tsdb.retention` flags. #14640, #14643
* [FEATURE] OTLP receiver: Ability to skip UTF-8 normalization using `otlp.translation_strategy = NoUTF8EscapingWithSuffixes` configuration option. #15384
* [FEATURE] Support config reload automatically - feature flag `auto-reload-config`. #14769
* [ENHANCEMENT] Scraping, rules: handle targets reappearing, or rules moving group, when out-of-order is enabled. #14710
* [ENHANCEMENT] Tools: add debug printouts to promtool rules unit testing #15196
* [ENHANCEMENT] Scraping: support Created-Timestamp feature on native histograms. #14694
* [ENHANCEMENT] UI: Many fixes and improvements. #14898, #14899, #14907, #14908, #14912, #14913, #14914, #14931, #14940, #14945, #14946, #14972, #14981, #14982, #14994, #15096
* [ENHANCEMENT] UI: Web UI now displays notifications, e.g. when starting up and shutting down. #15082
* [ENHANCEMENT] PromQL: Introduce exponential interpolation for native histograms. #14677
* [ENHANCEMENT] TSDB: Add support for ingestion of out-of-order native histogram samples. #14850, #14546
* [ENHANCEMENT] Alerts: remove metrics for removed Alertmanagers. #13909
* [ENHANCEMENT] Kubernetes SD: Support sidecar containers in endpoint discovery. #14929
* [ENHANCEMENT] Consul SD: Support catalog filters. #11224
* [ENHANCEMENT] Move AM discovery page from "Monitoring status" to "Server status". #14875
* [PERF] TSDB: Parallelize deletion of postings after head compaction. #14975
* [PERF] TSDB: Chunk encoding: shorten some write sequences. #14932
* [PERF] TSDB: Grow postings by doubling. #14721
* [PERF] Relabeling: Optimize adding a constant label pair. #12180
* [BUGFIX] Scraping: Don't log errors on empty scrapes. #15357
* [BUGFIX] UI: fix selector / series formatting for empty metric names. #15341
* [BUGFIX] PromQL: Fix stddev+stdvar aggregations to always ignore native histograms. #14941
* [BUGFIX] PromQL: Fix stddev+stdvar aggregations to treat Infinity consistently. #14941
* [BUGFIX] OTLP receiver: Preserve colons when generating metric names in suffix adding mode (this mode is always enabled, unless one uses Prometheus as a library). #15251
* [BUGFIX] Scraping: Unit was missing when using protobuf format. #15095
* [BUGFIX] PromQL: Only return "possible non-counter" annotation when `rate` returns points. #14910
* [BUGFIX] TSDB: Chunks could have one unnecessary zero byte at the end. #14854
* [BUGFIX] "superfluous response.WriteHeader call" messages in log. #14884
* [BUGFIX] PromQL: Unary negation of native histograms. #14821
* [BUGFIX] PromQL: Handle stale marker in native histogram series (e.g. if series goes away and comes back). #15025
* [BUGFIX] Autoreload: Reload invalid yaml files. #14947
* [BUGFIX] Scrape: Do not override target parameter labels with config params. #11029
What's Changed:
* promql: make lookback and matrix selections left-open and right-closed by @KofClubs in
* removed "promql-at-modifier" and "promql-negative-offset" features from flag list by @kartikaysaxena in
* Sync release-3.0 with main by @jan--f in
* feat (ui): Add Native Histogram rendering to new UI by @Maniktherana in
* 3.0 main sync 24-07-09 by @jan--f in
* Minor style improvements for native histograms in table view by @juliusv in
* 3.0 main sync 24 07 18 by @jan--f in
* discovery(k8s): remove support for API versions no longer served by @simonpasquier in
* 3.0 main sync 24 08 01 by @jan--f in
* Remove unused flags by @roidelapluie in
* Remove deprecated storage.tsdb.retention flag by @roidelapluie in
* add v3 tags to action conditions by @jan--f in
* remove deprecated and replaced remote-write-receiver flag from enable-feature by @pawarpranav83 in
* 3.0 main sync 24-08-21 by @jan--f in
* Promote Agent mode to it's own cmdline flag by @ArthurSens in
* 3.0 main sync 24-08-30 by @jan--f in\
* Remove console static files by @roidelapluie in
* chore(discovery): enable new-service-discovery-manager by default and drop legacymanager package by @machine424 in
* Target parameter labels should not be overridden by config params by @roidelapluie in
* utf8: enable utf-8 support by default by @ywwg in
* Limit memory usage Go tests with race detector by @juliusv in
* Merge new UI branch for Prometheus 3.0 into main by @juliusv in
* BUGFIX: TSDB: panic in chunk querier by @krajorama in
* [Comment] Correct the comment on Decbuf.UvarintBytes by @bboreham in
* Move AM discovery page from "Monitoring status" -> "Server status" by @juliusv in
* Scrape: test for q-value compliance with RFC 9110 in Accept header by @roidelapluie in
* 3.0 main sync 24 09 09 by @jan--f in
* Bump @types/node from 22.5.2 to 22.5.4 in /web/ui by @dependabot in
* Fix error flood by downgrading OTel dependencies by @juliusv in
* remove rfratto as a tsdb/agent maintainer by @rfratto in
* Mantine UI: Fix 404 on /discovered-alertmanagers by @roidelapluie in
* Bring back documentation link in the form of an action button by @juliusv in
* Mantine UI: Use actual lookback delta in explain by @roidelapluie in
* fix(utf8): propagate validationScheme config to scraping options by @npazosmendez in
* promql: correctly handle unary negation of native histograms and add tests for multiplication and division of native histograms by negative scalars by @charleskorn in
* Update promci action by @SuperQ in
* Explain: Use param scalars in aggregations description by @roidelapluie in
* test: pass enable_npm to setup_environment by @jan--f in
* Fix HTML rendering for aggregator Explain view by @juliusv in
* Prepare release 3.0.0-beta.0 by @fionaliao in
* Cut release 3.0 beta.0 by @jan--f in
* Bump actions/upload-artifact from 4.3.4 to 4.4.0 by @dependabot in
* chore: Fix typos by @NathanBaulch in
* Upgrade github.com/googleapis/enterprise-certificate-proxy to v0.3.4 by @aknuds1 in
* TSDB: OOO native histograms: prep for multiple ooo head chunks by @krajorama in
* ui: drop readme from template by @SuperSandro2000 in
* Fix border color for target pools with one target that is failing by @juliusv in
* docs/feature_flags.md: drop `agent` feature flag by @jan--f in
* UI improvements: Factor out common styles, fix tree node line rendering, always show full badge contents (no ellipsis) by @juliusv in
* makefile: Add support for skipping UI build when prebuilt assets are provided by @roidelapluie in
* Explain, vector-to-vector: Do not compute results for set operators by @roidelapluie in
* build(deps): bump github.com/go-zookeeper/zk from 1.0.3 to 1.0.4 by @dependabot in
* [DOCS] put back feature flag 'delayed-compaction' and 'old-ui' by @Nexucis in
* PromQL explain view: Support set operators by @juliusv in
* Add support for running govulncheck by @51n15t9r in
* New UI: Better time formatting + tests, better styling by @juliusv in
* storage: Document that LabelQuerier.LabelValues interface returns sorted values by @harry671003 in
* tsdb: Add support for ingestion of out-of-order native histogram samples by @carrieedwards in
* TSDB: Simplify benchmark regexps by @bboreham in
* Bump typescript from 5.5.4 to 5.6.2 in /web/ui by @dependabot in
* fix(wlog/watcher_test.go): make TestRun_AvoidNotifyWhenBehind more resilient by @machine424 in
* Adding configuration documentation changes for username_file support for basic auth http client config by @wasim-nihal in
* fix(bstream/writeByte): ensure it appends only one byte by @fungiboletus in
* build(deps): bump lru-cache from 7.18.3 to 11.0.1 in /web/ui by @arukiidou in
* mantine UI: Distinguish between Not Ready and Stopping by @roidelapluie in
* Fix remote write v2 `BuildWriteRequest` benchmark by @cstyan in
* [CHANGE] regexp . to match \n and optimize performance by @marioferh in
* Make rate possible non-counter annotation consistent by @jhesketh in
* UI: Disallow sub-second zoom as this cause inconsistenices in the X axis in uPlot by @roidelapluie in
* move holt_winters to the experimental functions and rename by @jan--f in
* promql(native histograms): Introduce exponential interpolation by @beorn7 in
* UI/PromQL: autocomplete topk like aggregation function parameters by @Nexucis in
* support v2 proto for BenchmarkSampleSend by @cstyan in
* promqltest: use test expression format for histograms in assertion failure messages and include reset hint in the test expression by @charleskorn in
* [BUGFIX] TSDB: Only query chunks up to truncation time by @bboreham in
* refac: make typeRequiresCT private by @Maniktherana in
* [PERF] TSDB: Chunk encoding: shorten some write sequences by @bboreham in
* fix(web): properly format sub-millisecond durations in target status page by @roidelapluie in
* Mantine UI: removed unuse file by @roidelapluie in
* chore: remove unused code by @Maniktherana in
* Neater string vs byte-slice conversions by @bboreham in
* fix(autoreload): Reload invalid yaml files by @roidelapluie in
* chore: bump client_golang from 1.20.3 to 1.20.4 by @krajorama in
* Merge 2.55 into main by @bboreham in
* promql.Engine: Refactor vector selector evaluation into a method by @aknuds1 in
* Optimize constant label pair adding with relabel.Replace by @damnever in
* docs: Improve, clarify, and fix documentation on scrape limits by @beorn7 in
* UI: Make mantime UI assets relative by @jesusvazquez in
* [PERF] TSDB: Grow postings by doubling by @bboreham in
* Docs: Refer to staleness in instant vector documentation by @ringerc in
* [ENHANCEMENT] Alerts: remove metrics for removed Alertmanagers by @bboreham in
* Histogram CT Zero ingestion by @ArthurSens in
* scrape/scrape_test.go: reduce the time it takes to reload the manager by @krajorama in
* Remove no-default-scrape-port featureFlag by @alex-kattathra-johnson in
* Remove Query page alert close buttons that don't do anything by @juliusv in
* Remove unnecessary pprof import by @bboreham in
* Add notifications to the Web UI by @roidelapluie in
* fix(test): adjust defer invocations by @machine424 in
* Process `MemPostings.Delete()` with `GOMAXPROCS` workers by @colega in
* Follow-up on notifications via SSE by @roidelapluie in
* fix(discovery): fix Configs' custom unmarshalling/marshalling by @machine424 in
* Calculate path prefix directly in initial settings Redux value by @juliusv in
* Remove LeviHarrison as a default maintainer by @LeviHarrison in
* [REFACTOR] PromQL: remove label_join and label_replace stubs by @bboreham in
* Support sidecar containers in k8s endpoint discovery by @fbs in
* OTLP: Remove experimental word form OTLP receiver by @jesusvazquez in
* MAINTAINERS: Add Arthur as an otlptranslator maintainer by @jesusvazquez in
* api: Improve doc comments for v1.MinTime and v1.MaxTime by @beorn7 in
* Bump @mantine/dates from 7.12.2 to 7.13.1 in /web/ui by @dependabot in
* Bump react-router-dom from 6.26.1 to 6.26.2 in /web/ui by @dependabot in
* Bump vitest from 2.0.5 to 2.1.1 in /web/ui by @dependabot in
* Bump @types/lodash from 4.17.7 to 4.17.9 in /web/ui by @dependabot in
* Bump eslint-plugin-react-refresh from 0.4.11 to 0.4.12 in /web/ui by @dependabot in
* Bump @codemirror/view from 6.33.0 to 6.34.1 in /web/ui by @dependabot in
* Bump actions/checkout from 4.1.7 to 4.2.0 in /scripts by @dependabot in
* Bump github/codeql-action from 3.26.6 to 3.26.10 by @dependabot in
* Bump @uiw/react-codemirror from 4.23.1 to 4.23.3 in /web/ui by @dependabot in
* Bump jsdom from 25.0.0 to 25.0.1 in /web/ui by @dependabot in
* Bump bufbuild/buf-setup-action from 1.39.0 to 1.43.0 by @dependabot in
* Bump @mantine/notifications from 7.12.2 to 7.13.1 in /web/ui by @dependabot in
* Bump @tanstack/react-query from 5.53.2 to 5.59.0 in /web/ui by @dependabot in
* Bump @mantine/code-highlight from 7.12.2 to 7.13.1 in /web/ui by @dependabot in
* Bump @eslint/js from 9.9.1 to 9.11.1 in /web/ui by @dependabot in
* Bump @types/jest from 29.5.12 to 29.5.13 in /web/ui by @dependabot in
* Bump vite from 5.4.2 to 5.4.8 in /web/ui by @dependabot in
* Bump actions/setup-node from 4.0.3 to 4.0.4 by @dependabot in
* Bump @codemirror/autocomplete from 6.18.0 to 6.18.1 in /web/ui by @dependabot in
* Bump eslint from 9.9.1 to 9.11.1 in /web/ui by @dependabot in
* Bump @tabler/icons-react from 2.47.0 to 3.19.0 in /web/ui by @dependabot in
* Bump globals from 15.9.0 to 15.10.0 in /web/ui by @dependabot in
* Bump postcss from 8.4.44 to 8.4.47 in /web/ui by @dependabot in
* [TEST] Scraping: Add microbenchmarks for OM CT parsing by @Maniktherana in
* CHANGELOG: Update changelog with API flag change for the otlp receiver by @jesusvazquez in
* [CHANGE] No longer ingest OM _created as timeseries if feature-flag 'created-timestamp-zero-ingestion' is enabled; fixed OM text CT conversion bug by @Maniktherana in
* Fix bug in rate vs float and histogram mixup by @krajorama in
* Allow blank issue reports again by @juliusv in
* Add a mutex and used ports list to the tests random port generator to avoid port collisions by @jadolg in
* Adds eval_info command to PromQL testing framework by @NeerajGartia21 in
* Bump the go-opentelemetry-io group with 9 updates by @dependabot in
* Bump github.com/prometheus/common from 0.57.0 to 0.60.0 in /documentation/examples/remote_storage by @dependabot in
* Bump google.golang.org/api from 0.195.0 to 0.199.0 by @dependabot in
* Notify web UI when starting up and shutting down by @roidelapluie in
* [BUGFIX] Scraping: Naive fixes and optimzations for `CreatedTimestamp` function by @Maniktherana in
* Fix flakiness of QueryLogTest by @roidelapluie in
* Bump github.com/linode/linodego from 1.40.0 to 1.41.0 by @dependabot in
* Style cleanups, mostly for web notifications and startup alert by @juliusv in
* [TEST] use "ErrorContains" or "EqualError" instead of "Contains(t, err.Error()" and "Equal(t, err.Error()" by @mmorel-35 in
* Bump actions/checkout from 4.1.6 to 4.2.0 by @dependabot in
* Bump go.uber.org/automaxprocs from 1.5.3 to 1.6.0 by @dependabot in
* textparse: Refactored benchmark by @bwplotka in
* Add missing flag storage.tsdb.allow-overlapping-compaction by @yeya24 in
* Bump google.golang.org/grpc from 1.66.0 to 1.67.1 by @dependabot in
* Bump golang.org/x/tools from 0.24.0 to 0.25.0 by @dependabot in
* build(deps): bump golang.org/x/tools from 0.25.0 to 0.26.0 by @dependabot in
* Bump github.com/gophercloud/gophercloud from 1.14.0 to 1.14.1 by @dependabot in
* textparse: Refactored main testing utils for reusability; fixed proto Units. by @bwplotka in
* Document the notifications API by @roidelapluie in
* chore!: adopt log/slog, remove go-kit/log by @tjhop in
* Bump github.com/digitalocean/godo from 1.122.0 to 1.126.0 by @dependabot in
* Bump github.com/klauspost/compress from 1.17.9 to 1.17.10 by @dependabot in
* Add a note for pre-built assets by @roidelapluie in
* docs: Declare "float literals are time durations" as stable by @beorn7 in
* consul: Initial implemenation of catalog filter support by @dekimsey in
* Add additional basic nhcb unit tests by @fionaliao in
* docs: Querying basics: remove what can be graphed by @hvnsweeting in
* storage: require selectors to always return matching results by @jan--f in
* Update chunk format docs with native histograms and OOO by @fionaliao in
* docs: Update chunk layot for NHCB by @beorn7 in
* fix: fix slice init length by @huochexizhan in
* [PERF] textparse: further optimzations for OM `CreatedTimestamps` by @Maniktherana in
* fix(notifier): avoid dropping known alertmanagers after each ApplyConfig by @machine424 in
* docs: extract HTTP client option documentation in their own sections by @roidelapluie in
* Fix `MemPostings.Add` and `MemPostings.Get` data race by @colega in
* Bump github.com/docker/docker from 27.2.0+incompatible to 27.3.1+incompatible by @dependabot in
* Bump the k8s-io group with 3 updates by @dependabot in
* discovery: Improve Azure test coverage to 50% by @mviswanathsai in
* bugfix: data race in head.Appender.AppendHistogram and Commit by @krajorama in
* [PERF] textparse: lightweight `p.isCreatedSeries()` by @Maniktherana in
* model: move classic NHCB conversion into its own file by @krajorama in
* Prepare 3.0.0-beta.1 by @bboreham in
* [BUGFIX] TSDB: Don't read in-order chunks from before head MinTime by @bboreham in
* Corrects the behaviour of binary opperators between histogram and float by @NeerajGartia21 in
* convertnhcb: use CutSuffix instead of regex replace for histogram name by @krajorama in
* discovery: aws/ec2 unit tests by @akunszt in
* Fix stddev/stdvar when aggregating histograms, NaNs, and infinities by @jhesketh in
* test(tsdb): add a reproducer for by @machine424 in
* chore(deps): update client_golang from 1.20.4 to 1.20.5 by @krajorama in
* config: remove expand-external-labels flag in release 3.0 by @jyz0309 in
* s/scrape_classic_histograms/always_scrape_classic_histograms (3.0 breaking change) by @bwplotka in
* fix(tsdb): populateWithDelChunkSeriesIterator corrupting chunk meta by @krajorama in
* Merge release-2.55 into main (interim) by @bboreham in
* Disallowing configure AM with the v1 api by @alanprot in
* feat: ProtobufParse.formatOpenMetricsFloat: improve float formatting … by @m chine424 in
* scrape: provide a fallback format by @alexgreenbank in
* fix(discovery): Handle cache.DeletedFinalStateUnknown in node informers' Delet Func by @machine424 in
* feat: normalize "le" and "quantile" labels values upon ingestion by @machine424 in
* test(cmd/prometheus): speed up test execution by t.Parallel() when possible by @machine424 in
* [FEATURE] rules: add labels at group level by @clwluvw in
* Add paginated feature to list rules api by @qinxx108 in
* feat: NHCB: convert classic histograms to nhcb in scrape MVP by @krajorama in
* feat(tools): add debug printouts to rules unit testing by @krajorama in
* docs: add keep_firing_for in alerting rules by @alexgreenbank in
* NHCB scrape: refactor state handling and speed up scrape test by @krajorama in
* Round function should ignore native histograms by @jhesketh in
* TSDB: Fix some edge cases when OOO is enabled by @Vanshikav123 in
* feat(nhcb): implement created timestamp handling by @krajorama in
* fix(nhcb): do not return nhcb from parse if exponential is present by @krajorama in
* Docs: Remove experimental note on out of order feature by @jesusvazquez in
* [CHANGE] Remote-write: default enable_http2 to false by @jan--f in
* slog: various fixes by @tjhop in
* 3.0 migration guide by @jan--f in
* prometheusremotewrite: support int exemplar value type by @CharlieTLe in
* fix(storage/mergeQuerier): fix a data race by @machine424 in
* Documented that WAL can still be written after memory-snapshot-on-shutdown by @Gopi-eng2202 in
* Agent: allow for ingestion of CT samples by @pedro-stanaka in
* fix(nhcb): created timestamp fails when keeping classic histograms by @krajorama in
* refactor: reorder fields in defaultSDConfig initialization by @3Juhwan in
* lezer-promql: fix missing types export in package.json by @jackw in
* discovery/kubernetes: optimize resolvePodRef by @GiedriusS in
* doc: fix formatting by @multani in
* tsdb.CircularExemplarStorage: Avoid racing by @aknuds1 in
* chore: fix function name in comment by @shenpengfeng in
* [REFACTORY] simplify appender commit by @nicolastakashi in
* Revert "Process `MemPostings.Delete()` with `GOMAXPROCS` workers" by @colegain
* Prepare release 3.0.0 rc.0 by @jan--f in
* bugfix: Fix otlp translator for foreign characters by @ArthurSens in
* tracing: add tcp events to remote store span by @jmichalek132 in
* log last series labelset when hitting OOO series labels by @yeya24 in
* Fix typos in tests by @ArthurSens in
* bugfix: Fix otlp translator switching colons to underscores in suffix adding mode by @ArthurSens in
* [BUILD] React-app: replace 0.55.0-rc.0 with 0.55.0 by @bboreham in
* otlptranslator: Harmonize non-UTF8 sanitization w/ naming rules. by @aknuds1 in
* Revert "Fix `MemPostings.Add` and `MemPostings.Get` data race (#15141)" by @bboreham in
* Add hidden flag for the delayed compaction random time window by @ahurtaud in
* Support UTF-8 metric names and labels in web UI by @juliusv in
* Merge main into 3.0 by @bboreham in
* Release 3.0.0 rc.0 by @jan--f in
* Fix selector / series formatting for empty metric names by @juliusv in
* docs: formatting and typo fixes to 3.0 migration guide by @fionaliao in
* Update prometheus/common by @roidelapluie in
* scrape: stop erroring on empty scrapes by @alexgreenbank in
* Enable auto-gomemlimit by default by @SuperQ in
* Enable auto-gomaxprocs by default by @SuperQ in
* Update migration.md for TSDB storage upgrade by @bwplotka in
* 3.0 Port: Allow UTF-8 characters in metric and label names as opt-in feature (plus config entry) by @bwplotka in
* Prep release 3.0.0 rc.1 by @jan--f in
* docs: additional formatting fixes to 3.0 migration guide by @fionaliao in
* [cherry pick] Fix auto reload when a config file with a syntax error is reverted by @roidelapluie in
* [BUGFIX] TSDB: Fix race on stale values in headAppender (#15322) by @jan--f in
* Prep release 3.0.0 by @jan--f in
New Contributors:
* @KofClubs made their first contribution in
* @pawarpranav83 made their first contribution in
* @NathanBaulch made their first contribution in
* @51n15t9r made their first contribution in
* @fungiboletus made their first contribution in
* @marioferh made their first contribution in
* @ringerc made their first contribution in
* @alex-kattathra-johnson made their first contribution in
* @fbs made their first contribution in
* @jadolg made their first contribution in
* @dekimsey made their first contribution in
* @hvnsweeting made their first contribution in
* @huochexizhan made their first contribution in
* @mviswanathsai made their first contribution in
* @clwluvw made their first contribution in
* @Vanshikav123 made their first contribution in
* @CharlieTLe made their first contribution in
* @Gopi-eng2202 made their first contribution in
* @pedro-stanaka made their first contribution in
* @3Juhwan made their first contribution in
* @jackw made their first contribution in
* @multani made their first contribution in
* @shenpengfeng made their first contribution in
* @jmichalek132 made their first contribution in