Release date: 2021-08-12
This release contains a variety of fixes from 10.17. For information about new features in major release 10, see Section E.21.
A dump/restore is not required for those running 10.X.
However, if you are upgrading from a version earlier than 10.16, see Section E.5.
Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issue CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.
      Reject SELECT ... GROUP BY GROUPING SETS (()) FOR
      UPDATE (Tom Lane)
     
      This should be disallowed, just as FOR UPDATE
      with a plain GROUP BY is disallowed, but the test
      for that failed to handle empty grouping sets correctly.
      The end result would be a null-pointer dereference in the executor.
     
      Reject cases where a query in WITH
      rewrites to just NOTIFY (Tom Lane)
     
Such cases previously crashed.
      In numeric multiplication, round the result rather than
      failing if it would have more than 16383 digits after the decimal
      point (Dean Rasheed)
     
      Fix corner-case errors and loss of precision when
      raising numeric values to very large powers
      (Dean Rasheed)
     
      Fix division-by-zero failure in to_char()
      with EEEE format and a numeric input
      value less than 10^(-1001) (Dean Rasheed)
     
      Fix pg_size_pretty(bigint) to round negative
      values consistently with the way it rounds positive ones (and
      consistently with the numeric version) (Dean Rasheed,
      David Rowley)
     
      Make pg_filenode_relation(0, 0) return NULL
      rather than failing (Justin Pryzby)
     
      Make ALTER EXTENSION lock the extension when
      adding or removing a member object (Tom Lane)
     
      The previous coding allowed ALTER EXTENSION
      ADD/DROP to occur concurrently with DROP
      EXTENSION, leading to a crash or corrupt catalog entries.
     
      Fix ALTER SUBSCRIPTION to reject an empty slot
      name (Japin Li)
     
      Avoid alias conflicts in queries generated
      for REFRESH MATERIALIZED VIEW CONCURRENTLY
      (Tom Lane, Bharath Rupireddy)
     
      This command failed on materialized views containing columns with
      certain names, notably mv
      and newdata.
     
      Fix PREPARE TRANSACTION to check correctly
      for conflicting session-lifespan and transaction-lifespan locks
      (Tom Lane)
     
      A transaction cannot be prepared if it has both session-lifespan and
      transaction-lifespan locks on the same advisory-lock ID value.  This
      restriction was not fully checked, which could lead to a PANIC
      during PREPARE TRANSACTION.
     
      Fix misbehavior of DROP OWNED BY when the target
      role is listed more than once in an RLS policy (Tom Lane)
     
      Skip unnecessary error tests when removing a role from an RLS policy
      during DROP OWNED BY (Tom Lane)
     
      Notably, this fixes some cases where it was necessary to be a
      superuser to use DROP OWNED BY.
     
Allow index state flags to be updated transactionally (Michael Paquier, Andrey Lepikhov)
This avoids failures when dealing with index predicates that aren't really immutable. While that's not considered a supported case, the original reason for using a non-transactional update here is long gone, so we may as well change it.
      Avoid corrupting the plan cache entry when CREATE
      DOMAIN or ALTER DOMAIN appears
      in a cached plan (Tom Lane)
     
      Make walsenders show their latest replication commands
      in pg_stat_activity (Tom Lane)
     
Previously, a walsender would show its latest SQL command, which was confusing if it's now doing some replication operation instead. Now we show replication-protocol commands on the same footing as SQL commands.
      Make
      pg_settings.pending_restart
      show as true when the pertinent entry
      in postgresql.conf has been removed
      (Álvaro Herrera)
     
      pending_restart correctly showed the case
      where an entry that cannot be changed without a postmaster restart
      has been modified, but not where the entry had been removed
      altogether.
     
Fix corner-case failure of a new standby to follow a new primary (Dilip Kumar, Robert Haas)
Under a narrow combination of conditions, the standby could wind up trying to follow the wrong WAL timeline.
Update minimum recovery point when WAL replay of a transaction abort record causes file truncation (Fujii Masao)
File truncation is irreversible, so it's no longer safe to stop recovery at a point earlier than that record. The corresponding case for transaction commit was fixed years ago, but this one was overlooked.
In walreceivers, avoid attempting catalog lookups after an error (Masahiko Sawada, Bharath Rupireddy)
Ensure that a standby server's startup process will respond to a shutdown signal promptly while waiting for WAL to arrive (Fujii Masao, Soumyadeep Chakraborty)
Add locking to avoid reading incorrect relmapper data in the face of a concurrent write from another process (Heikki Linnakangas)
Improve checks for violations of replication protocol (Tom Lane)
Logical replication workers frequently used Asserts to check for cases that could be triggered by invalid or out-of-order replication commands. This seems unwise, so promote these tests to regular error checks.
Fix error cases and memory leaks in logical decoding of speculative insertions (Dilip Kumar)
      Fix plan cache reference leaks in some error cases in
      CREATE TABLE ... AS EXECUTE (Tom Lane)
     
Fix possible race condition when releasing BackgroundWorkerSlots (Tom Lane)
It's likely that this doesn't fix any observable bug on Intel hardware, but machines with weaker memory ordering rules could have problems.
Fix latent crash in sorting code (Ronan Dunklau)
One code path could attempt to free a null pointer. The case appears unreachable in the core server's use of sorting, but perhaps it could be triggered by extensions.
Prevent infinite loops in SP-GiST index insertion (Tom Lane)
In the event that INCLUDE columns take up enough space to prevent a leaf index tuple from ever fitting on a page, the text_ops operator class would get into an infinite loop vainly trying to make the tuple fit. While pre-v11 versions don't have INCLUDE columns, back-patch this anti-looping fix to them anyway, as it seems like a good defense against bugs in operator classes.
Ensure that SP-GiST index insertion can be terminated by a query cancel request (Tom Lane, Álvaro Herrera)
      Fix uninitialized-variable bug that could
      cause PL/pgSQL to act as though
      an INTO clause
      specified STRICT, even though it didn't
      (Tom Lane)
     
Don't abort the process for an out-of-memory failure in libpq's printing functions (Tom Lane)
      In ecpg, allow the numeric
      value INT_MIN (usually -2147483648) to be
      converted to integer (John Naylor)
     
In psql and other client programs, avoid overrunning the ends of strings when dealing with invalidly-encoded data (Tom Lane)
An incorrectly-encoded multibyte character near the end of a string could cause various processing loops to run past the string's terminating NUL, with results ranging from no detectable issue to a program crash, depending on what happens to be in the following memory. This is reminiscent of CVE-2006-2313, although these particular cases do not appear to have interesting security consequences.
Avoid “invalid creation date in header” warnings observed when running pg_restore on an archive file created in a different time zone (Tom Lane)
      Make pg_upgrade carry forward the old
      installation's oldestXID value (Bertrand Drouvot)
     
      Previously, the new installation's oldestXID was
      set to a value old enough to (usually) force immediate
      anti-wraparound autovacuuming.  That's not desirable from a
      performance standpoint; what's worse, installations using large
      values of autovacuum_freeze_max_age could suffer
      unwanted forced shutdowns soon after an upgrade.
     
Extend pg_upgrade to detect and warn about extensions that should be upgraded (Bruce Momjian)
      A script file is now produced containing the ALTER
      EXTENSION UPDATE commands needed to bring extensions up to
      the versions that are considered default in the new installation.
     
Avoid problems when switching pg_receivewal between compressed and non-compressed WAL storage (Michael Paquier)
      In contrib/postgres_fdw, avoid attempting
      catalog lookups after an error (Tom Lane)
     
While this usually worked, it's not very safe since the error might have been one that made catalog access nonfunctional. A side effect of the fix is that messages about data conversion errors will now mention the query's table and column aliases (if used) rather than the true underlying name of a foreign table or column.
Improve the isolation-test infrastructure (Tom Lane, Michael Paquier)
Allow isolation test steps to be annotated to show the expected completion order. This allows getting stable results from otherwise-racy test cases, without the long delays that we previously used (not entirely successfully) to fend off race conditions. Allow non-quoted identifiers as isolation test session/step names (formerly, all such names had to be double-quoted). Detect and warn about unused steps in isolation tests. Improve display of query results in isolation tests. Remove isolationtester's “dry-run” mode. Remove memory leaks in isolationtester itself.
Reduce overhead of cache-clobber testing (Tom Lane)
Fix PL/Python's regression tests to pass with Python 3.10 (Honza Horak)
      Make printf("%s", NULL)
      print (null) instead of crashing (Tom Lane)
     
      This should improve server robustness in corner cases, and it syncs
      our printf implementation with common libraries.
     
      Fix incorrect log message when point-in-time recovery stops at
      a ROLLBACK PREPARED record (Simon Riggs)
     
Clarify error messages referring to “non-negative” values (Bharath Rupireddy)
      Fix configure to work with OpenLDAP 2.5,
      which no longer has a separate libldap_r
      library (Adrian Ho, Tom Lane)
     
      If there is no libldap_r library, we now
      silently assume that libldap is thread-safe.
     
      Add new make targets world-bin
      and install-world-bin (Andrew Dunstan)
     
      These are the same as world
      and install-world respectively, except that they
      do not build or install the documentation.
     
      Fix make rule for TAP tests (prove_installcheck)
      to work in PGXS usage (Andrew Dunstan)
     
Allow PostgreSQL version 10 to build with ICU 69 and newer (Peter Eisentraut)
Avoid assuming that strings returned by GSSAPI libraries are null-terminated (Tom Lane)
The GSSAPI spec provides for a string pointer and length. It seems that in practice the next byte after the string is usually zero, so that our previous coding didn't actually fail; but we do have a report of AddressSanitizer complaints.
Enable building with GSSAPI on MSVC (Michael Paquier)
Fix various incompatibilities with modern Kerberos builds.
      In MSVC builds, include --with-pgport in the set of
      configure options reported by pg_config,
      if it had been specified (Andrew Dunstan)