Release date: 2025-02-13
This release contains a variety of fixes from 14.15. For information about new features in major release 14, see Section E.17.
A dump/restore is not required for those running 14.X.
However, if you are upgrading from a version earlier than 14.14, see Section E.3.
Harden PQescapeString and allied functions against invalidly-encoded input strings (Andres Freund, Noah Misch) § § § § § §
Data-quoting functions supplied by libpq now fully check the encoding validity of their input. If invalid characters are detected, they report an error if possible. For the ones that lack an error return convention, the output string is adjusted to ensure that the server will report invalid encoding and no intervening processing will be fooled by bytes that might happen to match single quote, backslash, etc.
The purpose of this change is to guard against SQL-injection attacks that are possible if one of these functions is used to quote crafted input. There is no hazard when the resulting string is sent directly to a PostgreSQL server (which would check its encoding anyway), but there is a risk when it is passed through psql or other client-side code. Historically such code has not carefully vetted encoding, and in many cases it's not clear what it should do if it did detect such a problem.
This fix is effective only if the data-quoting function, the server, and any intermediate processing agree on the character encoding that's being used. Applications that insert untrusted input into SQL commands should take special care to ensure that that's true.
Applications and drivers that quote untrusted input without using these libpq functions may be at risk of similar problems. They should first confirm the data is valid in the encoding expected by the server.
The PostgreSQL Project thanks Stephen Fewer for reporting this problem. (CVE-2025-1094)
Exclude parallel workers from connection privilege checks and limits (Tom Lane) §
Do not check datallowconn, rolcanlogin, and ACL_CONNECT privileges when starting a parallel worker, instead assuming that it's enough for the leader process to have passed similar checks originally. This avoids, for example, unexpected failures of parallelized queries when the leader is running as a role that lacks login privilege. In the same vein, enforce ReservedConnections, datconnlimit, and rolconnlimit limits only against regular backends, and count only regular backends while checking if the limits were already reached. Those limits are meant to prevent excessive consumption of process slots for regular backends --- but parallel workers and other special processes have their own pools of process slots with their own limit checks.
Keep TransactionXmin in sync with MyProc->xmin (Heikki Linnakangas) §
This oversight could permit a process to try to access data that had already been vacuumed away. One known consequence is transient “could not access status of transaction” errors.
Fix race condition that could cause failure to add a newly-inserted catalog entry to a catalog cache list (Heikki Linnakangas) §
This could result, for example, in failure to use a newly-created function within an existing session.
Prevent possible catalog corruption when a system catalog is vacuumed concurrently with an update (Noah Misch) §
Fix data corruption when relation truncation fails (Thomas Munro) § § §
The filesystem calls needed to perform relation truncation could fail, leaving inconsistent state on disk (for example, effectively reviving deleted data). We can't really prevent that, but we can recover by dint of making such failures into PANICs, so that consistency is restored by replaying from WAL up to just before the attempted truncation. This isn't a hugely desirable behavior, but such failures are rare enough that it seems an acceptable solution.
Prevent checkpoints from starting during relation truncation (Robert Haas) §
This avoids a race condition wherein the modified file might not get fsync'd before completing the checkpoint, creating a risk of data corruption if the operating system crashes soon after.
Use rename() not link()/unlink() to rename files (Nathan Bossart) §
The previous coding was intended to assure that the operation could not accidentally overwrite an existing file. However a failure could leave two links to the same file in existence, confusing subsequent operations and creating a risk of data corruption. In practice we do not use this functionality in places where the target filename could already exist, so it seems better to give up the no-overwrite guarantee to remove the multiple-link hazard.
Avoid possibly losing an update of pg_database.datfrozenxid when VACUUM runs concurrently with a REASSIGN OWNED that changes that database's owner (Kirill Reshke) §
Fix incorrect tg_updatedcols values passed to AFTER UPDATE triggers (Tom Lane) §
In some cases the tg_updatedcols bitmap could describe the set of columns updated by an earlier command in the same transaction, fooling the trigger into doing the wrong thing.
Also, prevent memory bloat caused by making too many copies of the tg_updatedcols bitmap.
Fix mis-processing of to_timestamp's FFn format codes (Tom Lane) §
An integer format code immediately preceding FFn would consume all available digits, leaving none for FFn.
When deparsing an XMLTABLE() expression, ensure that XML namespace names are double-quoted when necessary (Dean Rasheed) §
Include the ldapscheme option in pg_hba_file_rules() output (Laurenz Albe) § §
Don't merge UNION operations if their column collations aren't consistent (Tom Lane) §
Previously we ignored collations when deciding if it's safe to merge UNION steps into a single N-way UNION operation. This was arguably valid before the introduction of nondeterministic collations, but it's not anymore, since the collation in use can affect the definition of uniqueness.
Fix missed expression processing for partition pruning steps (Tom Lane) §
This oversight could lead to “unrecognized node type” errors, and perhaps other problems, in queries accessing partitioned tables.
Allow dshash tables to grow past 1GB (Matthias van de Meent) §
This avoids errors like “invalid DSA memory alloc request size”. The case can occur for example in transactions that process several million tables.
Avoid possible integer overflow in bringetbitmap() (James Hunter, Evgeniy Gorbanyov) §
Since the result is only used for statistical purposes, the effects of this error were mostly cosmetic.
Prevent streaming standby servers from looping infinitely when reading a WAL record that crosses pages (Kyotaro Horiguchi, Alexander Kukushkin) §
This would happen when the record's continuation is on a page that needs to be read from a different WAL source.
Improve performance of archiver process with many status files (Nathan Bossart) §
This change back-patches a fix originally made in v15, in response to reports of extremely poor archiving performance leading to downtime or loss of replicas.
Fix unintended promotion of FATAL errors to PANIC during early process startup (Noah Misch) §
This fixes some unlikely cases that would result in “PANIC: proc_exit() called in child process”.
Fix cases where an operator family member operator or support procedure could become a dangling reference (Tom Lane) § §
In some cases a data type could be dropped while references to its OID still remain in pg_amop or pg_amproc. While that caused no immediate issues, an attempt to drop the owning operator family would fail, and pg_dump would produce bogus output when dumping the operator family. This fix causes creation and modification of operator families/classes to add needed dependency entries so that dropping a data type will also drop any dependent operator family elements. That does not help vulnerable pre-existing operator families, though, so a band-aid has also been added to DROP OPERATOR FAMILY to prevent failure when dropping a family that has dangling members.
Fix multiple memory leaks in logical decoding output (Vignesh C, Masahiko Sawada, Boyu Yang) § §
Avoid low-probability crash on out-of-memory, due to missing check for failure return from malloc() (Karina Litskevich) §
Avoid integer overflow while testing wal_skip_threshold condition (Tom Lane) §
A transaction that created a very large relation could mistakenly decide to ensure durability by copying the relation into WAL instead of fsync'ing it, thereby negating the point of wal_skip_threshold. (This only matters when wal_level is set to minimal, else a WAL copy is required anyway.)
Fix unsafe order of operations during cache lookups (Noah Misch) §
The only known consequence was a usually-harmless “you don't own a lock of type ExclusiveLock” warning during GRANT TABLESPACE.
Fix possible “failed to resolve name” failures when using JIT on older ARM platforms (Thomas Munro) §
This could occur as a consequence of inconsistency about the default setting of -moutline-atomics between gcc and clang. At least Debian and Ubuntu are known to ship gcc and clang compilers that target armv8-a but differ on the use of outline atomics by default.
Fix handling of Windows junction points that are not of PostgreSQL origin (Thomas Munro) § §
Previously, initdb would fail if the path to the data directory included junction points whose expansion isn't in “drive absolute” format, or whose expansion points to another junction point.
Fix assertion failure in WITH RECURSIVE ... UNION queries (David Rowley) §
Avoid assertion failure in rule deparsing if a set operation leaf query contains set operations (Man Zeng, Tom Lane) §
Avoid edge-case assertion failure in parallel query startup (Tom Lane) §
In NULLIF(), avoid passing a read-write expanded object pointer to the data type's equality function (Tom Lane) §
The equality function could modify or delete the object if it's given a read-write pointer, which would be bad if we decide to return it as the NULLIF() result. There is probably no problem with any built-in equality function, but it's easy to demonstrate a failure with one coded in PL/pgSQL.
Ensure that expression preprocessing is applied to a default null value in INSERT (Tom Lane) §
If the target column is of a domain type, the planner must insert a coerce-to-domain step not just a null constant, and this expression missed going through some required processing steps. There is no known consequence with domains based on core data types, but in theory an error could occur with domains based on extension types.
Repair memory leaks in PL/Python (Mat Arye, Tom Lane) §
Repeated use of PLyPlan.execute or plpy.cursor resulted in memory leakage for the duration of the calling PL/Python function.
Fix PL/Tcl to compile with Tcl 9 (Peter Eisentraut) §
In the ecpg preprocessor, fix possible misprocessing of cursors that reference out-of-scope variables (Tom Lane) §
In ecpg, fix compile-time warnings about unsupported use of COPY ... FROM STDIN (Ryo Kanbayashi) §
Previously, the intended warning was not issued due to a typo.
Fix psql to safely handle file path names that are encoded in SJIS (Tom Lane) §
Some two-byte characters in SJIS have a second byte that is equal to ASCII backslash (\). These characters were corrupted by path name normalization, preventing access to files whose names include such characters.
Fix use of wrong version of pqsignal() in pgbench and psql (Fujii Masao, Tom Lane) §
This error could lead to misbehavior when using the -T option in pgbench or the \watch command in psql, due to interrupted system calls not being resumed as expected.
Fix misexecution of some nested \if constructs in pgbench (Michail Nikolaev) §
An \if command appearing within a false (not-being-executed) \if branch was incorrectly treated the same as \elif.
In pgbench, fix possible misdisplay of progress messages during table initialization (Yushi Ogiwara, Tatsuo Ishii, Fujii Masao) § §
Make pg_controldata more robust against corrupted pg_control files (Ilyasov Ian, Anton Voloshin) §
Since pg_controldata will attempt to print the contents of pg_control even if the CRC check fails, it must take care not to misbehave for invalid field values. This patch fixes some issues triggered by invalid timestamps and apparently-negative WAL segment sizes.
Fix possible crash in pg_dump with identity sequences attached to tables that are extension members (Tom Lane) §
Fix pg_basebackup to correctly handle pg_wal.tar files exceeding 2GB on Windows (Davinder Singh, Thomas Munro) § §
Update configuration probes that determine the compiler switches needed to access ARM CRC instructions (Tom Lane) §
On ARM platforms where the baseline CPU target lacks CRC instructions, we need to supply a -march switch to persuade the compiler to compile such instructions. Recent versions of gcc reject the value we were trying, leading to silently falling back to software CRC.
During configure, if a C23 compiler is detected, try asking for C17 (Thomas Munro) §
PostgreSQL versions before v16 will not compile under C23 rules. If the chosen compiler defaults to C23 or later, try adding a -std=gnu17 switch to change that. (If this won't work for your compiler, manually specify CFLAGS with a suitable switch.)
Update time zone data files to tzdata release 2025a for DST law changes in Paraguay, plus historical corrections for the Philippines (Tom Lane) §