Release date: 2021-11-11
This release contains a variety of fixes from 14.0. For information about new features in major release 14, see Section E.6.
A dump/restore is not required for those running 14.X.
However, note that installations using physical replication should update standby servers before the primary server, as explained in the third changelog entry below.
Also, several bugs have been found that may have resulted in corrupted indexes, as explained in the next several changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.
Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23222)
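An exposure check for the two handshake fixes above, added here as an example and not part of the release notes: the first query shows which release the server reports, and the second lists pg_hba.conf rules that accept network sessions without any authentication data being sent after the handshake. Treating trust the same as cert is an assumption of this example, and the pg_hba_file_rules view is readable only by superusers by default.

```sql
-- Added example (not from the release notes): exposure audit for
-- CVE-2021-23214 / CVE-2021-23222.

-- 1. Which server is this? 14.0 reports server_version_num = 140000;
--    releases after it report a higher number.
SELECT current_setting('server_version')              AS server_version,
       current_setting('server_version_num')::integer AS version_num,
       current_setting('ssl')                         AS ssl_enabled;

-- 2. Network rules that let a session start without the client sending
--    any authentication data once the encryption handshake is done.
--    Assumption of this example: 'trust' is treated the same as 'cert'.
SELECT line_number,
       type,
       database,
       user_name,
       address,
       auth_method,
       options
FROM   pg_hba_file_rules
WHERE  error IS NULL
  AND  type IN ('host', 'hostssl', 'hostgssenc')
  AND  auth_method IN ('cert', 'trust')
ORDER  BY line_number;
```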
Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Álvaro Herrera)
If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.
When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.
Ensure that parallel VACUUM doesn't miss any indexes (Peter Geoghegan, Masahiko Sawada)
A parallel VACUUM would fail to process indexes that are below the min_parallel_index_scan_size cutoff, if the table also has at least two indexes that are above that size. This could result in those indexes becoming corrupt, since they'd still contain references to any heap entries removed by the VACUUM; subsequent queries using such indexes would be likely to return rows they shouldn't. This problem does not affect autovacuum, since it doesn't use parallel vacuuming. However, it is advisable to reindex any manually-vacuumed tables that have the right mix of index sizes.
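A query for finding tables with that mix of index sizes, added here as an example and not part of the release notes: it lists tables that currently have at least two indexes at or above min_parallel_index_scan_size and at least one below it. It assumes that current index sizes and the current session's setting approximate those in effect when VACUUM ran; how an index exactly at the cutoff is counted is also an assumption.

```sql
-- Added example (not from the release notes): candidate tables for the
-- parallel VACUUM index-corruption case.
WITH cutoff AS (
    -- current_setting() returns the value with its unit (for example
    -- '512kB'); pg_size_bytes() converts it to bytes.
    SELECT pg_size_bytes(current_setting('min_parallel_index_scan_size')) AS bytes
),
idx AS (
    SELECT i.indrelid,
           i.indexrelid,
           pg_relation_size(i.indexrelid) AS index_bytes
    FROM   pg_index i
    JOIN   pg_class t ON t.oid = i.indrelid
    WHERE  t.relkind IN ('r', 'm')        -- plain tables and matviews
      AND  t.relpersistence <> 't'        -- skip temporary tables
)
SELECT idx.indrelid::regclass AS table_name,
       count(*) FILTER (WHERE idx.index_bytes >= cutoff.bytes)
           AS indexes_at_or_above_cutoff,
       -- These are the indexes a parallel VACUUM could have skipped.
       array_agg(idx.indexrelid::regclass ORDER BY idx.index_bytes)
           FILTER (WHERE idx.index_bytes < cutoff.bytes)
           AS indexes_below_cutoff
FROM   idx
CROSS  JOIN cutoff
GROUP  BY idx.indrelid
HAVING count(*) FILTER (WHERE idx.index_bytes >= cutoff.bytes) >= 2
   AND count(*) FILTER (WHERE idx.index_bytes <  cutoff.bytes) >= 1
ORDER  BY idx.indrelid::regclass::text;
```

The result is a candidate list only: the catalogs do not record whether a table was vacuumed manually or in parallel.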
     
Fix CREATE INDEX CONCURRENTLY to wait for the latest prepared transactions (Andrey Borodin)
Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for PREPARE TRANSACTION commands that were still in progress when CREATE INDEX CONCURRENTLY checked for them. As before, in installations that have enabled prepared transactions (max_prepared_transactions > 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin)
While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the CONCURRENTLY option. It is recommended to reindex any such indexes to make sure they are correct.
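A check for the missing-entry symptom described in the two CONCURRENTLY entries above, added here as an example and not part of the release notes: it uses contrib/amcheck's bt_index_check() with heapallindexed to confirm that every heap tuple has a matching entry in each B-tree index. The schema filter and ordering are choices of this example, and it covers B-tree indexes only.

```sql
-- Added example (not from the release notes). Requires contrib/amcheck.
CREATE EXTENSION IF NOT EXISTS amcheck;

-- The prepared-transaction case only applies when this is above zero;
-- the race-condition case applies regardless of the setting.
SHOW max_prepared_transactions;

-- heapallindexed => true makes the check verify that each heap tuple
-- is present in the index, which is what an index that missed rows
-- during a concurrent build would fail.
SELECT c.oid::regclass AS index_name,
       c.relpages,
       bt_index_check(index => c.oid, heapallindexed => true)
FROM   pg_index i
JOIN   pg_class c     ON c.oid = i.indexrelid
JOIN   pg_am am       ON am.oid = c.relam
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  am.amname = 'btree'
  AND  c.relkind = 'i'
  AND  c.relpersistence <> 't'            -- skip temporary relations
  AND  i.indisvalid                       -- skip invalid indexes
  AND  i.indisready                       -- skip indexes that are not ready
  AND  n.nspname NOT IN ('pg_catalog', 'pg_toast', 'information_schema')
ORDER  BY c.relpages;                     -- smallest indexes first
```

bt_index_check() stops with an error at the first index that fails. The heapallindexed test is probabilistic, so a clean pass lowers the odds of a missing entry rather than ruling it out.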
     
Fix REINDEX CONCURRENTLY to preserve operator class parameters that were attached to the target index (Michael Paquier)
Fix incorrect creation of shared dependencies when cloning a database that contains non-builtin objects (Aleksander Alekseev)
The effects of this error are probably limited in practice. In principle, it could allow a role to be dropped while it still owns objects; but most installations would never want to drop a role that had been used for objects they'd added to template1.
Ensure that the relation cache is invalidated for a table being attached to or detached from a partitioned table (Amit Langote, Álvaro Herrera)
This oversight could allow misbehavior of subsequent inserts/updates addressed directly to the partition, but only in currently-existing sessions.
Fix corruption of parse tree while creating a range type (Alex Kozhemyakin, Sergey Shinderuk)
CREATE TYPE incorrectly freed an element of the parse tree, which could cause problems for a later event trigger, or if the CREATE TYPE command was stored in the plan cache and used again later.
Fix updates of element fields in arrays of domain over composite (Tom Lane)
A command such as UPDATE tab SET fld[1].subfld = val failed if the array's elements were domains rather than plain composites.
Disallow the combination of FETCH FIRST WITH TIES and FOR UPDATE SKIP LOCKED (David Christensen)
FETCH FIRST WITH TIES necessarily fetches one more row than requested, since it cannot stop until it finds a row that is not a tie. In our current implementation, if FOR UPDATE is used then that row will also get locked even though it is not returned. That results in undesirable behavior if the SKIP LOCKED option is specified. It's difficult to change this without introducing a different set of undesirable behaviors, so for now, forbid the combination.
Disallow ALTER INDEX index ALTER COLUMN col SET (options) (Nathan Bossart, Michael Paquier)
While the parser accepted this, it's undocumented and doesn't actually work.
Fix corner-case loss of precision in numeric power() (Dean Rasheed)
The result could be inaccurate when the first argument is very close to 1.
Avoid choosing the wrong hash equality operator for Memoize plans (David Rowley)
This error could result in crashes or incorrect query results.
Fix planner error with pulling up subquery expressions into function rangetable entries (Tom Lane)
If a function in FROM laterally references the output of some sub-SELECT earlier in the FROM clause, and we are able to flatten that sub-SELECT into the outer query, the expression(s) copied into the function expression were not fully processed. This could lead to crashes at execution.
Avoid using MCV-only statistics to estimate the range of a column (Tom Lane)
There are corner cases in which ANALYZE will build a most-common-values (MCV) list but not a histogram, even though the MCV list does not account for all the observed values. In such cases, keep the planner from using the MCV list alone to estimate the range of column values.
Fix restoration of a Portal's snapshot inside a subtransaction (Bertrand Drouvot)
If a procedure commits or rolls back a transaction, and then its next significant action is inside a new subtransaction, snapshot management went wrong, leading to a dangling pointer and probable crash. A typical example in PL/pgSQL is a COMMIT immediately followed by a BEGIN ... EXCEPTION block that performs a query.
Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar)
This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.
Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov)
This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.
Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund)
There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.
Fix “could not find RecursiveUnion” error when EXPLAIN tries to print a filter condition attached to a WorkTableScan node (Tom Lane)
Ensure that the correct lock level is used when renaming a table (Nathan Bossart, Álvaro Herrera)
For historical reasons, ALTER INDEX ... RENAME can be applied to any sort of relation. The lock level required to rename an index is lower than that required to rename a table or other kind of relation, but the code got this wrong and would use the weaker lock level whenever the command is spelled ALTER INDEX.
Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Álvaro Herrera)
Prevent “snapshot reference leak” warning when lo_export() or a related function fails (Heikki Linnakangas)
Fix inefficient code generation for CoerceToDomain expression nodes (Ranier Vilela)
Avoid O(N^2) behavior in some list-manipulation operations (Nathan Bossart, Tom Lane)
These changes fix slow processing in several scenarios, including: when a standby replays a transaction that held many exclusive locks on the primary; when many files are due to be unlinked after a checkpoint; when hash aggregation involves many batches; and when pg_trgm extracts indexable conditions from a complex regular expression. Only the first of these scenarios has actually been reported from the field, but they all seem like plausible consequences of inefficient list deletions.
Add more defensive checks around B-tree posting list splits (Peter Geoghegan)
This change should help detect index corruption involving duplicate table TIDs.
Avoid assertion failure when inserting NaN into a BRIN float8 or float4 minmax_multi_ops index (Tomas Vondra)
In production builds, such cases would result in a somewhat inefficient, but not actually incorrect, index.
Allow the autovacuum launcher process to respond to pg_log_backend_memory_contexts() requests more quickly (Koyu Tanigawa)
Fix memory leak in HMAC hash calculations (Sergey Shinderuk)
Disallow setting huge_pages to on when shared_memory_type is sysv (Thomas Munro)
Previously, this setting was accepted, but it did nothing for lack of any implementation.
Fix checking of query type in PL/pgSQL's RETURN QUERY statement (Tom Lane)
RETURN QUERY should accept any query that can return tuples, e.g. UPDATE RETURNING. v14 accidentally disallowed anything but SELECT; moreover, the RETURN QUERY EXECUTE variant failed to apply any query-type check at all.
Fix pg_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada)
If a global (unrestricted) ALTER DEFAULT PRIVILEGES command revoked some present-by-default privilege, for example EXECUTE for functions, and then a restricted ALTER DEFAULT PRIVILEGES command granted that privilege again for a selected role or schema, pg_dump failed to dump the restricted privilege grant correctly.
Make pg_dump acquire shared lock on partitioned tables that are to be dumped (Tom Lane)
This oversight was usually pretty harmless, since once pg_dump has locked any of the leaf partitions, that would suffice to prevent significant DDL on the partitioned table itself. However problems could ensue when dumping a childless partitioned table, since no relevant lock would be held.
Fix crash in pg_dump when attempting to dump trigger definitions from a pre-8.3 server (Tom Lane)
Fix incorrect filename in pg_restore's error message about an invalid large object TOC file (Daniel Gustafsson)
Ensure that pgbench exits with non-zero status after a socket-level failure (Yugo Nagata, Fabien Coelho)
The desired behavior is to finish out the run but then exit with status 2. Also, fix the reporting of such errors.
Prevent pg_amcheck from checking temporary relations, as well as indexes that are invalid or not ready (Mark Dilger)
This avoids unhelpful checks of relations that will almost certainly appear inconsistent.
Make contrib/amcheck skip unlogged tables when running on a standby server (Mark Dilger)
It's appropriate to do this since such tables will be empty, and unlogged indexes were already handled similarly.
Change contrib/pg_stat_statements to read its “query texts” file in units of at most 1GB (Tom Lane)
Such large query text files are very unusual, but if they do occur, the previous coding would fail on Windows 64 (which rejects individual read requests of more than 2GB).
Fix null-pointer crash when contrib/postgres_fdw tries to report a data conversion error (Tom Lane)
Ensure that GetSharedSecurityLabel() can be used in a newly-started session that has not yet built its critical relation cache entries (Jeff Davis)
When running a TAP test, include the module's own directory in PATH (Andrew Dunstan)
This allows tests to find built programs that are not installed, such as custom test drivers.
Use the CLDR project's data to map Windows time zone names to IANA time zones (Tom Lane)
When running on Windows, initdb attempts to set the new cluster's timezone parameter to the IANA time zone matching the system's prevailing time zone. We were using a mapping table that we'd generated years ago and updated only fitfully; unsurprisingly, it contained a number of errors as well as omissions of recently-added zones. It turns out that CLDR has been tracking the most appropriate mappings, so start using their data. This change will not affect any existing installation, only newly-initialized clusters.
Update time zone data files to tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.
Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.