Release Notes

Harden PQescapeString and allied functions against invalidly-encoded input strings (Andres Freund, Noah Misch) § § § § § §

Data-quoting functions supplied by libpq now fully check the encoding validity of their input. If invalid characters are detected, they report an error if possible. For the ones that lack an error return convention, the output string is adjusted to ensure that the server will report invalid encoding and no intervening processing will be fooled by bytes that might happen to match single quote, backslash, etc.

The purpose of this change is to guard against SQL-injection attacks that are possible if one of these functions is used to quote crafted input. There is no hazard when the resulting string is sent directly to a PostgreSQL server (which would check its encoding anyway), but there is a risk when it is passed through psql or other client-side code. Historically such code has not carefully vetted encoding, and in many cases it's not clear what it should do if it did detect such a problem.

This fix is effective only if the data-quoting function, the server, and any intermediate processing agree on the character encoding that's being used. Applications that insert untrusted input into SQL commands should take special care to ensure that that's true.

Applications and drivers that quote untrusted input without using these libpq functions may be at risk of similar problems. They should first confirm the data is valid in the encoding expected by the server.

The PostgreSQL Project thanks Stephen Fewer for reporting this problem. (CVE-2025-1094)

Exclude parallel workers from connection privilege checks and limits (Tom Lane) §

Do not check datallowconn, rolcanlogin, and ACL_CONNECT privileges when starting a parallel worker, instead assuming that it's enough for the leader process to have passed similar checks originally. This avoids, for example, unexpected failures of parallelized queries when the leader is running as a role that lacks login privilege. In the same vein, enforce ReservedConnections, datconnlimit, and rolconnlimit limits only against regular backends, and count only regular backends while checking if the limits were already reached. Those limits are meant to prevent excessive consumption of process slots for regular backends --- but parallel workers and other special processes have their own pools of process slots with their own limit checks.

Fix possible re-use of stale results in window aggregates (David Rowley) §

A window aggregate with a “run condition” optimization and a pass-by-reference result type might incorrectly return the result from the previous partition instead of performing a fresh calculation.

Keep TransactionXmin in sync with MyProc->xmin (Heikki Linnakangas) §

This oversight could permit a process to try to access data that had already been vacuumed away. One known consequence is transient “could not access status of transaction” errors.

Fix race condition that could cause failure to add a newly-inserted catalog entry to a catalog cache list (Heikki Linnakangas) §

This could result, for example, in failure to use a newly-created function within an existing session.

Prevent possible catalog corruption when a system catalog is vacuumed concurrently with an update (Noah Misch) §

Fix data corruption when relation truncation fails (Thomas Munro) § § §

The filesystem calls needed to perform relation truncation could fail, leaving inconsistent state on disk (for example, effectively reviving deleted data). We can't really prevent that, but we can recover by dint of making such failures into PANICs, so that consistency is restored by replaying from WAL up to just before the attempted truncation. This isn't a hugely desirable behavior, but such failures are rare enough that it seems an acceptable solution.

Prevent checkpoints from starting during relation truncation (Robert Haas) §

This avoids a race condition wherein the modified file might not get fsync'd before completing the checkpoint, creating a risk of data corruption if the operating system crashes soon after.

Avoid possibly losing an update of pg_database.datfrozenxid when VACUUM runs concurrently with a REASSIGN OWNED that changes that database's owner (Kirill Reshke) §

Fix incorrect tg_updatedcols values passed to AFTER UPDATE triggers (Tom Lane) §

In some cases the tg_updatedcols bitmap could describe the set of columns updated by an earlier command in the same transaction, fooling the trigger into doing the wrong thing.

Also, prevent memory bloat caused by making too many copies of the tg_updatedcols bitmap.

Fix detach of a partition that has its own foreign-key constraint referencing a partitioned table (Amul Sul) §

In common cases, foreign keys are defined on a partitioned table's top level; but if instead one is defined on a partition and references a partitioned table, and the referencing partition is detached, the relevant pg_constraint entries were updated incorrectly. This led to errors like “could not find ON INSERT check triggers of foreign key constraint”.

Fix mis-processing of to_timestamp's FFn format codes (Tom Lane) §

An integer format code immediately preceding FFn would consume all available digits, leaving none for FFn.

When deparsing an XMLTABLE() expression, ensure that XML namespace names are double-quoted when necessary (Dean Rasheed) §

Include the ldapscheme option in pg_hba_file_rules() output (Laurenz Albe) § §

Don't merge UNION operations if their column collations aren't consistent (Tom Lane) §

Previously we ignored collations when deciding if it's safe to merge UNION steps into a single N-way UNION operation. This was arguably valid before the introduction of nondeterministic collations, but it's not anymore, since the collation in use can affect the definition of uniqueness.

Prevent “wrong varnullingrels” planner errors after pulling up a subquery that's underneath an outer join (Tom Lane) § §

Ignore nulling-relation marker bits when looking up statistics (Richard Guo) §

This oversight could lead to failure to use relevant statistics about expressions, or to “corrupt MVNDistinct entry” errors.

Fix missed expression processing for partition pruning steps (Tom Lane) §

This oversight could lead to “unrecognized node type” errors, and perhaps other problems, in queries accessing partitioned tables.

Allow dshash tables to grow past 1GB (Matthias van de Meent) §

This avoids errors like “invalid DSA memory alloc request size”. The case can occur for example in transactions that process several million tables.

Avoid possible integer overflow in bringetbitmap() (James Hunter, Evgeniy Gorbanyov) §

Since the result is only used for statistical purposes, the effects of this error were mostly cosmetic.

Ensure that an already-set process latch doesn't prevent the postmaster from noticing socket events (Thomas Munro) §

An extremely heavy workload of backends launching workers and workers exiting could prevent the postmaster from responding to incoming client connections in a timely fashion.

Prevent streaming standby servers from looping infinitely when reading a WAL record that crosses pages (Kyotaro Horiguchi, Alexander Kukushkin) §

This would happen when the record's continuation is on a page that needs to be read from a different WAL source.

Fix unintended promotion of FATAL errors to PANIC during early process startup (Noah Misch) §

This fixes some unlikely cases that would result in “PANIC: proc_exit() called in child process”.

Fix cases where an operator family member operator or support procedure could become a dangling reference (Tom Lane) § §

In some cases a data type could be dropped while references to its OID still remain in pg_amop or pg_amproc. While that caused no immediate issues, an attempt to drop the owning operator family would fail, and pg_dump would produce bogus output when dumping the operator family. This fix causes creation and modification of operator families/classes to add needed dependency entries so that dropping a data type will also drop any dependent operator family elements. That does not help vulnerable pre-existing operator families, though, so a band-aid has also been added to DROP OPERATOR FAMILY to prevent failure when dropping a family that has dangling members.

Fix multiple memory leaks in logical decoding output (Vignesh C, Masahiko Sawada, Boyu Yang) § § §

Fix small memory leak when updating the application_name or cluster_name settings (Tofig Aliev) §

Avoid integer overflow while testing wal_skip_threshold condition (Tom Lane) §

A transaction that created a very large relation could mistakenly decide to ensure durability by copying the relation into WAL instead of fsync'ing it, thereby negating the point of wal_skip_threshold. (This only matters when wal_level is set to minimal, else a WAL copy is required anyway.)

Fix unsafe order of operations during cache lookups (Noah Misch) §

The only known consequence was a usually-harmless “you don't own a lock of type ExclusiveLock” warning during GRANT TABLESPACE.

Fix possible “failed to resolve name” failures when using JIT on older ARM platforms (Thomas Munro) §

This could occur as a consequence of inconsistency about the default setting of -moutline-atomics between gcc and clang. At least Debian and Ubuntu are known to ship gcc and clang compilers that target armv8-a but differ on the use of outline atomics by default.

Fix assertion failure in WITH RECURSIVE ... UNION queries (David Rowley) §

Avoid assertion failure in rule deparsing if a set operation leaf query contains set operations (Man Zeng, Tom Lane) §

Avoid edge-case assertion failure in parallel query startup (Tom Lane) §

Fix assertion failure at shutdown when writing out the statistics file (Michael Paquier) §

In NULLIF(), avoid passing a read-write expanded object pointer to the data type's equality function (Tom Lane) §

The equality function could modify or delete the object if it's given a read-write pointer, which would be bad if we decide to return it as the NULLIF() result. There is probably no problem with any built-in equality function, but it's easy to demonstrate a failure with one coded in PL/pgSQL.

Ensure that expression preprocessing is applied to a default null value in INSERT (Tom Lane) §

If the target column is of a domain type, the planner must insert a coerce-to-domain step not just a null constant, and this expression missed going through some required processing steps. There is no known consequence with domains based on core data types, but in theory an error could occur with domains based on extension types.

Repair memory leaks in PL/Python (Mat Arye, Tom Lane) §

Repeated use of PLyPlan.execute or plpy.cursor resulted in memory leakage for the duration of the calling PL/Python function.

Fix PL/Tcl to compile with Tcl 9 (Peter Eisentraut) §

In the ecpg preprocessor, fix possible misprocessing of cursors that reference out-of-scope variables (Tom Lane) §

In ecpg, fix compile-time warnings about unsupported use of COPY ... FROM STDIN (Ryo Kanbayashi) §

Previously, the intended warning was not issued due to a typo.

Fix psql to safely handle file path names that are encoded in SJIS (Tom Lane) §

Some two-byte characters in SJIS have a second byte that is equal to ASCII backslash (\). These characters were corrupted by path name normalization, preventing access to files whose names include such characters.

Fix use of wrong version of pqsignal() in pgbench and psql (Fujii Masao, Tom Lane) §

This error could lead to misbehavior when using the -T option in pgbench or the \watch command in psql, due to interrupted system calls not being resumed as expected.

Fix misexecution of some nested \if constructs in pgbench (Michail Nikolaev) §

An \if command appearing within a false (not-being-executed) \if branch was incorrectly treated the same as \elif.

In pgbench, fix possible misdisplay of progress messages during table initialization (Yushi Ogiwara, Tatsuo Ishii, Fujii Masao) § §

Make pg_controldata more robust against corrupted pg_control files (Ilyasov Ian, Anton Voloshin) §

Since pg_controldata will attempt to print the contents of pg_control even if the CRC check fails, it must take care not to misbehave for invalid field values. This patch fixes some issues triggered by invalid timestamps and apparently-negative WAL segment sizes.

Fix possible crash in pg_dump with identity sequences attached to tables that are extension members (Tom Lane) §

Fix memory leak in pg_restore with zstd-compressed data (Tom Lane) §

The leak was per-decompression-operation, so would be most noticeable with a dump containing many tables or large objects.

Fix pg_basebackup to correctly handle pg_wal.tar files exceeding 2GB on Windows (Davinder Singh, Thomas Munro) § §

Use SQL-standard function bodies in the declarations of contrib/earthdistance's SQL-language functions (Tom Lane, Ronan Dunklau) §

This change allows their references to contrib/cube to be resolved during extension creation, reducing the risk of search-path-based failures and possible attacks.

In particular, this restores their usability in contexts like generated columns, for which PostgreSQL v17 restricts the search path on security grounds. We have received reports of databases failing to be upgraded to v17 because of that. This patch has been included in v16 to provide a workaround: updating the earthdistance extension to this version beforehand should allow an upgrade to succeed.

Update configuration probes that determine the compiler switches needed to access ARM CRC instructions (Tom Lane) §

On ARM platforms where the baseline CPU target lacks CRC instructions, we need to supply a -march switch to persuade the compiler to compile such instructions. Recent versions of gcc reject the value we were trying, leading to silently falling back to software CRC.

Fix meson build system to support old OpenSSL libraries on Windows (Darek Slusarczyk) §

Add support for the legacy library names ssleay32 and libeay32.

In Windows builds using meson, ensure all libcommon and libpgport functions are exported (Vladlen Popolitov, Heikki Linnakangas) § §

This fixes “unresolved external symbol” build errors for extensions.

Fix meson configuration process to correctly detect OSSP's uuid.h header file under MSVC (Andrew Dunstan) §

When building with meson, install pgevent in pkglibdir not bindir (Peter Eisentraut) §

This matches the behavior of the make-based build system and the old MSVC build system.

When building with meson, install sepgsql.sql under share/contrib/ not share/extension/ (Peter Eisentraut) §

This matches what the make-based build system does.

Update time zone data files to tzdata release 2025a for DST law changes in Paraguay, plus historical corrections for the Philippines (Tom Lane) §