1. 07 Aug, 2017 10 commits
    • Tom Lane's avatar
      Last-minute updates for release notes. · a8b37ebe
      Tom Lane authored
      Security: CVE-2017-7546, CVE-2017-7547, CVE-2017-7548
      a8b37ebe
    • Peter Eisentraut's avatar
      Fix local/remote attribute mix-up in logical replication · fca17a93
      Peter Eisentraut authored
      This would lead to failures if local and remote tables have a different
      column order.  The tests previously didn't catch that because they only
      tested the initial data copy.  So add another test that exercises the
      apply worker.
      
      Author: Petr Jelinek <petr.jelinek@2ndquadrant.com>
      fca17a93
    • Peter Eisentraut's avatar
      Fix handling of dropped columns in logical replication · 0e58455d
      Peter Eisentraut authored
      The relation attribute map was not initialized for dropped columns,
      leading to errors later on.
      
      Author: Petr Jelinek <petr.jelinek@2ndquadrant.com>
      Reported-by: default avatarScott Milliken <scott@deltaex.com>
      Bug: #14769
      0e58455d
    • Tom Lane's avatar
      Require update permission for the large object written by lo_put(). · 8d988191
      Tom Lane authored
      lo_put() surely should require UPDATE permission, the same as lowrite(),
      but it failed to check for that, as reported by Chapman Flack.  Oversight
      in commit c50b7c09; backpatch to 9.4 where that was introduced.
      
      Tom Lane and Michael Paquier
      
      Security: CVE-2017-7548
      8d988191
    • Noah Misch's avatar
      Again match pg_user_mappings to information_schema.user_mapping_options. · e568e1ee
      Noah Misch authored
      Commit 3eefc510 claimed to make
      pg_user_mappings enforce the qualifications user_mapping_options had
      been enforcing, but its removal of a longstanding restriction left them
      distinct when the current user is the subject of a mapping yet has no
      server privileges.  user_mapping_options emits no rows for such a
      mapping, but pg_user_mappings includes full umoptions.  Change
      pg_user_mappings to show null for umoptions.  Back-patch to 9.2, like
      the above commit.
      
      Reviewed by Tom Lane.  Reported by Jeff Janes.
      
      Security: CVE-2017-7547
      e568e1ee
    • Heikki Linnakangas's avatar
      Don't allow logging in with empty password. · bf6b9e94
      Heikki Linnakangas authored
      Some authentication methods allowed it, others did not. In the client-side,
      libpq does not even try to authenticate with an empty password, which makes
      using empty passwords hazardous: an administrator might think that an
      account with an empty password cannot be used to log in, because psql
      doesn't allow it, and not realize that a different client would in fact
      allow it. To clear that confusion and to be be consistent, disallow empty
      passwords in all authentication methods.
      
      All the authentication methods that used plaintext authentication over the
      wire, except for BSD authentication, already checked that the password
      received from the user was not empty. To avoid forgetting it in the future
      again, move the check to the recv_password_packet function. That only
      forbids using an empty password with plaintext authentication, however.
      MD5 and SCRAM need a different fix:
      
      * In stable branches, check that the MD5 hash stored for the user does not
      not correspond to an empty string. This adds some overhead to MD5
      authentication, because the server needs to compute an extra MD5 hash, but
      it is not noticeable in practice.
      
      * In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
      string, or a password hash that corresponds to an empty string, is
      specified. The user-visible behavior is the same as in the stable branches,
      the user cannot log in, but it seems better to stop the empty password from
      entering the system in the first place. Secondly, it is fairly expensive to
      check that a SCRAM hash doesn't correspond to an empty string, because
      computing a SCRAM hash is much more expensive than an MD5 hash by design,
      so better avoid doing that on every authentication.
      
      We could clear the password on CREATE/ALTER ROLE also in stable branches,
      but we would still need to check at authentication time, because even if we
      prevent empty passwords from being stored in pg_authid, there might be
      existing ones there already.
      
      Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
      
      Security: CVE-2017-7546
      bf6b9e94
    • Peter Eisentraut's avatar
      Fix function name in code comment · 86524f03
      Peter Eisentraut authored
      Reported-by: default avatarPeter Geoghegan <pg@bowt.ie>
      86524f03
    • Peter Eisentraut's avatar
    • Peter Eisentraut's avatar
      Downgrade subscription refresh messages to DEBUG1 · 6f81306e
      Peter Eisentraut authored
      The NOTICE messages about tables being added or removed during
      subscription refresh would be incorrect and possibly confusing if the
      transaction rolls back, so silence them but keep them available for
      debugging.
      
      Discussion: https://www.postgresql.org/message-id/CAD21AoAvaXizc2h7aiNyK_i0FQSa-tmhpdOGwbhh7Jy544Ad4Q%40mail.gmail.com
      6f81306e
    • Tom Lane's avatar
      Update RELEASE_CHANGES' example of branch name format. · 655727d9
      Tom Lane authored
      We're planning to put an underscore before the major version number in
      branch names for v10 and later.  Make sure the recipe in RELEASE_CHANGES
      reflects that.
      
      In passing, add a reminder to consider doing pgindent right before
      the branch.
      
      Discussion: https://postgr.es/m/E1dAkjZ-0003MG-0U@gemulon.postgresql.org
      655727d9
  2. 06 Aug, 2017 2 commits
  3. 05 Aug, 2017 8 commits
  4. 04 Aug, 2017 7 commits
    • Robert Haas's avatar
      hash: Immediately after a bucket split, try to clean the old bucket. · ff98a5e1
      Robert Haas authored
      If it works, then we won't be storing two copies of all the tuples
      that were just moved.  If not, VACUUM will still take care of it
      eventually.  Per a report from AP and analysis from Amit Kapila, it
      seems that a bulk load can cause splits fast enough that VACUUM won't
      deal with the problem in time to prevent bloat.
      
      Amit Kapila; I rewrote the comment.
      
      Discussion: http://postgr.es/m/20170704105728.mwb72jebfmok2nm2@zip.com.au
      ff98a5e1
    • Tom Lane's avatar
      First-draft release notes for 9.6.4. · 03378c4d
      Tom Lane authored
      As usual, the release notes for other branches will be made by cutting
      these down, but put them up for community review first.
      03378c4d
    • Peter Eisentraut's avatar
      Message style improvements · 26d40ada
      Peter Eisentraut authored
      26d40ada
    • Robert Haas's avatar
      hash: Increase the number of possible overflow bitmaps by 8x. · 620b49a1
      Robert Haas authored
      Per a report from AP, it's not that hard to exhaust the supply of
      bitmap pages if you create a table with a hash index and then insert a
      few billion rows - and then you start getting errors when you try to
      insert additional rows.  In the particular case reported by AP,
      there's another fix that we can make to improve recycling of overflow
      pages, which is another way to avoid the error, but there may be other
      cases where this problem happens and that fix won't help.  So let's
      buy ourselves as much headroom as we can without rearchitecting
      anything.
      
      The comments claim that the old limit was 64GB, but it was really
      only 32GB, because we didn't use all the bits in the page for bitmap
      bits - only the largest power of 2 that could fit after deducting
      space for the page header and so forth.  Thus, we have 4kB per page
      for bitmap bits, not 8kB.  The new limit is thus actually 8 times the
      old *real* limit but only 4 times the old *purported* limit.
      
      Since this breaks on-disk compatibility, bump HASH_VERSION.  We've
      already done this earlier in this release cycle, so this doesn't cause
      any incremental inconvenience for people using pg_upgrade from
      releases prior to v10.  However, users who use pg_upgrade to reach
      10beta3 or later from 10beta2 or earlier will need to REINDEX any hash
      indexes again.
      
      Amit Kapila and Robert Haas
      
      Discussion: http://postgr.es/m/20170704105728.mwb72jebfmok2nm2@zip.com.au
      620b49a1
    • Tom Lane's avatar
      Apply ALTER ... SET NOT NULL recursively in ALTER ... ADD PRIMARY KEY. · c30f1770
      Tom Lane authored
      If you do ALTER COLUMN SET NOT NULL against an inheritance parent table,
      it will recurse to mark all the child columns as NOT NULL as well.  This
      is necessary for consistency: if the column is labeled NOT NULL then
      reading it should never produce nulls.
      
      However, that didn't happen in the case where ALTER ... ADD PRIMARY KEY
      marks a target column NOT NULL that wasn't before.  That was questionable
      from the beginning, and now Tushar Ahuja points out that it can lead to
      dump/restore failures in some cases.  So let's make that case recurse too.
      
      Although this is meant to fix a bug, it's enough of a behavioral change
      that I'm pretty hesitant to back-patch, especially in view of the lack
      of similar field complaints.  It doesn't seem to be too late to put it
      into v10 though.
      
      Michael Paquier, editorialized on slightly by me
      
      Discussion: https://postgr.es/m/b8794d6a-38f0-9d7c-ad4b-e85adf860fc9@enterprisedb.com
      c30f1770
    • Tom Lane's avatar
      Disallow SSL session tickets. · 97d3a0b0
      Tom Lane authored
      We don't actually support session tickets, since we do not create an SSL
      session identifier.  But it seems that OpenSSL will issue a session ticket
      on-demand anyway, which will then fail when used.  This results in
      reconnection failures when using ticket-aware client-side SSL libraries
      (such as the Npgsql .NET driver), as reported by Shay Rojansky.
      
      To fix, just tell OpenSSL not to issue tickets.  At some point in the
      far future, we might consider enabling tickets instead.  But the security
      implications of that aren't entirely clear; and besides it would have
      little benefit except for very short-lived database connections, which is
      Something We're Bad At anyhow.  It would take a lot of other work to get
      to a point where that would really be an exciting thing to do.
      
      While at it, also tell OpenSSL not to use a session cache.  This doesn't
      really do anything, since a backend would never populate the cache anyway,
      but it might gain some micro-efficiencies and/or reduce security
      exposures.
      
      Patch by me, per discussion with Heikki Linnakangas and Shay Rojansky.
      Back-patch to all supported versions.
      
      Discussion: https://postgr.es/m/CADT4RqBU8N-csyZuzaook-c795dt22Zcwg1aHWB6tfVdAkodZA@mail.gmail.com
      97d3a0b0
    • Peter Eisentraut's avatar
      Further unify ROLE and USER command grammar rules · b3744812
      Peter Eisentraut authored
      ALTER USER ... SET did not support all the syntax variants of ALTER ROLE
      ...  SET.  Fix that, and to avoid further deviations of this kind, unify
      many the grammar rules for ROLE/USER/GROUP commands.
      Reported-by: default avatarPavel Golub <pavel@microolap.com>
      b3744812
  5. 03 Aug, 2017 8 commits
  6. 02 Aug, 2017 5 commits
    • Alvaro Herrera's avatar
      Fix pg_dump's errno checking for zlib I/O · 4d57e838
      Alvaro Herrera authored
      Some error reports were reporting strerror(errno), which for some error
      conditions coming from zlib are wrong, resulting in confusing reports
      such as
        pg_restore: [compress_io] could not read from input file: Success
      which makes no sense.  To correctly extract the error message we need to
      use gzerror(), so let's do that.
      
      This isn't as comprehensive or as neat as I would like, but at least it
      should improve things in many common cases.  The zlib abstraction in
      compress_io does not seem to be applied consistently enough; we could
      perhaps improve that, but it seems master-only material, not a bug fix
      for back-patching.
      
      This problem goes back all the way, but I decided to apply back to 9.4
      only, because older branches don't contain commit 14ea8936 which this
      change depends on.
      
      Authors: Vladimir Kunschikov, Álvaro Herrera
      Discussion: https://postgr.es/m/1498120508308.9826@infotecs.ru
      4d57e838
    • Tom Lane's avatar
      Add pgtcl back to the list of externally-maintained client interfaces. · 80215156
      Tom Lane authored
      FlightAware is still maintaining this, and indeed is seemingly being
      more active with it than the pgtclng fork is.  List both, for the
      time being anyway.
      
      In the back branches, also back-port commit e20f679f and other
      recent updates to the client-interfaces list.  I think these are
      probably of current interest to users of back branches.  I did
      not touch the list of externally maintained PLs in the back
      branches, though.  Those are much more likely to be server version
      sensitive, and I don't know which of these PLs work all the way back.
      
      Discussion: https://postgr.es/m/20170730162612.1449.58796@wrigleys.postgresql.org
      80215156
    • Tom Lane's avatar
      Remove broken and useless entry-count printing in HASH_DEBUG code. · 9d4e5669
      Tom Lane authored
      init_htab(), with #define HASH_DEBUG, prints a bunch of hashtable
      parameters.  It used to also print nentries, but commit 44ca4022 changed
      that to "hash_get_num_entries(hctl)", which is wrong (the parameter should
      be "hashp").
      
      Rather than correct the coding, though, let's just remove that field from
      the printout.  The table must be empty, since we just finished building
      it, so expensively calculating the number of entries is rather pointless.
      Moreover hash_get_num_entries makes assumptions (about not needing locks)
      which we could do without in debugging code.
      
      Noted by Choi Doo-Won in bug #14764.  Back-patch to 9.6 where the
      faulty code was introduced.
      
      Discussion: https://postgr.es/m/20170802032353.8424.12274@wrigleys.postgresql.org
      9d4e5669
    • Peter Eisentraut's avatar
      Get a snapshot before COPY in table sync · cf652018
      Peter Eisentraut authored
      This fixes a crash if the local table has a function index and the
      function makes non-immutable calls.
      Reported-by: default avatarScott Milliken <scott@deltaex.com>
      Author: Masahiko Sawada <sawada.mshk@gmail.com>
      cf652018
    • Tom Lane's avatar
      Remove duplicate setting of SSL_OP_SINGLE_DH_USE option. · f352f91c
      Tom Lane authored
      Commit c0a15e07 moved the setting of OpenSSL's SSL_OP_SINGLE_DH_USE option
      into a new subroutine initialize_dh(), but forgot to remove it from where
      it was.  SSL_CTX_set_options() is a trivial function, amounting indeed to
      just "ctx->options |= op", hence there's no reason to contort the code or
      break separation of concerns to avoid calling it twice.  So separating the
      DH setup from disabling of old protocol versions is a good change, but we
      need to finish the job.
      
      Noted while poking into the question of SSL session tickets.
      f352f91c