PostgreSQL (64-bit) 歷史舊版本 Page17

更新時間：2016-08-11
更新細節：

What's new in this version:

Two security holes have been closed by this release:
- CVE-2016-5423: certain nested CASE expressions can cause the server to crash.
- CVE-2016-5424: database and role names with embedded special characters can allow code injection during administrative operations like pg_dumpall. The fix for the second issue also adds an option, -reuse-previous, to psql's connect command. pg_dumpall will also refuse to handle database and role names containing line breaks after the update. For more information on these issues and how they affect backwards-compatibility, see the Release Notes.

Bug Fixes and Improvements:
- This update also fixes a number of bugs reported in the last few months. Some of these issues affect only version 9.5, but many affect all supported versions
- Fix misbehaviors of IS NULL/IS NOT NULL with composite values
- Fix three areas where INSERT ... ON CONFLICT failed to work properly with other SQL features
- Make INET and CIDR data types properly reject bad IPv6 values
- Prevent crash in "point ## lseg" operator for NaN input
- Avoid possible crash in pg_get_expr()
- Fix several one-byte buffer over-reads in to_number()
- Don't needlessly plan query if WITH NO DATA is specified
- Avoid crash-unsafe state in expensive heap_update() paths
- Fix hint bit update during WAL replay of row locking operations
- Avoid unnecessary "could not serialize access" with FOR KEY SHARE
- Avoid crash in postgres -C when the specified variable is a null string
- Fix two issues with logical decoding and subtransactions
- Ensure that backends see up-to-date statistics for shared catalogs
- Prevent possible failure when vacuuming multixact IDs in an upgraded database
- When a manual ANALYZE specifies columns, don't reset changes_since_analyze
- Fix ANALYZE's overestimation of n_distinct for columns with nulls
- Fix bug in b-tree mark/restore processing
- Fix building of large (bigger than shared_buffers) hash indexes
- Prevent infinite loop in GiST index build with NaN values
- Fix possible crash during a nearest-neighbor indexscan
- Fix "PANIC: failed to add BRIN tuple" error
- Prevent possible crash during background worker shutdown
- Many fixes for issues in parallel pg_dump and pg_restore
- Make pg_basebackup accept -Z 0 as no compression
- Make regression tests safe for Danish and Welsh locales
- The libpq client library has also been updated to support future two-part PostgreSQL version numbers. This update also contains tzdata release 2016f, with updates for Kemerovo, Novosibirsk, Azerbaijan, Belarus, and Morocco

更新時間：2016-05-12
更新細節：

What's new in this version:

- Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards (Peter Geoghegan, Dave Vitek, Peter Eisentraut)
- This change prevents problems when there are multiple connections using OpenSSL within a single process and not all the code involved follows the same rules for when to clear the error queue. Failures have been reported specifically when a client application uses SSL connections in libpq concurrently with SSL connections using the PHP, Python, or Ruby wrappers for OpenSSL. It's possible for similar problems to arise within the server as well, if an extension module establishes an outgoing SSL connection.
- Fix "failed to build any N-way joins" planner error with a full join enclosed in the right-hand side of a left join (Tom Lane)
- Fix incorrect handling of equivalence-class tests in multilevel nestloop plans (Tom Lane)
- Given a three-or-more-way equivalence class of variables, such as X.X = Y.Y = Z.Z, it was possible for the planner to omit some of the tests needed to enforce that all the variables are actually equal, leading to join rows being output that didn't satisfy the WHERE clauses. For various reasons, erroneous plans were seldom selected in practice, so that this bug has gone undetected for a long time.
- Fix corner-case parser failures occurring when operator_precedence_warning is turned on (Tom Lane)
- An example is that SELECT (ARRAY[])::text[] gave an error, though it worked without the parentheses.
- Fix query-lifespan memory leak in GIN index scans (Julien Rouhaud)
- Fix query-lifespan memory leak and potential index corruption hazard in GIN index insertion (Tom Lane)
- The memory leak would typically not amount to much in simple queries, but it could be very substantial during a large GIN index build with high maintenance_work_mem.
- Fix possible misbehavior of TH, th, and Y,YYY format codes in to_timestamp() (Tom Lane)
- These could advance off the end of the input string, causing subsequent format codes to read garbage.
- Fix dumping of rules and views in which the array argument of a value operator ANY (array) construct is a sub-SELECT (Tom Lane)
- Disallow newlines in ALTER SYSTEM parameter values (Tom Lane)
- The configuration-file parser doesn't support embedded newlines in string literals, so we mustn't allow them in values to be inserted by ALTER SYSTEM.
- Fix ALTER TABLE ... REPLICA IDENTITY USING INDEX to work properly if an index on OID is selected (David Rowley)
- Avoid possible misbehavior after failing to remove a tablespace symlink (Tom Lane)
- Fix crash in logical decoding on alignment-picky platforms (Tom Lane, Andres Freund)
- The failure occurred only with a transaction large enough to spill to disk and a primary-key change within that transaction.
- Avoid repeated requests for feedback from receiver while shutting down walsender (Nick Cleaton)
- Make pg_regress use a startup timeout from the PGCTLTIMEOUT environment variable, if that's set (Tom Lane)
- This is for consistency with a behavior recently added to pg_ctl; it eases automated testing on slow machines.
- Fix pg_upgrade to correctly restore extension membership for operator families containing only one operator class (Tom Lane)
- In such a case, the operator family was restored into the new database, but it was no longer marked as part of the extension. This had no immediate ill effects, but would cause later pg_dump runs to emit output that would cause (harmless) errors on restore.
- Fix pg_upgrade to not fail when new-cluster TOAST rules differ from old (Tom Lane)
- pg_upgrade had special-case code to handle the situation where the new PostgreSQL version thinks that a table should have a TOAST table while the old version did not. That code was broken, so remove it, and instead do nothing in such cases; there seems no reason to believe that we can't get along fine without a TOAST table if that was okay according to the old version's rules.
- Fix atomic operations for PPC when using IBM's XLC compiler (Noah Misch)
- Reduce the number of SysV semaphores used by a build configured with --disable-spinlocks (Tom Lane)
- Rename internal function strtoi() to strtoint() to avoid conflict with a NetBSD library function (Thomas Munro)
- Fix reporting of errors from bind() and listen() system calls on Windows (Tom Lane)
- Reduce verbosity of compiler output when building with Microsoft Visual Studio (Christian Ullrich)
- Support building with Visual Studio 2015 (Michael Paquier, Petr Jelínek)
- Fix putenv() to work properly with Visual Studio 2013 (Michael Paquier)
- Avoid possibly-unsafe use of Windows' FormatMessage() function (Christian Ullrich)
- Use the FORMAT_MESSAGE_IGNORE_INSERTS flag where appropriate. No live bug is known to exist here, but it seems like a good idea to be careful.
- Update time zone data files to tzdata release 2016d for DST law changes in Russia and Venezuela. There are new zone names Europe/Kirov and Asia/Tomsk to reflect the fact that these regions now have different time zone histories from adjacent regions.

更新時間：2016-04-01
更新細節：

What's new in this version:

- A dump/restore is not required for those running 9.5.X.
- However, you may need to REINDEX some indexes after applying the update, as per the first changelog entry below.

Changes:
- Disable abbreviated keys for string sorting in non-C locales (Robert Haas)
- PostgreSQL 9.5 introduced logic for speeding up comparisons of string data types by using the standard C library function strxfrm() as a substitute for strcoll(). It now emerges that most versions of glibc (Linux's implementation of the C library) have buggy implementations of strxfrm() that, in some locales, can produce string comparison results that do not match strcoll(). Until this problem can be better characterized, disable the optimization in all non-C locales. (C locale is safe since it uses neither strcoll() nor strxfrm().)
- Unfortunately, this problem affects not only sorting but also entry ordering in B-tree indexes, which means that B-tree indexes on text, varchar, or char columns may now be corrupt if they sort according to an affected locale and were built or modified under PostgreSQL 9.5.0 or 9.5.1. Users should REINDEX indexes that might be affected.
- It is not possible at this time to give an exhaustive list of known-affected locales. C locale is known safe, and there is no evidence of trouble in English-based locales such as en_US, but some other popular locales such as de_DE are affected in most glibc versions.
- Maintain row-security status properly in cached plans (Stephen Frost)
- In a session that performs queries as more than one role, the plan cache might incorrectly re-use a plan that was generated for another role ID, thus possibly applying the wrong set of policies when row-level security (RLS) is in use. (CVE-2016-2193)
- Add must-be-superuser checks to some new contrib/pageinspect functions (Andreas Seltenreich)
- Most functions in the pageinspect extension that inspect bytea values disallow calls by non-superusers, but brin_page_type() and brin_metapage_info() failed to do so. Passing contrived bytea values to them might crash the server or disclose a few bytes of server memory. Add the missing permissions checks to prevent misuse. (CVE-2016-3065)
- Fix incorrect handling of indexed ROW() comparisons (Simon Riggs)
- Flaws in a minor optimization introduced in 9.5 caused incorrect results if the ROW() comparison matches the index ordering partially but not exactly (for example, differing column order, or the index contains both ASC and DESC columns). Pending a better solution, the optimization has been removed.
- Fix incorrect handling of NULL index entries in indexed ROW() comparisons (Tom Lane)
- An index search using a row comparison such as ROW(a, b) > ROW('x', 'y') would stop upon reaching a NULL entry in the b column, ignoring the fact that there might be non-NULL b values associated with later values of a.
- Avoid unlikely data-loss scenarios due to renaming files without adequate fsync() calls before and after (Michael Paquier, Tomas Vondra, Andres Freund)
- Fix incorrect behavior when rechecking a just-modified row in a query that does SELECT FOR UPDATE/SHARE and contains some relations that need not be locked (Tom Lane)
- Rows from non-locked relations were incorrectly treated as containing all NULLs during the recheck, which could result in incorrectly deciding that the updated row no longer passes the WHERE condition, or in incorrectly outputting NULLs.
- Fix bug in json_to_record() when a field of its input object contains a sub-object with a field name matching one of the requested output column names (Tom Lane)
- Fix nonsense result from two-argument form of jsonb_object() when called with empty arrays (Michael Paquier, Andrew Dunstan)
- Fix misbehavior in jsonb_set() when converting a path array element into an integer for use as an array subscript (Michael Paquier)
- Fix misformatting of negative time zone offsets by to_char()'s OF format code (Thomas Munro, Tom Lane)
- Fix possible incorrect logging of waits done by INSERT ... ON CONFLICT (Peter Geoghegan)
- Log messages would sometimes claim that the wait was due to an exclusion constraint although no such constraint was responsible.
- Ignore recovery_min_apply_delay parameter until recovery has reached a consistent state (Michael Paquier)
- Previously, standby servers would delay application of WAL records in response to recovery_min_apply_delay even while replaying the initial portion of WAL needed to make their database state valid. Since the standby is useless until it's reached a consistent database state, this was deemed unhelpful.
- Correctly handle cases where pg_subtrans is close to XID wraparound during server startup (Jeff Janes)
- Fix assorted bugs in logical decoding (Andres Freund)
- Trouble cases included tuples larger than one page when replica identity is FULL, UPDATEs that change a primary key within a transaction large enough to be spooled to disk, incorrect reports of "subxact logged without previous toplevel record", and incorrect reporting of a transaction's commit time.
- Fix planner error with nested security barrier views when the outer view has a WHERE clause containing a correlated subquery (Dean Rasheed)
- Fix memory leak in GIN index searches (Tom Lane)
- Fix corner-case crash due to trying to free localeconv() output strings more than once (Tom Lane)
- Fix parsing of affix files for ispell dictionaries (Tom Lane)
- The code could go wrong if the affix file contained any characters whose byte length changes during case-folding, for example I in Turkish UTF8 locales.
- Avoid use of sscanf() to parse ispell dictionary files (Artur Zakirov)
- This dodges a portability problem on FreeBSD-derived platforms (including OS X).
- Fix atomic-operations code used on PPC with IBM's xlc compiler (Noah Misch)
- This error led to rare failures of concurrent operations on that platform.
- Avoid a crash on old Windows versions (before 7SP1/2008R2SP1) with an AVX2-capable CPU and a Postgres build done with Visual Studio 2013 (Christian Ullrich)
- This is a workaround for a bug in Visual Studio 2013's runtime library, which Microsoft have stated they will not fix in that version.
- Fix psql's tab completion logic to handle multibyte characters properly (Kyotaro Horiguchi, Robert Haas)
- Fix psql's tab completion for SECURITY LABEL (Tom Lane)
- Pressing TAB after SECURITY LABEL might cause a crash or offering of inappropriate keywords.
- Make pg_ctl accept a wait timeout from the PGCTLTIMEOUT environment variable, if none is specified on the command line (Noah Misch)
- This eases testing of slower buildfarm members by allowing them to globally specify a longer-than-normal timeout for postmaster startup and shutdown.
- Fix incorrect test for Windows service status in pg_ctl (Manuel Mathar)
- The previous set of minor releases attempted to fix pg_ctl to properly determine whether to send log messages to Window's Event Log, but got the test backwards.
- Fix pgbench to correctly handle the combination of -C and -M prepared options (Tom Lane)
- In pg_upgrade, skip creating a deletion script when the new data directory is inside the old data directory (Bruce Momjian)
- Blind application of the script in such cases would result in loss of the new data directory.
- In PL/Perl, properly translate empty Postgres arrays into empty Perl arrays (Alex Hunsaker)
- Make PL/Python cope with function names that aren't valid Python identifiers (Jim Nasby)
- Fix multiple mistakes in the statistics returned by contrib/pgstattuple's pgstatindex() function (Tom Lane)
- Remove dependency on psed in MSVC builds, since it's no longer provided by core Perl (Michael Paquier, Andrew Dunstan)
- Update time zone data files to tzdata release 2016c for DST law changes in Azerbaijan, Chile, Haiti, Palestine, and Russia (Altai, Astrakhan, Kirov, Sakhalin, Ulyanovsk regions), plus historical corrections for Lithuania, Moldova, and Russia (Kaliningrad, Samara, Volgograd).

更新時間：2016-02-11
更新細節：

What's new in this version:

- Fix infinite loops and buffer-overrun problems in regular expressions (Tom Lane)
- Very large character ranges in bracket expressions could cause infinite loops in some cases, and memory overwrites in other cases. (CVE-2016-0773)
- Fix an oversight that caused hash joins to miss joining to some tuples of the inner relation in rare cases (Tomas Vondra, Tom Lane)
- Avoid pushdown of HAVING clauses when grouping sets are used (Andrew Gierth)
- Fix deparsing of ON CONFLICT arbiter WHERE clauses (Peter Geoghegan)
- Make %h and %r escapes in log_line_prefix work for messages emitted due to log_connections (Tom Lane)
- Previously, %h/%r started to work just after a new session had emitted the "connection received" log message; now they work for that message too.
- Avoid leaking a token handle during SSPI authentication (Christian Ullrich)
- Fix psql's det command to interpret its pattern argument the same way as other d commands with potentially schema-qualified patterns do (Reece Hart)
- In pg_ctl on Windows, check service status to decide where to send output, rather than checking if standard output is a terminal (Michael Paquier)
- Fix assorted corner-case bugs in pg_dump's processing of extension member objects (Tom Lane)
- Fix improper quoting of domain constraint names in pg_dump (Elvis Pranskevichus)
- Make pg_dump mark a view's triggers as needing to be processed after its rule, to prevent possible failure during parallel pg_restore (Tom Lane)
- Install guards in pgbench against corner-case overflow conditions during evaluation of script-specified division or modulo operators (Fabien Coelho, Michael Paquier)
- Suppress useless warning message when pg_receivexlog connects to a pre-9.4 server (Marco Nenciarini)
- Avoid dump/reload problems when using both plpython2 and plpython3 (Tom Lane)
- In principle, both versions of PL/Python can be used in the same database, though not in the same session (because the two versions of libpython cannot safely be used concurrently). However, pg_restore and pg_upgrade both do things that can fall foul of the same-session restriction. Work around that by changing the timing of the check.
- Fix PL/Python regression tests to pass with Python 3.5 (Peter Eisentraut)
- Prevent certain PL/Java parameters from being set by non-superusers (Noah Misch)
- This change mitigates a PL/Java security bug (CVE-2016-0766), which was fixed in PL/Java by marking these parameters as superuser-only. To fix the security hazard for sites that update PostgreSQL more frequently than PL/Java, make the core code aware of them also.
- Fix ecpg-supplied header files to not contain comments continued from a preprocessor directive line onto the next line (Michael Meskes)
- Such a comment is rejected by ecpg. It's not yet clear whether ecpg itself should be changed.
- Fix hstore_to_json_loose()'s test for whether an hstore value can be converted to a JSON number (Tom Lane)
- Previously this function could be fooled by non-alphanumeric trailing characters, leading to emitting syntactically-invalid JSON.
- In contrib/postgres_fdw, fix bugs triggered by use of tableoid in data-modifying commands (Etsuro Fujita, Robert Haas)
- Fix ill-advised restriction of NAMEDATALEN to be less than 256 (Robert Haas, Tom Lane)
- Improve reproducibility of build output by ensuring filenames are given to the linker in a fixed order (Christoph Berg)
- This avoids possible bitwise differences in the produced executable files from one build to the next.
- Ensure that dynloader.h is included in the installed header files in MSVC builds (Bruce Momjian, Michael Paquier)
- Update time zone data files to tzdata release 2016a for DST law changes in Cayman Islands, Metlakatla, and Trans-Baikal Territory (Zabaykalsky Krai), plus historical corrections for Pakistan.

更新時間：2016-01-08
更新細節：

What's new in this version:

- Allow INSERTs that would generate constraint conflicts to be turned into UPDATEs or ignored
- Add GROUP BY analysis features GROUPING SETS, CUBE and ROLLUP
- Add row-level security control
- Create mechanisms for tracking the progress of replication, including methods for identifying the origin of individual changes during logical replication
- Add Block Range Indexes (BRIN)
- Substantial performance improvements for sorting
- Substantial performance improvements for multi-CPU machines

更新時間：2015-10-08
更新細節：

What's new in this version:

- A dump/restore is not required for those running 9.4.X.
- However, if you are upgrading from a version earlier than 9.4.4, see Section E.2.

CHANGES:
- Guard against stack overflows in json parsing (Oskari Saarenmaa)
- If an application constructs PostgreSQL json or jsonb values from arbitrary user input, the application's users can reliably crash the PostgreSQL server, causing momentary denial of service. (CVE-2015-5289)
- Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh Kupershmidt)
- Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. (CVE-2015-5288)
- Fix subtransaction cleanup after a portal (cursor) belonging to an outer subtransaction fails (Tom Lane, Michael Paquier)
- A function executed in an outer-subtransaction cursor could cause an assertion failure or crash by referencing a relation created within an inner subtransaction.
- Fix possible deadlock during WAL insertion when commit_delay is set (Heikki Linnakangas)
- Ensure all relations referred to by an updatable view are properly locked during an update statement (Dean Rasheed)
- Fix insertion of relations into the relation cache "init file" (Tom Lane)
- An oversight in a patch in the most recent minor releases caused pg_trigger_tgrelid_tgname_index to be omitted from the init file. Subsequent sessions detected this, then deemed the init file to be broken and silently ignored it, resulting in a significant degradation in session startup time. In addition to fixing the bug, install some guards so that any similar future mistake will be more obvious.
- Avoid O(N^2) behavior when inserting many tuples into a SPI query result (Neil Conway)
- Improve LISTEN startup time when there are many unread notifications (Matt Newell)
- Fix performance problem when a session alters large numbers of foreign key constraints (Jan Wieck, Tom Lane)
- This was seen primarily when restoring pg_dump output for databases with many thousands of tables.
- Disable SSL renegotiation by default (Michael Paquier, Andres Freund)
- While use of SSL renegotiation is a good idea in theory, we have seen too many bugs in practice, both in the underlying OpenSSL library and in our usage of it. Renegotiation will be removed entirely in 9.5 and later. In the older branches, just change the default value of ssl_renegotiation_limit to zero (disabled).
- Lower the minimum values of the *_freeze_max_age parameters (Andres Freund)
- This is mainly to make tests of related behavior less time-consuming, but it may also be of value for installations with limited disk space.
- Limit the maximum value of wal_buffers to 2GB to avoid server crashes (Josh Berkus)
- Avoid logging complaints when a parameter that can only be set at server start appears multiple times in postgresql.conf, and fix counting of line numbers after an include_dir directive (Tom Lane)
- Fix rare internal overflow in multiplication of numeric values (Dean Rasheed)
- Guard against hard-to-reach stack overflows involving record types, range types, json, jsonb, tsquery, ltxtquery and query_int (Noah Misch)
- Fix handling of DOW and DOY in datetime input (Greg Stark)
- These tokens aren't meant to be used in datetime values, but previously they resulted in opaque internal error messages rather than "invalid input syntax".
- Add more query-cancel checks to regular expression matching (Tom Lane)
- Add recursion depth protections to regular expression, SIMILAR TO, and LIKE matching (Tom Lane)
- Suitable search patterns and a low stack depth limit could lead to stack-overrun crashes.
- Fix potential infinite loop in regular expression execution (Tom Lane)
- A search pattern that can apparently match a zero-length string, but actually doesn't match because of a back reference, could lead to an infinite loop.
- In regular expression execution, correctly record match data for capturing parentheses within a quantifier even when the match is zero-length (Tom Lane)
- Fix low-memory failures in regular expression compilation (Andreas Seltenreich)
- Fix low-probability memory leak during regular expression execution (Tom Lane)
- Fix rare low-memory failure in lock cleanup during transaction abort (Tom Lane)
- Fix "unexpected out-of-memory situation during sort" errors when using tuplestores with small work_mem settings (Tom Lane)
- Fix very-low-probability stack overrun in qsort (Tom Lane)
- Fix "invalid memory alloc request size" failure in hash joins with large work_mem settings (Tomas Vondra, Tom Lane)
- Fix assorted planner bugs (Tom Lane)
- These mistakes could lead to incorrect query plans that would give wrong answers, or to assertion failures in assert-enabled builds, or to odd planner errors such as "could not devise a query plan for the given query", "could not find pathkey item to sort", "plan should not reference subplan's variable", or "failed to assign all NestLoopParams to plan nodes". Thanks are due to Andreas Seltenreich and Piotr Stefaniak for fuzz testing that exposed these problems.
- Improve planner's performance for UPDATE/DELETE on large inheritance sets (Tom Lane, Dean Rasheed)
- Ensure standby promotion trigger files are removed at postmaster startup (Michael Paquier, Fujii Masao)
- This prevents unwanted promotion from occurring if these files appear in a database backup that is used to initialize a new standby server.
- During postmaster shutdown, ensure that per-socket lock files are removed and listen sockets are closed before we remove the postmaster.pid file (Tom Lane)
- This avoids race-condition failures if an external script attempts to start a new postmaster as soon as pg_ctl stop returns.
- Ensure that the postmaster does not exit until all its child processes are gone, even in an immediate shutdown (Tom Lane)
- Like the previous item, this avoids possible race conditions against a subsequently-started postmaster.
- Fix postmaster's handling of a startup-process crash during crash recovery (Tom Lane)
- If, during a crash recovery cycle, the startup process crashes without having restored database consistency, we'd try to launch a new startup process, which typically would just crash again, leading to an infinite loop.
- Make emergency autovacuuming for multixact wraparound more robust (Andres Freund)
- Do not print a WARNING when an autovacuum worker is already gone when we attempt to signal it, and reduce log verbosity for such signals (Tom Lane)
- Prevent autovacuum launcher from sleeping unduly long if the server clock is moved backwards a large amount (Álvaro Herrera)
- Ensure that cleanup of a GIN index's pending-insertions list is interruptable by cancel requests (Jeff Janes)
- Allow all-zeroes pages in GIN indexes to be reused (Heikki Linnakangas)
- Such a page might be left behind after a crash.
- Fix handling of all-zeroes pages in SP-GiST indexes (Heikki Linnakangas)
- VACUUM attempted to recycle such pages, but did so in a way that wasn't crash-safe.
- Fix off-by-one error that led to otherwise-harmless warnings about "apparent wraparound" in subtrans/multixact truncation (Thomas Munro)
- Fix misreporting of CONTINUE and MOVE statement types in PL/pgSQL's error context messages (Pavel Stehule, Tom Lane)
- Fix PL/Perl to handle non-ASCII error message texts correctly (Alex Hunsaker)
- Fix PL/Python crash when returning the string representation of a record result (Tom Lane)
- Fix some places in PL/Tcl that neglected to check for failure of malloc() calls (Michael Paquier, Álvaro Herrera)
- In contrib/isn, fix output of ISBN-13 numbers that begin with 979 (Fabien Coelho)
- EANs beginning with 979 (but not 9790) are considered ISBNs, but they must be printed in the new 13-digit format, not the 10-digit format.
- Improve contrib/pg_stat_statements' handling of query-text garbage collection (Peter Geoghegan)
- The external file containing query texts could bloat to very large sizes; once it got past 1GB attempts to trim it would fail, soon leading to situations where the file could not be read at all.
- Improve contrib/postgres_fdw's handling of collation-related decisions (Tom Lane)
- The main user-visible effect is expected to be that comparisons involving varchar columns will be sent to the remote server for execution in more cases than before.
- Improve libpq's handling of out-of-memory conditions (Michael Paquier, Heikki Linnakangas)
- Fix memory leaks and missing out-of-memory checks in ecpg (Michael Paquier)
- Fix psql's code for locale-aware formatting of numeric output (Tom Lane)
- The formatting code invoked by pset numericlocale on did the wrong thing for some uncommon cases such as numbers with an exponent but no decimal point. It could also mangle already-localized output from the money data type.
- Prevent crash in psql's c command when there is no current connection (Noah Misch)
- Make pg_dump handle inherited NOT VALID check constraints correctly (Tom Lane)
- Fix selection of default zlib compression level in pg_dump's directory output format (Andrew Dunstan)
- Ensure that temporary files created during a pg_dump run with tar-format output are not world-readable (Michael Paquier)
- Fix pg_dump and pg_upgrade to support cases where the postgres or template1 database is in a non-default tablespace (Marti Raudsepp, Bruce Momjian)
- Fix pg_dump to handle object privileges sanely when dumping from a server too old to have a particular privilege type (Tom Lane)
- When dumping data types from pre-9.2 servers, and when dumping functions or procedural languages from pre-7.3 servers, pg_dump would produce GRANT/REVOKE commands that revoked the owner's grantable privileges and instead granted all privileges to PUBLIC. Since the privileges involved are just USAGE and EXECUTE, this isn't a security problem, but it's certainly a surprising representation of the older systems' behavior. Fix it to leave the default privilege state alone in these cases.
- Fix pg_dump to dump shell types (Tom Lane)
- Shell types (that is, not-yet-fully-defined types) aren't useful for much, but nonetheless pg_dump should dump them.
- Fix assorted minor memory leaks in pg_dump and other client-side programs (Michael Paquier)
- Fix pgbench's progress-report behavior when a query, or pgbench itself, gets stuck (Fabien Coelho)
- Fix spinlock assembly code for Alpha hardware (Tom Lane)
- Fix spinlock assembly code for PPC hardware to be compatible with AIX's native assembler (Tom Lane)
- Building with gcc didn't work if gcc had been configured to use the native assembler, which is becoming more common.
- On AIX, test the -qlonglong compiler option rather than just assuming it's safe to use (Noah Misch)
- On AIX, use -Wl,-brtllib link option to allow symbols to be resolved at runtime (Noah Misch)
- Perl relies on this ability in 5.8.0 and later.
- Avoid use of inline functions when compiling with 32-bit xlc, due to compiler bugs (Noah Misch)
- Use librt for sched_yield() when necessary, which it is on some Solaris versions (Oskari Saarenmaa)
- Translate encoding UHC as Windows code page 949 (Noah Misch)
- This fixes presentation of non-ASCII log messages from processes that are not attached to any particular database, such as the postmaster.
- On Windows, avoid failure when doing encoding conversion to UTF16 outside a transaction, such as for log messages (Noah Misch)
- Fix postmaster startup failure due to not copying setlocale()'s return value (Noah Misch)
- This has been reported on Windows systems with the ANSI code page set to CP936 ("Chinese (Simplified, PRC)"), and may occur with other multibyte code pages.
- Fix Windows install.bat script to handle target directory names that contain spaces (Heikki Linnakangas)
- Make the numeric form of the PostgreSQL version number (e.g., 90405) readily available to extension Makefiles, as a variable named VERSION_NUM (Michael Paquier)
- Update time zone data files to tzdata release 2015g for DST law changes in Cayman Islands, Fiji, Moldova, Morocco, Norfolk Island, North Korea, Turkey, and Uruguay. There is a new zone name America/Fort_Nelson for the Canadian Northern Rockies.

更新時間：2015-06-13
更新細節：

What's new in this version:

Changes:
Fix possible failure to recover from an inconsistent database state:
- Recent PostgreSQL releases introduced mechanisms to protect against multixact wraparound, but some of that code did not account for the possibility that it would need to run during crash recovery, when the database may not be in a consistent state. This could result in failure to restart after a crash, or failure to start up a secondary server. The lingering effects of a previously-fixed bug in pg_upgrade could also cause such a failure, in installations that had used pg_upgrade versions between 9.3.0 and 9.3.4.
- The pg_upgrade bug in question was that it would set oldestMultiXid to 1 in pg_control even if the true value should be higher. With the fixes introduced in this release, such a situation will result in immediate emergency autovacuuming until a correct oldestMultiXid value can be determined. If that would pose a hardship, users can avoid it by doing manual vacuuming before upgrading to this release.

In detail:
- Check whether pg_controldata reports "Latest checkpoint's oldestMultiXid" to be 1. If not, there's nothing to do.
- Look in PGDATA/pg_multixact/offsets to see if there's a file named 0000. If there is, there's nothing to do.
- Otherwise, for each table that has pg_class.relminmxid equal to 1, VACUUM that table with both vacuum_multixact_freeze_min_age and vacuum_multixact_freeze_table_age set to zero. (You can use the vacuum cost delay parameters described in Section 18.4.4 to reduce the performance consequences for concurrent sessions.)

Fix rare failure to invalidate relation cache init file:
- With just the wrong timing of concurrent activity, a VACUUM FULL on a system catalog might fail to update the "init file" that's used to avoid cache-loading work for new sessions. This would result in later sessions being unable to access that catalog at all. This is a very ancient bug, but it's so hard to trigger that no reproducible case had been seen until recently.

Avoid deadlock between incoming sessions and CREATE/DROP DATABASE:
- A new session starting in a database that is the target of a DROP DATABASE command, or is the template for a CREATE DATABASE command, could cause the command to wait for five seconds and then fail, even if the new session would have exited before that.

Improve planner's cost estimates for semi-joins and anti-joins with inner indexscans:
- This type of plan is quite cheap when all the join clauses are used as index scan conditions, even if the inner scan would nominally fetch many rows, because the executor will stop after obtaining one row. The planner only partially accounted for that effect, and would therefore overestimate the cost, leading it to possibly choose some other much less efficient plan type.

更新時間：2015-06-05
更新細節：

What's new in this version:

- Avoid failures while fsync'ing data directory during crash restart
- In the previous minor releases we added a patch to fsync everything in the data directory after a crash. Unfortunately its response to any error condition was to fail, thereby preventing the server from starting up, even when the problem was quite harmless. An example is that an unwritable file in the data directory would prevent restart on some platforms; but it is common to make SSL certificate files unwritable by the server. Revise this behavior so that permissions failures are ignored altogether, and other types of failures are logged but do not prevent continuing.
- Also apply the same rules in initdb --sync-only. This case is less critical but it should act similarly.
- Fix pg_get_functiondef() to show functions' LEAKPROOF property, if set
- Fix pushJsonbValue() to unpack jbvBinary objects (Andrew Dunstan)
- This change does not affect any behavior in the core code as of 9.4, but it avoids a corner case for possible third-party callers.
- Remove configure's check prohibiting linking to a threaded libpython on OpenBSD
- The failure this restriction was meant to prevent seems to not be a problem anymore on current OpenBSD versions.

更新時間：2015-05-24
更新細節：

What's new in this version:

Migration to Version 9.4.2:
- A dump/restore is not required for those running 9.4.X.
- However, if you use contrib/citext's regexp_matches() functions, see the changelog entry below about that.
- Also, if you are upgrading from a version earlier than 9.4.1, see Section E.2. Changes:
- Avoid possible crash when client disconnects just before the authentication timeout expires
- If the timeout interrupt fired partway through the session shutdown sequence, SSL-related state would be freed twice, typically causing a crash and hence denial of service to other sessions. Experimentation shows that an unauthenticated remote attacker could trigger the bug somewhat consistently, hence treat as security issue.
- Improve detection of system-call failures
- Our replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure, due to our code assuming that a buffer had been overwritten when it hadn't been. Also, there were a few places in which security-relevant calls of other system library functions did not check for failure.
- It remains possible that some calls of the *printf() family of functions are vulnerable to information disclosure if an out-of-memory error occurs at just the wrong time. We judge the risk to not be large, but will continue analysis in this area.
- In contrib/pgcrypto, uniformly report decryption failures as "Wrong key or corrupt data"
- Previously, some cases of decryption with an incorrect key could report other error message texts. It has been shown that such variance in error reports can aid attackers in recovering keys from other systems. While it's unknown whether pgcrypto's specific behaviors are likewise exploitable, it seems better to avoid the risk by using a one-size-fits-all message.
- Protect against wraparound of multixact member IDs
- Under certain usage patterns, the existing defenses against this might be insufficient, allowing pg_multixact/members files to be removed too early, resulting in data loss. The fix for this includes modifying the server to fail transactions that would result in overwriting old multixact member ID data, and improving autovacuum to ensure it will act proactively to prevent multixact member ID wraparound, as it does for transaction ID wraparound.
- Fix incorrect declaration of contrib/citext's regexp_matches() functions
- These functions should return setof text[], like the core functions they are wrappers for; but they were incorrectly declared as returning just text[]. This mistake had two results: first, if there was no match you got a scalar null result, whereas what you should get is an empty set (zero rows). Second, the g flag was effectively ignored, since you would get only one result array even if there were multiple matches.
- While the latter behavior is clearly a bug, there might be applications depending on the former behavior; therefore the function declarations will not be changed by default until PostgreSQL 9.5. In pre-9.5 branches, the old behavior exists in version 1.0 of the citext extension, while we have provided corrected declarations in version 1.1 (which is not installed by default). To adopt the fix in pre-9.5 branches, execute ALTER EXTENSION citext UPDATE TO '1.1' in each database in which citext is installed. (You can also "update" back to 1.0 if you need to undo that.) Be aware that either update direction will require dropping and recreating any views or rules that use citext's regexp_matches() functions.
- Render infinite dates and timestamps as infinity when converting to json, rather than throwing an error
- Fix json/jsonb's populate_record() and to_record() functions to handle empty input properly
- Fix incorrect checking of deferred exclusion constraints after a HOT update
- If a new row that potentially violates a deferred exclusion constraint is HOT-updated (that is, no indexed columns change and the row can be stored back onto the same table page) later in the same transaction, the exclusion constraint would be reported as violated when the check finally occurred, even if the row(s) the new row originally conflicted with had been deleted.
- Fix behavior when changing foreign key constraint deferrability status with ALTER TABLE ... ALTER CONSTRAINT
- Operations later in the same session or concurrent sessions might not honor the status change promptly.
- Fix planning of star-schema-style queries
- Sometimes, efficient scanning of a large table requires that index parameters be provided from more than one other table (commonly, dimension tables whose keys are needed to index a large fact table). The planner should be able to find such plans, but an overly restrictive search heuristic prevented it.
- Prevent improper reordering of antijoins (NOT EXISTS joins) versus other outer joins
- This oversight in the planner has been observed to cause "could not find RelOptInfo for given relids" errors, but it seems possible that sometimes an incorrect query plan might get past that consistency check and result in silently-wrong query output.
- Fix incorrect matching of subexpressions in outer-join plan nodes
- Previously, if textually identical non-strict subexpressions were used both above and below an outer join, the planner might try to re-use the value computed below the join, which would be incorrect because the executor would force the value to NULL in case of an unmatched outer row.
- Fix GEQO planner to cope with failure of its join order heuristic (Tom Lane)
- This oversight has been seen to lead to "failed to join all relations together" errors in queries involving LATERAL, and that might happen in other cases as well.
- Ensure that row locking occurs properly when the target of an UPDATE or DELETE is a security-barrier view
- Use a file opened for read/write when syncing replication slot data during database startup
- On some platforms, the previous coding could result in errors like "could not fsync file "pg_replslot/...": Bad file descriptor".
- Fix possible deadlock at startup when max_prepared_transactions is too small
- Don't archive useless preallocated WAL files after a timeline switch
- Recursively fsync() the data directory after a crash
- This ensures consistency if another crash occurs shortly later. (The second crash would have to be a system-level crash, not just a database crash, for there to be a problem.)
- Fix autovacuum launcher's possible failure to shut down, if an error occurs after it receives SIGTERM
- Fix failure to handle invalidation messages for system catalogs early in session startup
- This oversight could result in failures in sessions that start concurrently with a VACUUM FULL on a system catalog.
- Fix crash in BackendIdGetTransactionIds() when trying to get status for a backend process that just exited
- Cope with unexpected signals in LockBufferForCleanup()
- This oversight could result in spurious errors about "multiple backends attempting to wait for pincount 1".
- Fix crash when doing COPY IN to a table with check constraints that contain whole-row references
- The known failure case only crashes in 9.4 and up, but there is very similar code in 9.3 and 9.2, so back-patch those branches as well.
- Avoid waiting for WAL flush or synchronous replication during commit of a transaction that was read-only so far as the user is concerned
- Previously, a delay could occur at commit in transactions that had written WAL due to HOT page pruning, leading to undesirable effects such as sessions getting stuck at startup if all synchronous replicas are down. Sessions have also been observed to get stuck in catchup interrupt processing when using synchronous replication; this will fix that problem as well.
- Avoid busy-waiting with short recovery_min_apply_delay values
- Fix crash when manipulating hash indexes on temporary tables
- Fix possible failure during hash index bucket split, if other processes are modifying the index concurrently
- Fix memory leaks in GIN index vacuum
- Check for interrupts while analyzing index expressions
- ANALYZE executes index expressions many times; if there are slow functions in such an expression, it's desirable to be able to cancel the ANALYZE before that loop finishes.
- Ensure tableoid of a foreign table is reported correctly when a READ COMMITTED recheck occurs after locking rows in SELECT FOR UPDATE, UPDATE, or DELETE
- Add the name of the target server to object description strings for foreign-server user mappings
- Include the schema name in object identity strings for conversions
- Recommend setting include_realm to 1 when using Kerberos/GSSAPI/SSPI authentication
- Without this, identically-named users from different realms cannot be distinguished. For the moment this is only a documentation change, but it will become the default setting in PostgreSQL 9.5.
- Remove code for matching IPv4 pg_hba.conf entries to IPv4-in-IPv6 addresses
- This hack was added in 2003 in response to a report that some Linux kernels of the time would report IPv4 connections as having IPv4-in-IPv6 addresses. However, the logic was accidentally broken in 9.0. The lack of any field complaints since then shows that it's not needed anymore. Now we have reports that the broken code causes crashes on some systems, so let's just remove it rather than fix it. (Had we chosen to fix it, that would make for a subtle and potentially security-sensitive change in the effective meaning of IPv4 pg_hba.conf entries, which does not seem like a good thing to do in minor releases.)
- Fix status reporting for terminated background workers that were never actually started
- After a database crash, don't restart background workers that are marked BGW_NEVER_RESTART
- Report WAL flush, not insert, position in IDENTIFY_SYSTEM replication command
- This avoids a possible startup failure in pg_receivexlog.
- While shutting down service on Windows, periodically send status updates to the Service Control Manager to prevent it from killing the service too soon; and ensure that pg_ctl will wait for shutdown
- Reduce risk of network deadlock when using libpq's non-blocking mode
- When sending large volumes of data, it's important to drain the input buffer every so often, in case the server has sent enough response data to cause it to block on output. (A typical scenario is that the server is sending a stream of NOTICE messages during COPY FROM STDIN.) This worked properly in the normal blocking mode, but not so much in non-blocking mode. We've modified libpq to opportunistically drain input when it can, but a full defense against this problem requires application cooperation: the application should watch for socket read-ready as well as write-ready conditions, and be sure to call PQconsumeInput() upon read-ready.
- In libpq, fix misparsing of empty values in URI connection strings
- Fix array handling in ecpg
- Fix psql to sanely handle URIs and conninfo strings as the first parameter to connect
- This syntax has been accepted (but undocumented) for a long time, but previously some parameters might be taken from the old connection instead of the given string, which was agreed to be undesirable.
- Suppress incorrect complaints from psql on some platforms that it failed to write ~/.psql_history at exit
- This misbehavior was caused by a workaround for a bug in very old (pre-2006) versions of libedit. We fixed it by removing the workaround, which will cause a similar failure to appear for anyone still using such versions of libedit. Recommendation: upgrade that library, or use libreadline.
- Fix pg_dump's rule for deciding which casts are system-provided casts that should not be dumped
- In pg_dump, fix failure to honor -Z compression level option together with -Fd
- Make pg_dump consider foreign key relationships between extension configuration tables while choosing dump order
- This oversight could result in producing dumps that fail to reload because foreign key constraints are transiently violated.
- Avoid possible pg_dump failure when concurrent sessions are creating and dropping temporary functions
- Fix dumping of views that are just VALUES(...) but have column aliases
- Ensure that a view's replication identity is correctly set to nothing during dump/restore
- Previously, if the view was involved in a circular dependency, it might wind up with an incorrect replication identity property.
- In pg_upgrade, force timeline 1 in the new cluster
- This change prevents upgrade failures caused by bogus complaints about missing WAL history files.
- In pg_upgrade, check for improperly non-connectable databases before proceeding
- In pg_upgrade, quote directory paths properly in the generated delete_old_cluster script
- In pg_upgrade, preserve database-level freezing info properly
- This oversight could cause missing-clog-file errors for tables within the postgres and template1 databases.
- Run pg_upgrade and pg_resetxlog with restricted privileges on Windows, so that they don't fail when run by an administrator
- Improve handling of readdir() failures when scanning directories in initdb and pg_basebackup
- Fix slow sorting algorithm in contrib/intarray
- Fix compile failure on Sparc V8 machines
- Silence some build warnings on OS X
- Update time zone data files to tzdata release 2015d for DST law changes in Egypt, Mongolia, and Palestine, plus historical changes in Canada and Chile. Also adopt revised zone abbreviations for the America/Adak zone (HST/HDT not HAST/HADT).

更新時間：2015-02-08
更新細節：

What's new in this version:

Fix buffer overruns in to_char() (Bruce Momjian):
- When to_char() processes a numeric formatting template calling for a large number of digits, PostgreSQL would read past the end of a buffer. When processing a crafted timestamp formatting template, PostgreSQL would write past the end of a buffer. Either case could crash the server. We have not ruled out the possibility of attacks that lead to privilege escalation, though they seem unlikely. (CVE-2015-0241)

Fix buffer overrun in replacement *printf() functions (Tom Lane):
- PostgreSQL includes a replacement implementation of printf and related functions. This code will overrun a stack buffer when formatting a floating point number (conversion specifiers e, E, f, F, g or G) with requested precision greater than about 500. This will crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. A database user can trigger such a buffer overrun through the to_char() SQL function. While that is the only affected core PostgreSQL functionality, extension modules that use printf-family functions may be at risk as well. This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of these functions where adequate, which it is on other modern platforms. (CVE-2015-0242)

Fix buffer overruns in contrib/pgcrypto (Marko Tiikkaja, Noah Misch):
- Errors in memory size tracking within the pgcrypto module permitted stack buffer overruns and improper dependence on the contents of uninitialized memory. The buffer overrun cases can crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. (CVE-2015-0243)

Fix possible loss of frontend/backend protocol synchronization after an error (Heikki Linnakangas):
- If any error occurred while the server was in the middle of reading a protocol message from the client, it could lose synchronization and incorrectly try to interpret part of the message's data as a new protocol message. An attacker able to submit crafted binary data within a command parameter might succeed in injecting his own SQL commands this way. Statement timeout and query cancellation are the most likely sources of errors triggering this scenario. Particularly vulnerable are applications that use a timeout and also submit arbitrary user-crafted data as binary query parameters. Disabling statement timeout will reduce, but not eliminate, the risk of exploit. Our thanks to Emil Lenngren for reporting this issue. (CVE-2015-0244)

Fix information leak via constraint-violation error messages (Stephen Frost):
- Some server error messages show the values of columns that violate a constraint, such as a unique constraint. If the user does not have SELECT privilege on all columns of the table, this could mean exposing values that the user should not be able to see. Adjust the code so that values are displayed only when they came from the SQL command or could be selected by the user. (CVE-2014-8161)

Lock down regression testing's temporary installations on Windows (Noah Misch):
- Use SSPI authentication to allow connections only from the OS user who launched the test suite. This closes on Windows the same vulnerability previously closed on other platforms, namely that other users might be able to connect to the test postmaster. (CVE-2014-0067)

Fix use-of-already-freed-memory problem in EvalPlanQual processing (Tom Lane):
- In READ COMMITTED mode, queries that lock or update recently-updated rows could crash as a result of this bug.

Fix jsonb Unicode escape processing, and in consequence disallow u0000 (Tom Lane):
- Previously, the JSON Unicode escape u0000 was accepted and was stored as those six characters; but that is indistinguishable from what is stored for the input u0000, resulting in ambiguity. Moreover, in cases where de-escaped textual output is expected, such as the ->> operator, the sequence was printed as u0000, which does not meet the expectation that JSON escaping would be removed. (Consistent behavior would require emitting a zero byte, but PostgreSQL does not support zero bytes embedded in text strings.) 9.4.0 included an ill-advised attempt to improve this situation by adjusting JSON output conversion rules; but of course that could not fix the fundamental ambiguity, and it turned out to break other usages of Unicode escape sequences. Revert that, and to avoid the core problem, reject u0000 in jsonb input. If a jsonb column contains a u0000 value stored with 9.4.0, it will henceforth read out as though it were u0000, which is the other valid interpretation of the data stored by 9.4.0 for this case. The json type did not have the storage-ambiguity problem, but it did have the problem of inconsistent de-escaped textual output. Therefore u0000 will now also be rejected in json values when conversion to de-escaped form is required. This change does not break the ability to store u0000 in json columns so long as no processing is done on the values. This is exactly parallel to the cases in which non-ASCII Unicode escapes are allowed when the database encoding is not UTF8.

Fix namespace handling in xpath() (Ali Akbar):
- Previously, the xml value resulting from an xpath() call would not have namespace declarations if the namespace declarations were attached to an ancestor element in the input xml value, rather than to the specific element being returned. Propagate the ancestral declaration so that the result is correct when considered in isolation.

Fix assorted oversights in range-operator selectivity estimation (Emre Hasegeli):
- This patch fixes corner-case "unexpected operator NNNN" planner errors, and improves the selectivity estimates for some other cases.

Revert unintended reduction in maximum size of a GIN index item (Heikki Linnakangas):
- 9.4.0 could fail with "index row size exceeds maximum" errors for data that previous versions would accept.

Change "pgstat wait timeout" warning message to be LOG level, and rephrase it to be more understandable (Tom Lane):
- This message was originally thought to be essentially a can't-happen case, but it occurs often enough on our slower buildfarm members to be a nuisance. Reduce it to LOG level, and expend a bit more effort on the wording: it now reads "using stale statistics instead of current ones because stats collector is not responding".

Fix libpq's behavior when /etc/passwd isn't readable (Tom Lane):
- While doing PQsetdbLogin(), libpq attempts to ascertain the user's operating system name, which on most Unix platforms involves reading /etc/passwd. As of 9.4, failure to do that was treated as a hard error. Restore the previous behavior, which was to fail only if the application does not provide a database role name to connect as. This supports operation in chroot environments that lack an /etc/passwd file.
- Improve consistency of parsing of psql's special variables (Tom Lane):
- Allow variant spellings of on and off (such as 1/0) for ECHO_HIDDEN and ON_ERROR_ROLLBACK. Report a warning for unrecognized values for COMP_KEYWORD_CASE, ECHO, ECHO_HIDDEN, HISTCONTROL, ON_ERROR_ROLLBACK, and VERBOSITY. Recognize all values for all these variables case-insensitively; previously there was a mishmash of case-sensitive and case-insensitive behaviors.
- Handle unexpected query results, especially NULLs, safely in contrib/tablefunc's connectby() (Michael Paquier): connectby() previously crashed if it encountered a NULL key value. It now prints that row but doesn't recurse further.
- Numerous cleanups of warnings from Coverity static code analyzer (Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier):
- These changes are mostly cosmetic but in some cases fix corner-case bugs, for example a crash rather than a proper error report after an out-of-memory failure. None are believed to represent security issues.

Allow CFLAGS from configure's environment to override automatically-supplied CFLAGS (Tom Lane):
- Previously, configure would add any switches that it chose of its own accord to the end of the user-specified CFLAGS string. Since most compilers process switches left-to-right, this meant that configure's choices would override the user-specified flags in case of conflicts. That should work the other way around, so adjust the logic to put the user's string at the end not the beginning.

Make pg_regress remove any temporary installation it created upon successful exit (Tom Lane):
- This results in a very substantial reduction in disk space usage during make check-world, since that sequence involves creation of numerous temporary installations.

Miscellaneous changes:
- Add CST (China Standard Time) to our lists of timezone abbreviations (Tom Lane)
- Update time zone data files to tzdata release 2015a for DST law changes in Chile and Mexico, plus historical changes in Iceland. Avoid possible deadlock while trying to acquire tuple locks in EvalPlanQual processing (Álvaro Herrera, Mark Kirkwood)
- Fix failure to wait when a transaction tries to acquire a FOR NO KEY EXCLUSIVE tuple lock, while multiple other transactions currently hold FOR SHARE locks (Álvaro Herrera)
- Improve performance of EXPLAIN with large range tables (Tom Lane)
- Fix query-duration memory leak during repeated GIN index rescans (Heikki Linnakangas)
- Fix possible crash when using nonzero gin_fuzzy_search_limit (Heikki Linnakangas)
- Assorted fixes for logical decoding (Andres Freund)
- Fix incorrect replay of WAL parameter change records that report changes in the wal_log_hints setting (Petr Jalinek)
- Warn if OS X's setlocale() starts an unwanted extra thread inside the postmaster (Noah Misch)
- Fix pg_dump to handle comments on event triggers without failing (Tom Lane)
- Allow parallel pg_dump to use --serializable-deferrable (Kevin Grittner)
- Prevent WAL files created by pg_basebackup -x/-X from being archived again when the standby is promoted (Andres Freund)