Release date: 2018-03-01
This release contains a variety of fixes from 9.3.21. For information about new features in the 9.3 major release, see Section E.84.
A dump/restore is not required for those running 9.3.X.
However, if you run an installation in which not all users are mutually trusting, or if you maintain an application or extension that is intended for use in arbitrary situations, it is strongly recommended that you read the documentation changes described in the first changelog entry below, and take suitable steps to ensure that your installation or code is secure.
Also, the changes described in the second changelog entry below may cause functions used in index expressions or materialized views to fail during auto-analyze, or when reloading from a dump. After upgrading, monitor the server logs for such problems, and fix affected functions.
Also, if you are upgrading from a version earlier than 9.3.18, see Section E.66.
Document how to configure installations and applications to guard against search-path-dependent trojan-horse attacks from other users (Noah Misch)
      Using a search_path setting that includes any
      schemas writable by a hostile user enables that user to capture
      control of queries and then run arbitrary SQL code with the
      permissions of the attacked user.  While it is possible to write
      queries that are proof against such hijacking, it is notationally
      tedious, and it's very easy to overlook holes.  Therefore, we now
      recommend configurations in which no untrusted schemas appear in
      one's search path.  Relevant documentation appears in
      Section 5.8.6 (for database administrators and users),
      Section 34.1 (for application authors),
      Section 38.16.1  (for extension authors), and
      CREATE FUNCTION (for authors
      of SECURITY DEFINER functions).
      (CVE-2018-1058)
     
      Avoid use of insecure search_path settings
      in pg_dump and other client programs
      (Noah Misch, Tom Lane)
     
      pg_dump,
      pg_upgrade,
      vacuumdb and
      other PostgreSQL-provided applications were
      themselves vulnerable to the type of hijacking described in the previous
      changelog entry; since these applications are commonly run by
      superusers, they present particularly attractive targets.  To make them
      secure whether or not the installation as a whole has been secured,
      modify them to include only the pg_catalog
      schema in their search_path settings.
      Autovacuum worker processes now do the same, as well.
     
      In cases where user-provided functions are indirectly executed by
      these programs — for example, user-provided functions in index
      expressions — the tighter search_path may
      result in errors, which will need to be corrected by adjusting those
      user-provided functions to not assume anything about what search path
      they are invoked under.  That has always been good practice, but now
      it will be necessary for correct behavior.
      (CVE-2018-1058)
     
Fix misbehavior of concurrent-update rechecks with CTE references appearing in subplans (Tom Lane)
      If a CTE (WITH clause reference) is used in an
      InitPlan or SubPlan, and the query requires a recheck due to trying
      to update or lock a concurrently-updated row, incorrect results could
      be obtained.
     
Fix planner failures with overlapping mergejoin clauses in an outer join (Tom Lane)
These mistakes led to “left and right pathkeys do not match in mergejoin” or “outer pathkeys do not match mergeclauses” planner errors in corner cases.
      Repair pg_upgrade's failure to
      preserve relfrozenxid for materialized
      views (Tom Lane, Andres Freund)
     
      This oversight could lead to data corruption in materialized views
      after an upgrade, manifesting as “could not access status of
      transaction” or “found xmin from before
      relfrozenxid” errors.  The problem would be more likely to
      occur in seldom-refreshed materialized views, or ones that were
      maintained only with REFRESH MATERIALIZED VIEW
      CONCURRENTLY.
     
      If such corruption is observed, it can be repaired by refreshing the
      materialized view (without CONCURRENTLY).
     
      Fix incorrect reporting of PL/Python function names in
      error CONTEXT stacks (Tom Lane)
     
      An error occurring within a nested PL/Python function call (that is,
      one reached via a SPI query from another PL/Python function) would
      result in a stack trace showing the inner function's name twice,
      rather than the expected results.  Also, an error in a nested
      PL/Python DO block could result in a null pointer
      dereference crash on some platforms.
     
      Allow contrib/auto_explain's
      log_min_duration setting to range up
      to INT_MAX, or about 24 days instead of 35 minutes
      (Tom Lane)