PostgreSQL

PostgreSQL: Weekly Recap - Security Fixes and Performance Diagnostics

PostgreSQL development this week focused on critical security fixes for logical replication and temporary table access, alongside enhanced TSC timing diagnostics and several bug fixes across core functionality.

Duration: 2 minutes 27 seconds

https://podlog.io/listen/postgresql-9847372b/episode/postgresql-weekly-recap-security-fixes-and-performance-diagnostics-f174ae62

Transcript

Good morning. This is your PostgreSQL weekly recap for May 10th through 17th, 2026.

Zero pull requests were merged, with 30 additional commits this week, reflecting focused development on security and reliability improvements.

Starting with security fixes: Noah Misch addressed a critical vulnerability in logical replication where malicious publishers could trigger heap out-of-bounds reads. The fix replaces assertions with proper error reporting for column count mismatches between RELATION and tuple messages. This has been backpatched through version 14.

Alexander Korotkov resolved a significant security issue where superusers could access other sessions' temporary tables through the streaming I/O path introduced in recent versions. The fix adds proper RELATION_IS_OTHER_TEMP checks at three buffer manager entry points, ensuring consistent access controls across all code paths.

On the performance front, Andres Freund enhanced pg_test_timing with additional TSC clock source debugging information. This improvement helps diagnose timing-related issues by showing TSC frequency data sources and warning when calibration differs significantly from actual frequencies.

Several targeted fixes were also committed this week. Masahiko Sawada corrected attribute mapping for COPY TO operations on partitioned tables, fixing an incorrect mapping direction that affected tuple output. Etsuro Fujita resolved a postgres_fdw issue where column names containing quotes or backslashes caused syntax errors during stats import queries.

Michael Paquier addressed jsonpath .split_part() method handling in silent mode, switching to safe numeric conversion functions to prevent hard failures. The same developer also restored regression tests for ltree and intarray extensions with improved portability for low stack depth environments.

Additional maintenance included Jeff Davis reverting a problematic locale API change that interfered with development tooling, and Álvaro Herrera improving error message consistency in REPACK operations.

Next week, expect continued focus on stability improvements as the development cycle progresses toward the next release milestone.

That's your PostgreSQL weekly recap. Stay tuned for next week's developments.