What's New in v19.2.2

This version of CockroachDB is no longer supported. For more details, see the Release Support Policy.

December 16, 2019

This page lists additions and changes in v19.2.2 since v19.2.1.


A denial-of-service (DoS) vulnerability is present in CockroachDB v19.2.0 - v19.2.11 due to a bug in protobuf. This is resolved in CockroachDB v19.2.12 and later releases. When upgrading is not an option, users should audit their network configuration to verify that the CockroachDB HTTP port is not available to untrusted clients. We recommend blocking the HTTP port behind a firewall.

For more information, including other affected versions, see Technical Advisory 58932.


Cockroach Labs has discovered a bug relating to incremental backups, for CockroachDB v19.2.0 - v19.2.12. If a backup coincides with an in-progress index creation (backfill), RESTORE, or IMPORT, it is possible that a subsequent incremental backup will not include all of the indexed, restored or imported data.

Users are advised to upgrade to v20.1.15 or v20.2.8 or later, which includes resolutions.

For more information, including other affected versions, see Technical Advisory 63162.

Get future release notes emailed to you:


Docker image

$ docker pull cockroachdb/cockroach:v19.2.2

Security updates

  • CockroachDB previously allowed non-authenticated access to privileged HTTP endpoints like /_admin/v1/events, which operate using root user permissions and can thus access (and sometimes modify) any and all data in the cluster. This security vulnerability has been patched by disallowing non-authenticated access to these endpoints and restricting access to admin users only.


    Users who have built monitoring automation using these HTTP endpoints must modify their automation to work using an HTTP session token for an admin user.

  • Some Admin UI screens (e.g., Jobs) were previously incorrectly displayed using root user permissions, regardless of the logged-in user's credentials. This enabled insufficiently privileged users to access privileged information. This security vulnerability has been patched by using the credentials of the logged-in user to display all Admin UI screens.

  • Privileged HTTP endpoints and certain Admin UI screens require an admin user. However, root is disallowed from logging in via HTTP and it is not possible to create additional admin accounts without an Enterprise license. This is further discussed here and will be addressed in an upcoming patch revision.


    Users without an Enterprise license can create an additional admin user using a temporary evaluation license, until an alternative is available. A user created this way will persist beyond the license expiry.

  • Some Admin UI screens currently display an error or a blank page when viewed by a non-admin user (e.g., Table Details). This is a known limitation mistakenly introduced by the changes described above. This situation is discussed further here and will be addressed in an upcoming patch revision. The list of UI pages affected includes but is not limited to:

    • Job details
    • Database details
    • Table details
    • Zone configurations

    Users can access these Admin UI screens using an admin user until a fix is available.

The list of HTTP endpoints affected by the first change above includes:

HTTP Endpoint Description Sensitive information revealed Special (see below)
/_admin/v1/data_distribution Database-table-node mapping Database and table names
/_admin/v1/databases/{database}/tables/{table}/stats Table stats histograms Stored table data via PK values
/_admin/v1/drain API to shut down a node Can cause DoS on cluster
/_admin/v1/enqueue_range Force range rebalancing Can cause DoS on cluster
/_admin/v1/events Event log Usernames, stored object names, privilege mappings
/_admin/v1/nontablestats Non-table statistics Stored table data via PK values
/_admin/v1/rangelog Range log Stored table data via PK values
/_admin/v1/settings Cluster settings Organization name
/_status/allocator/node/{node_id} Rebalance simulator Can cause DoS on cluster yes
/_status/allocator/range/{range_id} Rebalance simulatoor Can cause DoS on cluster yes
/_status/certificates/{node_id} Node and user certificates Credentials
/_status/details/{node_id} Node details Internal IP addresses
/_status/enginestats/{node_id} Storage statistics Operational details
/_status/files/{node_id} Retrieve heap and goroutine dumps Operational details yes
/_status/gossip/{node_id} Gossip details Internal IP addresses yes
/_status/hotranges Ranges with active requests Stored table data via PK values
/_status/local_sessions SQL sessions Cleartext SQL queries yes
/_status/logfiles/{node_id} List of log files Operational details yes
/_status/logfiles/{node_id}/{file} Server logs + entries Many: names, application data, credentials, etc. yes
/_status/logs/{node_id} Log entries Many: names, application data, credentials, etc. yes
/_status/profile/{node_id} Profiling data Operational details
/_status/raft Raft details Stored table data via PK values
/_status/range/{range_id} Range details Stored table data via PK values
/_status/ranges/{node_id} Range details Stored table data via PK values
/_status/sessions SQL sessions Cleartext SQL queries yes
/_status/span Statistics per key span Whether certain table rows exist
/_status/stacks/{node_id} Stack traces Application data, stored table data
/_status/stores/{node_id} Store details Operational details

"Special" endpoints are subject to the cluster setting server.remote_debugging.mode. Unless the setting was customized, clients are only able to connect from the same machine as the node.

General changes

  • Improved the consistency checker's log output. #42149
  • Nodes that have been terminated as the result of a failed consistency check now refuse to restart, making it more likely that the operator notices that there is a persistent issue in a timely manner. #42149
  • Client usernames can now be defined to start with a digit; in particular, all-digit usernames are now permitted. #42989
  • To curb the spread of corrupted data, outliers are now terminated when the replicas within a range are corrupted. Previously, the leaseholder replica would terminate, regardless of which replicas disagreed with each other. #42149

Enterprise edition changes

  • RESTORE now supports the restoration of empty databases. #42733

SQL language changes

  • Added the ability to run avg() over intervals. #42679
  • Some columns (typinput, typoutput, typreceive, typsend, typmodin, typmodout, typanalyze) in pg_type were incorrectly typed as OID instead of REGPROC. This issue has been resolved. #42784
  • It is now valid for SELECT and HAVING to refer to ungrouped columns in the special case when the grouped columns contain the primary key of the table containing the ungrouped column. #42694
  • It is now supported to specify selection target aliases as GROUP BY columns. Note that the FROM columns take precedence over the aliases, which are only used if there is no column with that name in the current scope. #42694
  • CockroachDB will now report a more accurate error message, hint, and error code if an error is encountered while adding a new column. #42530

Admin UI changes

  • Certain web UI pages (like the list of databases or tables) now restrict their content to match the privileges of the logged-in user. #42726
  • The event log now presents all cluster settings changes, unredacted, when an admin user uses the page. #42726
  • Customization of the UI by users is now only properly saved if the user has write privilege to system.ui (i.e., is an admin user). Also, all authenticated users share the same customizations. This is a known limitation and should be lifted in a future version. #42726
  • Access to table statistics are temporarily blocked from access by non-admin users until further notice, for security reasons. #42726
  • Certain debug pages have been blocked from non-admin users for security reasons. #42726

Bug fixes

  • The TIMESTAMP data type is now fully supported by the vectorized engine. Previously, an "unsupported type" error was thrown. #42576
  • Previously, casting the same type into two or more different precisions/widths from a table in the same SELECT query would result in only the first precision specified. For example, SELECT a::decimal(10, 3), a::decimal(10, 1) FROM t would return both results as a::decimal(10, 3). This PR fixes that behavior. #42578
  • Fixed a bug that would produce a spurious failure with the error message "incompatible COALESCE expressions" when adding or validating MATCH FULL foreign key constraints involving composite keys with columns of differing types. #42651
  • It is now possible to transfer range leases to lagging replicas. #42761
  • Long running transactions which attempt to TRUNCATE can now be pushed and will commit in cases where they previously failed or retried forever. #42772
  • Fixed a case in which CockroachDB incorrectly determined that a query (or part of a query) that contains an IS NULL constraint on a unique index column returns at most one row, possibly ignoring a LIMIT 1 clause. #42791
  • ALTER INDEX IF EXISTS no longer fails when using an unqualified index name that does not match any existing index. Now it is a no-op. #42838
  • Fixed a bug with incorrect handling of Top K sort by the vectorized engine when K is greater than 1024. #42843
  • Prevent internal error in some cases when a NULL literal is passed to the OVERLAPS operator #42878
  • Fixed a bug that caused rare crashes when using built-in functions. #42674
  • Other callers to acquireNodeLease now do not get erroneously cancelled just because the context of the first caller was cancelled. #42893
  • Changefeeds now emit backfill row updates for a dropped column when the table descriptor drops that column. #42669
  • Tables that are being restored or imported are no longer considered valid targets in backups and changefeeds. #42735
  • Fixed a bug where selecting columns by forcing an INTERLEAVING index would return an error instead of returning the correct results. #42901
  • CockroachDB now prevents a number of panics from the SQL layer caused by an invalid range split. These would usually manifest with messages containing encoding errors like "found null on not null column". #42859
  • Fixed the row count estimate during query planning for some queries with multiple predicates in which the selectivity of one predicate was calculated using a histogram. #42962
  • Previously, when executing a built-in function via the vectorized engine that returns an output type unsupported by the vectorized engine, CockroachDB could return an error instead of falling back to the row-by-row execution engine. This is now fixed. #42990
  • Empty arrays are now correctly encoded and decoded over the binary protocol. #42974
  • Fixed some existing caching issues surrounding role memberships, where users could sometimes see out-of-date role membership information. #43004
  • Previously, attempting to parse 0000-01-01 00:00 when involving time did not work as pgdate does not understand 0000 as a year. This is now fixed. #42918
  • The allocator now considers stores with very close diversity scores equal (all other things being the same) and doesn't attempt to rebalance. #43077
  • The allocator now considers the new store being added when looking for a target in the case of a rebalance. #43077
  • CockroachDB did not previously handle date casts from TIMESTAMP/TIMESTAMPZ with time attached for times before the UNIX epoch correctly. For example, '1969-12-30 01:00:00'::timestamp would round to '1969-12-31' instead of '1969-12-30'. This is now fixed. #43022
  • CockroachDB is now less likely to hang in an inconvenient or inoperative state if it attempts to access an external HTTP server that is blocked or overloaded. Nodes failing to shut down with cockroach quit were a symptom of this bug. #42539


This release includes 38 merged PRs by 24 authors. We would like to thank the following contributors from the CockroachDB community:

  • Adam Pantel (first-time contributor, CockroachDB team member)
  • Oliver Tan (first-time contributor, CockroachDB team member)
  • georgebuckerfield (first-time contributor)
YesYes NoNo