Common to all versions:
* Change the server to reject invalidly-encoded multibyte characters
in all cases (Tatsuo, Tom)
While PostgreSQL has been moving in this
direction for some time, the checks are now applied uniformly to
all encodings and all textual input, and are now always errors not
merely warnings. This change defends against SQL-injection attacks
of the type described in CVE-2006-2313.
* Reject unsafe uses of \' in string literals
As a server-side
defense against SQL-injection attacks of the type described in
CVE-2006-2314, the server now only accepts '' and not \' as a
representation of ASCII single quote in SQL string literals. By
default, \' is rejected only when client_encoding is set to a
client-only encoding (SJIS, BIG5, GBK, GB18030, or UHC), which is
the scenario in which SQL injection is possible. A new
configuration parameter backslash_quote is available to adjust
this behavior when needed. Note that full security against
CVE-2006-2314 may require client-side changes; the purpose of
backslash_quote is in part to make it obvious that insecure clients
are insecure.
* Modify libpq's string-escaping routines to be aware of encoding
considerations
This fixes libpq-using applications for the
security issues described in CVE-2006-2313 and CVE-2006-2314.
Applications that use multiple PostgreSQL connections concurrently
should migrate to PQescapeStringConn() and PQescapeByteaConn() to
ensure that escaping is done correctly for the settings in use in
each database connection. Applications that do string escaping
"by hand" should be modified to rely on library routines instead.
* Fix some incorrect encoding conversion functions
win1251_to_iso,
alt_to_iso, euc_tw_to_big5, euc_tw_to_mic, mic_to_euc_tw were all
broken to varying extents.
* Clean up stray remaining uses of \' in strings (Bruce, Jan)
* Fix server to use custom DH SSL parameters correctly (Michael Fuhr)
* Fix various minor memory leaks
Additionally for 7.4.13 and later:
* Fix bug that sometimes caused OR'd index scans to miss rows they
should have returned
* Fix WAL replay for case where a btree index has been truncated
* Fix SIMILAR TO for patterns involving | (Tom)
* Fix for Bonjour on Intel Macs (Ashley Clark)
Additionally for 8.0.8 and 8.1.4:
* Fix SELECT INTO and CREATE TABLE AS to create tables in the
default tablespace, not the base directory (Kris Jurka)
* Fix problem with password prompting on some Win32 systems (Robert
Kinberg)
Additionally for 8.1.4:
* Fix weak key selection in pgcrypto (Marko Kreen)
Errors in fortuna PRNG reseeding logic could cause a predictable
session key to be selected by pgp_sym_encrypt() in some cases.
This only affects non-OpenSSL-using builds.
* Make autovacuum visible in pg_stat_activity (Alvaro)
* Disable full_page_writes (Tom)
In certain cases, having full_page_writes off would cause crash
recovery to fail. A proper fix will appear in 8.2; for now it's
just disabled.
* Various planner fixes, particularly for bitmap index scans and
MIN/MAX optimization (Tom)
* Fix incorrect optimization in merge join (Tom)
Outer joins could sometimes emit multiple copies of unmatched
rows.
* Fix crash from using and modifying a plpgsql function in the same
transaction
* Improve qsort performance (Dann Corbit)
Currently this code is only used on Solaris.
* Improve pg_dump's handling of default values for domains
* Fix pg_dumpall to handle identically-named users and groups
reasonably (only possible when dumping from a pre-8.1 server) (Tom)
The user and group will be merged into a single role with LOGIN
permission. Formerly the merged role wouldn't have LOGIN
permission, making it unusable as a user.
* Fix pg_restore -n to work as documented (Tom)
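The encoding items in the release notes above, as an added Python illustration (not code from PostgreSQL, libpq or this package): it contrasts encoding-unaware "by hand" escaping with escaping that validates the input and works on whole characters, using GBK as the client-only encoding. The function names, the simplified literal scanner and the sample bytes are assumptions constructed for this example.

```python
# Added illustration; sample byte strings are constructed, not taken from any advisory.
ENC = "gbk"  # one of the client-only encodings named in the release notes


def bytewise_escape(raw: bytes) -> bytes:
    """'By hand' escaping that ignores the encoding (the discouraged pattern)."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def encoding_aware_escape(raw: bytes, encoding: str = ENC) -> bytes:
    """Validate the input first, then escape whole characters and emit '' for a quote."""
    text = raw.decode(encoding)  # strict decode: invalid multibyte input raises
    return text.replace("\\", "\\\\").replace("'", "''").encode(encoding)


def text_after_literal(body: bytes, backslash_quote: bool, encoding: str = ENC) -> str:
    """Scan a literal body as an encoding-aware server would and return whatever
    follows the closing quote. Simplified model of a lexer, for illustration only."""
    chars = body.decode(encoding)
    i = 0
    while i < len(chars):
        nxt = chars[i + 1:i + 2]
        if chars[i] == "\\":
            if nxt == "'" and not backslash_quote:
                raise ValueError("unsafe use of \\' in a string literal")
            i += 2
        elif chars[i] == "'":
            if nxt != "'":
                return chars[i + 1:]
            i += 2
        else:
            i += 1
    raise ValueError("unterminated string literal")


# Constructed value: a valid GBK character whose second byte is 0x5C, then a quote.
VALUE = b"\xbf\x5c' TAIL"

if __name__ == "__main__":
    for name, escape in (("bytewise", bytewise_escape), ("aware", encoding_aware_escape)):
        leftover = text_after_literal(escape(VALUE) + b"'", backslash_quote=True)
        print(f"{name:9} leftover after literal: {leftover!r}")
```

An empty leftover means the whole value stayed inside the literal; the bytewise result is not caught by rejecting \' on the server, which is why the notes say client-side changes may be required.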
|
It might be needed to REINDEX indexes or textual columns for
the issues about plperl and locales in the 7.3.13 changes are
present. See the release documentation for further details.
Changes from 7.3.10 to 7.3.11:
- Fix error that allowed VACUUM to remove ctid chains too soon, and add
more checking in code that follows ctid links
- Fix CHAR() to properly pad spaces to the specified length when using a
multiple-byte character set (Yoshiyuki Asaba)
- Fix missing rows in queries like UPDATE a=... WHERE a... with GiST
index on column a
- Improve checking for partially-written WAL pages
- Improve robustness of signal handling when SSL is enabled
- Various memory leakage fixes
- Various portability improvements
- Fix PL/PgSQL to handle var := var correctly when the variable is of
pass-by-reference type
Changes from 7.3.11 to 7.3.12:
- Fix race condition in transaction log management
- /contrib/ltree fixes (Teodor)
- Fix longstanding planning error for outer joins
- Prevent core dump in pg_autovacuum when a table has been dropped
Changes from 7.3.12 to 7.3.13:
- Fix character string comparison for locales that consider different
character combinations as equal, such as Hungarian (Tom)
- Set locale environment variables during postmaster startup to ensure
that plperl won't change the locale later
- Fix longstanding bug in strpos() and regular expression handling in
certain rarely used Asian multi-byte character sets (Tatsuo)
- Fix bug in /contrib/pgcrypto gen_salt, which caused it not to use all
available salt space for MD5 and XDES algorithms (Marko Kreen, Solar
Designer)
- Fix /contrib/dblink to throw an error, rather than crashing, when the
number of columns specified is different from what's actually returned
by the query (Joe)
Changes from 7.3.13 to 7.3.14:
- Fix potential crash in SET SESSION AUTHORIZATION (CVE-2006-0553)
- Fix bug with row visibility logic in self-inserted rows (Tom)
- Fix race condition that could lead to "file already exists" errors
during pg_clog file creation (Tom)
- Fix to allow restoring dumps that have cross-schema references to
custom operators (Tom)
- Portability fix for testing presence of finite and isinf during
configure (Tom)
|
example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some
other changes are outlined in
http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html
|
Posted on 2005-05-12:
In order to address several security issues identified over the past two
weeks, as well as one "low probability" race condition, we are releasing new
versions of PostgreSQL as far back as the 7.2.x branch.
Please note that the security issues were those already reported by Tom Lane,
as well as a manual fix for them. These releases are mainly to ensure that
those installing and/or upgrading existing installations have those fixes
automatically.
For details on the fixes, please see the HISTORY file included in the Release,
but a summary consists of:
* Change encoding function signature to prevent misuse
* Change "contrib/tsearch2" to avoid unsafe use of INTERNAL function results
* Repair race condition between relation extension and VACUUM
This could
theoretically have caused loss of a page's worth of freshly-inserted data,
although the scenario seems of very low probability. There are no known
cases of it having caused more than an Assert failure.
|
* A vulnerability exists due to the insecure creation of temporary files,
which could possibly let a malicious user overwrite arbitrary files
* Repair possible failure to update hint bits on disk
Under rare circumstances this oversight could lead to "could not access
transaction status" failures, which qualifies it as a potential-data-loss bug.
|
Bump PKGREVISION.
|
PostgreSQL is a robust, next-generation, Object-Relational DBMS (ORDBMS),
derived from the Berkeley Postgres database management system. While
PostgreSQL retains the powerful object-relational data model, rich data types
and easy extensibility of Postgres, it replaces the PostQuel query language
with an extended subset of SQL.
PostgreSQL is free and the complete source is available.
This package contains the database documentation.
|