Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
Release Notes
Release 7.4.8
Release date: 2005-05-09
This release contains a variety of fixes from 7.4.7, including several
security-related issues.
__________________________________________________________________
Migration to version 7.4.8
A dump/restore is not required for those running 7.4.X. However, it is
one possible way of handling two significant security problems that
have been found in the initial contents of 7.4.X system catalogs. A
dump/initdb/reload sequence using 7.4.8's initdb will automatically
correct these problems.
The larger security problem is that the built-in character set encoding
conversion functions can be invoked from SQL commands by unprivileged
users, but the functions were not designed for such use and are not
secure against malicious choices of arguments. The fix involves
changing the declared parameter list of these functions so that they
can no longer be invoked from SQL commands. (This does not affect their
normal use by the encoding conversion machinery.)
The lesser problem is that the "contrib/tsearch2" module creates
several functions that are misdeclared to return internal when they do
not accept internal arguments. This breaks type safety for all
functions using internal arguments.
It is strongly recommended that all installations repair these errors,
either by initdb or by following the manual repair procedures given
below. The errors at least allow unprivileged database users to crash
their server process, and may allow unprivileged users to gain the
privileges of a database superuser.
While here, fix postgresql74-client package installation on 2.0
(broken -X), and avoid the need for gtar in tcl-postgresql74.
|
|
USE_GNU_TOOLS -> USE_TOOLS
awk -> gawk
m4 -> gm4
make -> gmake
sed -> gsed
yacc -> bison
|
|
|
|
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/pl/plpgsql/src/gram.y.diff?r1=1.64.4.1&r2=1.64.4.2
to fix CAN-2005-0247 for postgresql74
Bump PKGREVISION on postgresql74-lib
|
|
|
|
|
|
Changes
* Disallow "LOAD" to non-superusers
On platforms that will automatically execute initialization
functions of a shared library (this includes at least Windows and
ELF-based Unixen), "LOAD" can be used to make the server execute
arbitrary code. Thanks to NGS Software for reporting this.
* Check that creator of an aggregate function has the right to
execute the specified transition functions
This oversight made it possible to bypass denial of EXECUTE
permission on a function.
* Fix security and 64-bit issues in contrib/intagg
* Add needed STRICT marking to some contrib functions (Kris Jurka)
* Avoid buffer overrun when plpgsql cursor declaration has too many
parameters (Neil)
* Fix planning error for FULL and RIGHT outer joins
The result of the join was mistakenly supposed to be sorted the
same as the left input. This could not only deliver mis-sorted
output to the user, but in case of nested merge joins could give
outright wrong answers.
* Fix plperl for quote marks in tuple fields
* Fix display of negative intervals in SQL and GERMAN datestyles
* Make age(timestamptz) do calculation in local timezone not GMT
|
|
recently discovered LOAD vulnerability.
|
|
using libltdl. (This could provide even more portability in the future.)
|
|
|
|
applied globally now.
|
|
poll.h or provide the required #defines elsewhere.
|
|
PostgreSQL configure/build infrastructure tries very hard to separate
rpath flags from other LDFLAGS, which is completely unnecessary in
pkgsrc since the wrapper scripts are smart enough to deal with it on
their own. In this case, the GNU configure script was stripping out
the rpath to libperl.so when setting perl_embed_ldflags, so modify
the configure script to not do this.
Also re-enable this package since it's possible to load the plperl.so
language module again. I tested this with:
createdb foo
createlang -d foo plperl
|
|
|
|
only pass only the -L* LDFLAGS to the linker. This is correct for
pkgsrc since the wrapper scripts take care of correctly passing the
rpath info to the linker, so we don't need to filter those out. This
allows plpgsql.so to find libintl.so if we are using the pkgsrc version
of it. Bump the PKGREVISION of postgresql*-lib to 7.3.8nb1 and
7.4.6nb2.
Link the postgres binary with the necessary flags to allow it to
dlopen() modules that use pthreads[*]. This should allow postgres to
open a plperl.so module built on a system with perl+threads. Bump
the PKGREVISION of postgresql*-server to 7.3.8nb2 and 7.4.6nb2.
[*] Note that this behavior can be tweaked globally by setting
DLOPEN_REQUIRE_PTHREADS to "yes" or "no" in /etc/mk.conf.
|
|
as well as the bulk build for py-postgresql.
Note that the man page is still built and installed by -client. That's
a trickier problem.
|
|
|
|
* A vulnerability exists due to the insecure creation of temporary files,
which could possibly let a malicious user overwrite arbitrary files
* Repair possible failure to update hint bits on disk
Under rare circumstances this oversight could lead to "could not access
transaction status" failures, which qualifies it as a potential-data-loss bug.
|
|
|
|
to 7.4.5
pointed out by Greg Troxel in private e-mail
|
|
archs. This fixes support for dynamic loading on mips, and adresses
PR pkg/25473 by Byron Servies.
|
|
in PR pkg/23349 by Michal Pasternak.
|
|
Dump/restore is not necessary for 7.4.x users.
Changes in 7.4.5:
* Repair possible crash during concurrent btree index insertions
This patch fixes a rare case in which concurrent insertions into a
btree index could result in a server panic. No permanent damage
would result, but it's still worth a re-release. The bug does not
exist in pre-7.4 releases.
Changes in 7.4.4:
* Prevent possible loss of committed transactions during crash
Due to insufficient interlocking between transaction commit and
checkpointing, it was possible for transactions committed just
before the most recent checkpoint to be lost, in whole or in part,
following a database crash and restart. This is a serious bug that
has existed since PostgreSQL 7.1.
* Check HAVING restriction before evaluating result list of an
aggregate plan
* Avoid crash when session's current userID is deleted
* Fix hashed crosstab for zero-rows case (Joe)
* Force cache update after renaming a column in a foreign key
* Pretty-print UNION queries correctly
* Make psql handle \r\n newlines properly in COPY IN
* pg_dump handled ACLs with grant options incorrectly
* Fix thread support for OS X and Solaris
* Updated JDBC driver (build 215) with various fixes
* ECPG fixes
* Translation updates (various contributors)
|
|
'-*' instead of '-[0-9]*'. Otherwise postsgreql74-lib-whatever can be
incorrectly installed alongside postgresql73-lib-whatever because the latter
does not match 'postgresql73-[0-9]*'.
|
|
|
|
native libedit.
Bump PKGREVISION to 1 to propagate the change.
|
|
|
|
changes:
* Fix temporary memory leak when using non-hashed aggregates (Tom)
* ECPG fixes, including some for Informix compatibility (Michael)
* Fixes for compiling with thread-safety, particularly Solaris (Bruce)
* Fix error in COPY IN termination when using the old network
protocol (ljb)
* Several important fixes in pg_autovacuum (Matthew T. O'Connor)
* Fix problem with reading tar-format dumps on NetBSD and BSD/OS (Bruce)
* Several JDBC fixes
* Fix ALTER SEQUENCE RESTART where last_value equals the restart
value (Tom)
* Repair failure to recalculate nested sub-selects (Tom)
* Fix problems with non-constant expressions in LIMIT/OFFSET
* Support FULL JOIN with no join clause, such as X FULL JOIN Y ON
TRUE (Tom)
* Fix another zero-column table bug (Tom)
* Improve handling of non-qualified identifiers in GROUP BY clauses
in sub-selects (Tom)
* Do not generate "NATURAL CROSS JOIN" when decompiling rules (Tom)
* Add checks for invalid field length in binary COPY (Tom)
* Avoid locking conflict between ANALYZE and LISTEN/NOTIFY
* Numerous translation updates (various contributors)
|
|
package in bulk build.
|
|
_LOCALEDIR definition. fixes PR pkg/25923.
|
|
the configure script. Let's play safe and use '\s+'. Should fix PR 25923
by jmmv.
|
|
Makefiles) by using SUBST_SED instead of USE_PKGLOCALEDIR.
partially fixes install on Solaris.
|
|
|
|
|
|
|
|
with --enable-thread-safety.
Bump PKGREVISIONs accordingly (meta-pkg, -client, -lib).
|
|
to share/doc/html/postgresql.
|
|
meta-package
PostgreSQL is a robust, next-generation, Object-Relational DBMS (ORDBMS),
derived from the Berkeley Postgres database management system. While
PostgreSQL retains the powerful object-relational data model, rich data types
and easy extensibility of Postgres, it replaces the PostQuel query language
with an extended subset of SQL.
PostgreSQL is free and the complete source is available.
This is the meta-package for the PostgreSQL database system.
|