New security/bug fix microreleases: 8.1.18, 8.3.8

Karmic is already fixed, I uploaded the new version to sid and synced:

postgresql-8.3 | 8.3.8-1 | karmic/universe | source, amd64, i386

No regression reports until now, for about a week.

I prepared all updates and put them to:

  http://people.canonical.com/~pitti/tmp/postgresql-430544/

They pass the upstream regression tests (run during package build) and the integration tests (from postgresql-common) in all releases. I will re-run the integration tests with the actual .debs which will be published once they hit -proposed.

Now I assume that they need to be uploaded to https://launchpad.net/~ubuntu-security-proposed/+archive/ppa and then copied to -proposed. For that I assume the security team has to re-sign the .changes with their key and upload?

Please advise how to continue. Thanks!

I'll sign and upload. Thanks Martin!

Martin,

These have now been uploaded to https://launchpad.net/~ubuntu-security-proposed/+archive/ppa. Feel free to pocket copy them to -proposed when they finish building. If you need me to do it, let me know.

These have all been copied to proposed.

Accepted postgresql-8.1 into dapper-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Accepted postgresql-8.3 into hardy-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Accepted postgresql-8.3 into intrepid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Accepted postgresql-8.3 into jaunty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Just Upgraded on Jaunty,Intrepid, Hardy All upgrades went fine no errors
I'll setup a Dapper VM to test there too

I'll do more testing

I re-ran the postgresql-common integration test suite against the actual .debs from -proposed on all releases, all pass. Since they all built, they also passed the upstream regression tests on all architectures.

I consider this good to go.

Tested on Dapper, Upgrade went fine, no errors
basic tests no problems found

Leonel Nunez [2009-09-18 15:17 -0000]:
> Tested on Dapper, Upgrade went fine, no errors
> basic tests no problems found

Thanks, Leonel, for your testing feedback! Much appreciated.

This bug was fixed in the package postgresql-8.3 - 8.3.8-0ubuntu8.04

---------------
postgresql-8.3 (8.3.8-0ubuntu8.04) hardy-security; urgency=low

  * New upstream security/bug fix release: (LP: #430544)
    - Disallow "RESET ROLE" and "RESET SESSION AUTHORIZATION" inside
      security-definer functions. This covers a case that was missed in the
      previous patch that disallowed "SET ROLE" and "SET SESSION
      AUTHORIZATION" inside security-definer functions. [CVE-2007-6600]
    - Force WAL segment switch during pg_start_backup(). This avoids corner
      cases that could render a base backup unusable.
    - Make "LOAD" of an already-loaded loadable module into a no-op.
      Formerly, "LOAD" would attempt to unload and re-load the module,
      but this is unsafe and not all that useful.
    - Disallow empty passwords during LDAP authentication.
    - Fix handling of sub-SELECTs appearing in the arguments of an
      outer-level aggregate function.
    - Fix bugs associated with fetching a whole-row value from the output
      of a Sort or Materialize plan node.
    - Prevent synchronize_seqscans from changing the results of
      scrollable and WITH HOLD cursors.
    - Revert planner change that disabled partial-index and constraint
      exclusion optimizations when there were more than 100 clauses in an
      AND or OR list.
    - Fix hash calculation for data type interval. This corrects wrong results
      for hash joins on interval values. It also changes the contents of hash
      indexes on interval columns. If you have any such indexes, you must
      "REINDEX" them after updating.
    - Treat to_char(..., 'TH') as an uppercase ordinal suffix with
      'HH'/'HH12'. It was previously handled as 'th' (lowercase).
    - Fix overflow for INTERVAL 'x ms' when "x" is more than 2 million
      and integer datetimes are in use.
    - Fix calculation of distance between a point and a line segment.
      This led to incorrect results from a number of geometric operators.
    - Fix money data type to work in locales where currency amounts have
      no fractional digits, e.g. Japan.
    - Fix LIKE for case where pattern contains %_.
    - Properly round datetime input like 00:12:57.9999999999999999999999999999.
    - Fix memory leaks in XML operations.
    - Fix poor choice of page split point in GiST R-tree operator classes.
    - Ensure that a "fast shutdown" request will forcibly terminate open
      sessions, even if a "smart shutdown" was already in progress.
    - Avoid performance degradation in bulk inserts into GIN indexes when
      the input values are (nearly) in sorted order.
    - Correctly enforce NOT NULL domain constraints in some contexts in
      PL/pgSQL.
    - Fix portability issues in plperl initialization.
    - Fix pg_ctl to not go into an infinite loop if "postgresql.conf" is
      empty.
    - Improve pg_dump's efficiency when there are many large objects.
    - Use SIGUSR1, not SIGQUIT, as the failover signal for pg_standby.
    - Make pg_standby's maxretries option behave as documented.
    - Make "contrib/hstore" throw an error when a key or value is too
      long to fit in its data structure, rather tha...

This bug was fixed in the package postgresql-8.3 - 8.3.8-0ubuntu8.10

---------------
postgresql-8.3 (8.3.8-0ubuntu8.10) intrepid-security; urgency=low

  * New upstream security/bug fix release: (LP: #430544)
    - Disallow "RESET ROLE" and "RESET SESSION AUTHORIZATION" inside
      security-definer functions. This covers a case that was missed in the
      previous patch that disallowed "SET ROLE" and "SET SESSION
      AUTHORIZATION" inside security-definer functions. [CVE-2007-6600]
    - Force WAL segment switch during pg_start_backup(). This avoids corner
      cases that could render a base backup unusable.
    - Make "LOAD" of an already-loaded loadable module into a no-op.
      Formerly, "LOAD" would attempt to unload and re-load the module,
      but this is unsafe and not all that useful.
    - Disallow empty passwords during LDAP authentication.
    - Fix handling of sub-SELECTs appearing in the arguments of an
      outer-level aggregate function.
    - Fix bugs associated with fetching a whole-row value from the output
      of a Sort or Materialize plan node.
    - Prevent synchronize_seqscans from changing the results of
      scrollable and WITH HOLD cursors.
    - Revert planner change that disabled partial-index and constraint
      exclusion optimizations when there were more than 100 clauses in an
      AND or OR list.
    - Fix hash calculation for data type interval. This corrects wrong results
      for hash joins on interval values. It also changes the contents of hash
      indexes on interval columns. If you have any such indexes, you must
      "REINDEX" them after updating.
    - Treat to_char(..., 'TH') as an uppercase ordinal suffix with
      'HH'/'HH12'. It was previously handled as 'th' (lowercase).
    - Fix overflow for INTERVAL 'x ms' when "x" is more than 2 million
      and integer datetimes are in use.
    - Fix calculation of distance between a point and a line segment.
      This led to incorrect results from a number of geometric operators.
    - Fix money data type to work in locales where currency amounts have
      no fractional digits, e.g. Japan.
    - Fix LIKE for case where pattern contains %_.
    - Properly round datetime input like 00:12:57.9999999999999999999999999999.
    - Fix memory leaks in XML operations.
    - Fix poor choice of page split point in GiST R-tree operator classes.
    - Ensure that a "fast shutdown" request will forcibly terminate open
      sessions, even if a "smart shutdown" was already in progress.
    - Avoid performance degradation in bulk inserts into GIN indexes when
      the input values are (nearly) in sorted order.
    - Correctly enforce NOT NULL domain constraints in some contexts in
      PL/pgSQL.
    - Fix portability issues in plperl initialization.
    - Fix pg_ctl to not go into an infinite loop if "postgresql.conf" is
      empty.
    - Improve pg_dump's efficiency when there are many large objects.
    - Use SIGUSR1, not SIGQUIT, as the failover signal for pg_standby.
    - Make pg_standby's maxretries option behave as documented.
    - Make "contrib/hstore" throw an error when a key or value is too
      long to fit in its data structure, rather ...

This bug was fixed in the package postgresql-8.3 - 8.3.8-0ubuntu9.04

---------------
postgresql-8.3 (8.3.8-0ubuntu9.04) jaunty-security; urgency=low

  * New upstream security/bug fix release: (LP: #430544)
    - Disallow "RESET ROLE" and "RESET SESSION AUTHORIZATION" inside
      security-definer functions. This covers a case that was missed in the
      previous patch that disallowed "SET ROLE" and "SET SESSION
      AUTHORIZATION" inside security-definer functions. [CVE-2007-6600]
    - Force WAL segment switch during pg_start_backup(). This avoids corner
      cases that could render a base backup unusable.
    - Make "LOAD" of an already-loaded loadable module into a no-op.
      Formerly, "LOAD" would attempt to unload and re-load the module,
      but this is unsafe and not all that useful.
    - Disallow empty passwords during LDAP authentication.
    - Fix handling of sub-SELECTs appearing in the arguments of an
      outer-level aggregate function.
    - Fix bugs associated with fetching a whole-row value from the output
      of a Sort or Materialize plan node.
    - Prevent synchronize_seqscans from changing the results of
      scrollable and WITH HOLD cursors.
    - Revert planner change that disabled partial-index and constraint
      exclusion optimizations when there were more than 100 clauses in an
      AND or OR list.
    - Fix hash calculation for data type interval. This corrects wrong results
      for hash joins on interval values. It also changes the contents of hash
      indexes on interval columns. If you have any such indexes, you must
      "REINDEX" them after updating.
    - Treat to_char(..., 'TH') as an uppercase ordinal suffix with
      'HH'/'HH12'. It was previously handled as 'th' (lowercase).
    - Fix overflow for INTERVAL 'x ms' when "x" is more than 2 million
      and integer datetimes are in use.
    - Fix calculation of distance between a point and a line segment.
      This led to incorrect results from a number of geometric operators.
    - Fix money data type to work in locales where currency amounts have
      no fractional digits, e.g. Japan.
    - Fix LIKE for case where pattern contains %_.
    - Properly round datetime input like 00:12:57.9999999999999999999999999999.
    - Fix memory leaks in XML operations.
    - Fix poor choice of page split point in GiST R-tree operator classes.
    - Ensure that a "fast shutdown" request will forcibly terminate open
      sessions, even if a "smart shutdown" was already in progress.
    - Avoid performance degradation in bulk inserts into GIN indexes when
      the input values are (nearly) in sorted order.
    - Correctly enforce NOT NULL domain constraints in some contexts in
      PL/pgSQL.
    - Fix portability issues in plperl initialization.
    - Fix pg_ctl to not go into an infinite loop if "postgresql.conf" is
      empty.
    - Improve pg_dump's efficiency when there are many large objects.
    - Use SIGUSR1, not SIGQUIT, as the failover signal for pg_standby.
    - Make pg_standby's maxretries option behave as documented.
    - Make "contrib/hstore" throw an error when a key or value is too
      long to fit in its data structure, rather th...

http://www.ubuntu.com/usn/usn-834-1