Branches for Edgy

Name Status Last Modified Last Commit
lp:ubuntu/edgy/postgresql-8.1 1 Development 2009-09-29 09:28:43 UTC
16. * debian/control: Update libpq4 packa...

Author: Martin Pitt
Revision Date: 2006-09-27 22:53:23 UTC

* debian/control: Update libpq4 package description, point out that it is
  only compatible for servers up to 8.1 (8.2 got a new libpq soname).
* Add debian/patches/08-unnecessary-libs.patch: Remove all unnecessary -lfoo
  library references from Makefiles to clean up unnecessary library
  dependencies. Thanks to Christian Aichinger for his neat checklib system!

lp:ubuntu/edgy-proposed/postgresql-8.1 1 Development 2009-07-31 19:27:42 UTC
23. * New upstream security/bugfix releas...

Author: Martin Pitt
Revision Date: 2008-01-05 19:39:17 UTC

* New upstream security/bugfix release:
  - Prevent functions in indexes from executing with the privileges of
    the user running "VACUUM", "ANALYZE", etc. "SET ROLE" is now forbidden
    within a SECURITY DEFINER context. [CVE-2007-6600]
  - Suitably crafted regular-expression patterns could cause crashes,
    infinite or near-infinite looping, and/or massive memory
    consumption, all of which pose denial-of-service hazards for
    applications that accept regex search patterns from untrustworthy
    sources. [CVE-2007-4769, CVE-2007-4772, CVE-2007-6067]
  - Require non-superusers who use "/contrib/dblink" to use only
    password authentication, as a security measure.
    The fix that appeared for this in 8.2.5 was incomplete, as it
    plugged the hole for only some "dblink" functions. [CVE-2007-6601,
    CVE-2007-3278]
  - Fix planner failure in some cases of WHERE false AND var IN (SELECT
    ...).
  - Preserve the tablespace and storage parameters of indexes that are
    rebuilt by "ALTER TABLE ... ALTER COLUMN TYPE".
  - Make archive recovery always start a new WAL timeline, rather than
    only when a recovery stop time was used. This avoids a corner-case risk
    of trying to overwrite an existing archived copy of the last WAL
    segment, and seems simpler and cleaner than the original definition.
  - Make "VACUUM" not use all of maintenance_work_mem when the table is
    too small for it to be useful.
  - Fix potential crash in translate() when using a multibyte database
    encoding.
  - Fix overflow in extract(epoch from interval) for intervals
    exceeding 68 years.
  - Fix PL/Perl to not fail when a UTF-8 regular expression is used in
    a trusted function.
  - Fix PL/Python to not crash on long exception messages.
  - Fix pg_dump to correctly handle inheritance child tables that have
    default expressions different from their parent's.
  - Fix libpq crash when PGPASSFILE refers to a file that is not a
    plain file.
  - ecpg parser fixes.
  - Make "contrib/tablefunc"'s crosstab() handle NULL rowid as a
    category in its own right, rather than crashing.
  - Fix tsvector and tsquery output routines to escape backslashes
    correctly.
  - Fix crash of to_tsvector() on huge input strings.
* Use the timezone database from the system tzdata instead of shipping our
  own.
  - debian/patches/04-timezone-symlinks.patch: Drop previous
    hardlink-to-symlink patch to zic, since that is irrelevant now. Replace
    the patch with a Makefile change that just symlinks /usr/share/zoneinfo
    to where postgresql previously installed its own tzdata copy.
  - debian/control: Add tzdata dependency.
  - debian/postgresql-8.1.install: Install the 'timezone' symlink, not the
    files in the dereferenced directory.
  - debian/postgresql-8.1.postinst: Replace the timezone directory with the
    symlink on upgrades, since dpkg does not do that automatically. Without
    this, we'd end up with an empty timezone directory.

lp:ubuntu/edgy-security/postgresql-8.1 1 Development 2009-07-31 19:27:18 UTC
22. * New upstream security/bugfix releas...

Author: Martin Pitt
Revision Date: 2008-01-05 19:39:17 UTC

* New upstream security/bugfix release:
  - Prevent functions in indexes from executing with the privileges of
    the user running "VACUUM", "ANALYZE", etc. "SET ROLE" is now forbidden
    within a SECURITY DEFINER context. [CVE-2007-6600]
  - Suitably crafted regular-expression patterns could cause crashes,
    infinite or near-infinite looping, and/or massive memory
    consumption, all of which pose denial-of-service hazards for
    applications that accept regex search patterns from untrustworthy
    sources. [CVE-2007-4769, CVE-2007-4772, CVE-2007-6067]
  - Require non-superusers who use "/contrib/dblink" to use only
    password authentication, as a security measure.
    The fix that appeared for this in 8.2.5 was incomplete, as it
    plugged the hole for only some "dblink" functions. [CVE-2007-6601,
    CVE-2007-3278]
  - Fix planner failure in some cases of WHERE false AND var IN (SELECT
    ...).
  - Preserve the tablespace and storage parameters of indexes that are
    rebuilt by "ALTER TABLE ... ALTER COLUMN TYPE".
  - Make archive recovery always start a new WAL timeline, rather than
    only when a recovery stop time was used. This avoids a corner-case risk
    of trying to overwrite an existing archived copy of the last WAL
    segment, and seems simpler and cleaner than the original definition.
  - Make "VACUUM" not use all of maintenance_work_mem when the table is
    too small for it to be useful.
  - Fix potential crash in translate() when using a multibyte database
    encoding.
  - Fix overflow in extract(epoch from interval) for intervals
    exceeding 68 years.
  - Fix PL/Perl to not fail when a UTF-8 regular expression is used in
    a trusted function.
  - Fix PL/Python to not crash on long exception messages.
  - Fix pg_dump to correctly handle inheritance child tables that have
    default expressions different from their parent's.
  - Fix libpq crash when PGPASSFILE refers to a file that is not a
    plain file.
  - ecpg parser fixes.
  - Make "contrib/tablefunc"'s crosstab() handle NULL rowid as a
    category in its own right, rather than crashing.
  - Fix tsvector and tsquery output routines to escape backslashes
    correctly.
  - Fix crash of to_tsvector() on huge input strings.
* Use the timezone database from the system tzdata instead of shipping our
  own.
  - debian/patches/04-timezone-symlinks.patch: Drop previous
    hardlink-to-symlink patch to zic, since that is irrelevant now. Replace
    the patch with a Makefile change that just symlinks /usr/share/zoneinfo
    to where postgresql previously installed its own tzdata copy.
  - debian/control: Add tzdata dependency.
  - debian/postgresql-8.1.install: Install the 'timezone' symlink, not the
    files in the dereferenced directory.
  - debian/postgresql-8.1.postinst: Replace the timezone directory with the
    symlink on upgrades, since dpkg does not do that automatically. Without
    this, we'd end up with an empty timezone directory.

lp:ubuntu/edgy-updates/postgresql-8.1 1 Development 2009-07-31 19:28:04 UTC
22. * New upstream security/bugfix releas...

Author: Martin Pitt
Revision Date: 2008-01-05 19:39:17 UTC

* New upstream security/bugfix release:
  - Prevent functions in indexes from executing with the privileges of
    the user running "VACUUM", "ANALYZE", etc. "SET ROLE" is now forbidden
    within a SECURITY DEFINER context. [CVE-2007-6600]
  - Suitably crafted regular-expression patterns could cause crashes,
    infinite or near-infinite looping, and/or massive memory
    consumption, all of which pose denial-of-service hazards for
    applications that accept regex search patterns from untrustworthy
    sources. [CVE-2007-4769, CVE-2007-4772, CVE-2007-6067]
  - Require non-superusers who use "/contrib/dblink" to use only
    password authentication, as a security measure.
    The fix that appeared for this in 8.2.5 was incomplete, as it
    plugged the hole for only some "dblink" functions. [CVE-2007-6601,
    CVE-2007-3278]
  - Fix planner failure in some cases of WHERE false AND var IN (SELECT
    ...).
  - Preserve the tablespace and storage parameters of indexes that are
    rebuilt by "ALTER TABLE ... ALTER COLUMN TYPE".
  - Make archive recovery always start a new WAL timeline, rather than
    only when a recovery stop time was used. This avoids a corner-case risk
    of trying to overwrite an existing archived copy of the last WAL
    segment, and seems simpler and cleaner than the original definition.
  - Make "VACUUM" not use all of maintenance_work_mem when the table is
    too small for it to be useful.
  - Fix potential crash in translate() when using a multibyte database
    encoding.
  - Fix overflow in extract(epoch from interval) for intervals
    exceeding 68 years.
  - Fix PL/Perl to not fail when a UTF-8 regular expression is used in
    a trusted function.
  - Fix PL/Python to not crash on long exception messages.
  - Fix pg_dump to correctly handle inheritance child tables that have
    default expressions different from their parent's.
  - Fix libpq crash when PGPASSFILE refers to a file that is not a
    plain file.
  - ecpg parser fixes.
  - Make "contrib/tablefunc"'s crosstab() handle NULL rowid as a
    category in its own right, rather than crashing.
  - Fix tsvector and tsquery output routines to escape backslashes
    correctly.
  - Fix crash of to_tsvector() on huge input strings.
* Use the timezone database from the system tzdata instead of shipping our
  own.
  - debian/patches/04-timezone-symlinks.patch: Drop previous
    hardlink-to-symlink patch to zic, since that is irrelevant now. Replace
    the patch with a Makefile change that just symlinks /usr/share/zoneinfo
    to where postgresql previously installed its own tzdata copy.
  - debian/control: Add tzdata dependency.
  - debian/postgresql-8.1.install: Install the 'timezone' symlink, not the
    files in the dereferenced directory.
  - debian/postgresql-8.1.postinst: Replace the timezone directory with the
    symlink on upgrades, since dpkg does not do that automatically. Without
    this, we'd end up with an empty timezone directory.
