lp:ubuntu/dapper-security/postgresql-8.1
- Get this branch: bzr branch lp:ubuntu/dapper-security/postgresql-8.1
Branch information
- Owner: Ubuntu branches
- Status: Mature
Recent revisions
- 20. By Martin Pitt
-
* New upstream bug fix/security release: (LP: #496923)
- Protect against indirect security threats caused by index functions
changing session-local state. This change prevents allegedly-immutable
index functions from possibly subverting a superuser's session
(CVE-2009-4136).
- Reject SSL certificates containing an embedded null byte in the
common name (CN) field. This prevents unintended matching of a
certificate to a server or client name during SSL validation
(CVE-2009-4034).
- Fix possible crash during backend-startup-time cache initialization.
- Prevent signals from interrupting VACUUM at unsafe times.
- Fix possible crash due to integer overflow in hash table size
calculation.
- Fix very rare crash in inet/cidr comparisons.
- Ensure that shared tuple-level locks held by prepared transactions
are not ignored.
- Fix premature drop of temporary files used for a cursor that is
accessed within a subtransaction.
- Fix PAM password processing to be more robust. The previous code is
known to fail with the combination of the Linux pam_krb5 PAM module with
Microsoft Active Directory as the domain controller. It might have
problems elsewhere too, since it was making unjustified assumptions about
what arguments the PAM stack would pass to it.
- Fix processing of ownership dependencies during CREATE OR REPLACE
FUNCTION.
- Ensure that Perl arrays are properly converted to PostgreSQL arrays
when returned by a set-returning PL/Perl function.
This worked correctly already for non-set-returning functions.
- Fix rare crash in exception processing in PL/Python.
- Make the postmaster ignore any application_name parameter in
connection request packets, to improve compatibility with future
libpq versions.
- 19. By Martin Pitt
-
* New upstream bug fix/security release: (LP: #430544)
- Disallow "RESET ROLE" and "RESET SESSION AUTHORIZATION" inside
security-definer functions.
This covers a case that was missed in the previous patch that
disallowed "SET ROLE" and "SET SESSION AUTHORIZATION" inside
security-definer functions. (See CVE-2007-6600)
- Fix handling of sub-SELECTs appearing in the arguments of an
outer-level aggregate function.
- Fix hash calculation for data type interval.
This corrects wrong results for hash joins on interval values. It
also changes the contents of hash indexes on interval columns. If
you have any such indexes, you must "REINDEX" them after updating.
- Treat to_char(..., 'TH') as an uppercase ordinal suffix with
'HH'/'HH12'
It was previously handled as 'th' (lowercase).
- Fix overflow for INTERVAL 'x ms' when "x" is more than 2 million
and integer datetimes are in use.
- Fix calculation of distance between a point and a line segment.
This led to incorrect results from a number of geometric operators.
- Fix money data type to work in locales where currency amounts have
no fractional digits, e.g. Japan.
- Properly round datetime input like
00:12:57.9999999999999999999999999999
- Fix poor choice of page split point in GiST R-tree operator classes
- Fix portability issues in plperl initialization
- Fix pg_ctl to not go into an infinite loop if "postgresql.conf" is
empty
- Fix "contrib/xml2"'s xslt_process() to properly handle the maximum
number of parameters (twenty)
- Improve robustness of libpq's code to recover from errors during
"COPY FROM STDIN"
- Avoid including conflicting readline and editline header files when
both libraries are installed
- 17. By Martin Pitt
-
* New upstream security/bugfix release:
- Prevent functions in indexes from executing with the privileges of
the user running "VACUUM", "ANALYZE", etc. "SET ROLE" is now forbidden
within a SECURITY DEFINER context. [CVE-2007-6600]
- Suitably crafted regular-expression patterns could cause crashes,
infinite or near-infinite looping, and/or massive memory
consumption, all of which pose denial-of-service hazards for
applications that accept regex search patterns from untrustworthy
sources. [CVE-2007-4769, CVE-2007-4772, CVE-2007-6067]
- Require non-superusers who use "/contrib/dblink" to use only
password authentication, as a security measure.
The fix that appeared for this in 8.2.5 was incomplete, as it
plugged the hole for only some "dblink" functions. [CVE-2007-6601,
CVE-2007-3278]
- Fix planner failure in some cases of WHERE false AND var IN (SELECT
...).
- Preserve the tablespace and storage parameters of indexes that are
rebuilt by "ALTER TABLE ... ALTER COLUMN TYPE".
- Make archive recovery always start a new WAL timeline, rather than
only when a recovery stop time was used. This avoids a corner-case risk
of trying to overwrite an existing archived copy of the last WAL
segment, and seems simpler and cleaner than the original definition.
- Make "VACUUM" not use all of maintenance_work_mem when the table is
too small for it to be useful.
- Fix potential crash in translate() when using a multibyte database
encoding.
- Fix overflow in extract(epoch from interval) for intervals
exceeding 68 years.
- Fix PL/Perl to not fail when a UTF-8 regular expression is used in
a trusted function.
- Fix PL/Python to not crash on long exception messages.
- Fix pg_dump to correctly handle inheritance child tables that have
default expressions different from their parent's.
- Fix libpq crash when PGPASSFILE refers to a file that is not a
plain file.
- ecpg parser fixes.
- Make "contrib/tablefunc"'s crosstab() handle NULL rowid as a
category in its own right, rather than crashing.
- Fix tsvector and tsquery output routines to escape backslashes
correctly.
- Fix crash of to_tsvector() on huge input strings.
* Use the timezone database from the system tzdata instead of shipping our
own.
- debian/patches/04-timezone-symlinks.patch: Drop previous
hardlink-to-symlink patch to zic, since that is irrelevant now. Replace
the patch with a Makefile change that just symlinks /usr/share/zoneinfo
to where postgresql previously installed its own tzdata copy.
- debian/control: Add locales dependency (which contains tzdata in
dapper).
- debian/postgresql-8.1.install: Install the 'timezone' symlink, not the
files in the dereferenced directory.
- debian/postgresql-8.1.postinst: Replace the timezone directory with the
symlink on upgrades, since dpkg does not do that automatically. Without
this, we'd end up with an empty timezone directory.
- 16. By Martin Pitt
-
* New upstream security/bugfix release:
- Support explicit placement of the temporary-table schema within
search_path, and disable searching it for functions and operators.
This is needed to allow a security-definer function to set a truly
secure value of search_path. Without it, an unprivileged SQL user
can use temporary objects to execute code with the privileges of
the security-definer function (CVE-2007-2138). See "CREATE
FUNCTION" for more information.
- "/contrib/tsearch2" crash fixes.
- Require "COMMIT PREPARED" to be executed in the same database as
the transaction was prepared in.
- Fix potential-data-corruption bug in how "VACUUM FULL" handles
"UPDATE" chains.
- Planner fixes, including improving outer join and bitmap scan
selection logic.
- Fix PANIC during enlargement of a hash index (bug introduced in
8.1.6).
- Fix POSIX-style timezone specs to follow new USA DST rules.
- 14. By Martin Pitt
-
Add debian/patches/00upstream-zzz-sql-fun-typecheck-regression.patch: Fix
overzealous type checks in some cases. Closes: LP#83505
- 13. By Martin Pitt
-
* SECURITY UPDATE: Read out arbitrary memory locations from the server,
local DoS.
* Add debian/patches/00upstream-sql-fun-typecheck.patch:
- Repair insufficiently careful type checking for SQL-language functions.
Not only can one trivially crash the backend, but with appropriate
misuse of pass-by-reference datatypes it is possible to read out
arbitrary locations in the server process's memory, which could allow
retrieving database content the user should not be able to see.
- Discovered by Jeff Trout.
- Patch backported from 8.1.7 from CVS:
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/functions.c.diff?r1=1.98.2.2;r2=1.98.2.3
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/optimizer/util/clauses.c.diff?r1=1.201.2.1;r2=1.201.2.2
- CVE-2007-0555
* Add debian/patches/00upstream-table-plan-consistency.patch:
- Check that a table is still compatible with a previously made query
plan. Use of ALTER COLUMN TYPE creates a hazard for cached query plans:
they could contain vars that claim a column has a different type than it
now has. Not only can one trivially crash the backend, but with
appropriate misuse of pass-by-reference datatypes it is possible to read
out arbitrary locations in the server process's memory, which could allow
retrieving database content the user should not be able to see.
- Discovered by Jeff Trout.
- Patch backported from 8.1.7 from CVS:
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/commands/tablecmds.c.diff?r1=1.174.2.3;r2=1.174.2.4
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execQual.c.diff?r1=1.183.2.4;r2=1.183.2.5
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execScan.c.diff?r1=1.37.2.1;r2=1.37.2.2
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execUtils.c.diff?r1=1.126.2.3;r2=1.126.2.4
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeAgg.c.diff?r1=1.135.2.1;r2=1.135.2.2
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeGroup.c.diff?r1=1.62;r2=1.62.2.1
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeHashjoin.c.diff?r1=1.75.2.3;r2=1.75.2.4
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeMergejoin.c.diff?r1=1.75.2.2;r2=1.75.2.3
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeNestloop.c.diff?r1=1.39.2.1;r2=1.39.2.2
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeResult.c.diff?r1=1.32.2.1;r2=1.32.2.2
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeSubplan.c.diff?r1=1.70.2.1;r2=1.70.2.2
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/include/executor/executor.h.diff?r1=1.120.2.2;r2=1.120.2.3
- CVE-2007-0556
* Add debian/patches/00upstream-max-utf8-wchar-len.patch:
- Update various string functions to support the maximum UTF-8 sequence
length for 4-byte character set to prevent buffer overflows.
- Patch backported from 8.1.7 from CVS:
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/utils/mb/wchar.c.diff?r1=1.47.2.4;r2=1.47.2.5
- 12. By Martin Pitt
-
* SECURITY UPDATE: Local DoS.
* Add debian/patches/00upstream-disable-update-aggregates.patch:
- Disallow aggregate functions in UPDATE commands (unless within a
sub-SELECT). It is disallowed by the SQL spec and causes crashes.
- Patch backported from 8.1.5:
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/parser/analyze.c.diff?r1=1.326.2.1&r2=1.326.2.2
* Add debian/patches/00upstream-duration-logging-crash.patch:
- Fix crash in duration logging for a V3-protocol Execute message
when what's being executed is a COMMIT or ROLLBACK.
- Patch backported from 8.1.5:
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/tcop/postgres.c.diff?r1=1.468.2.5&r2=1.468.2.6
* Add debian/patches/00upstream-unknown-array-coerce.patch:
- Repair incorrect check for coercion of unknown literal to ANYARRAY,
which could cause a backend crash.
- Patch backported from 8.1.5:
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/parser/parse_coerce.c.diff?r1=2.132.2.3&r2=2.132.2.4
- 11. By Martin Pitt
-
* SECURITY UPDATE: Remote arbitrary SQL injection.
* This is based on Debian's 8.1.4-1 plus the shlibs fix from bzr head.
* New upstream security and bug fix release:
- The server now rejects invalidly-encoded multibyte characters in all
cases to defend against SQL-injection attacks. [CVE-2006-2313]
- Reject unsafe uses of \' in string literals (for client encodings that
allow SQL injection with this, like SJIS, BIG5, GBK, GB18030, or UHC). A
new configuration parameter backslash_quote is available to adjust this
behavior when needed. [CVE-2006-2314]
- Modify libpq's string-escaping routines to be aware of encoding
considerations and standard_conforming_strings.
This fixes libpq-using applications for the security issues
described in CVE-2006-2313 and CVE-2006-2314, and also
future-proofs them against the planned changeover to SQL-standard
string literal syntax. Applications that use multiple PostgreSQL
connections concurrently should migrate to PQescapeStringConn() and
PQescapeByteaConn() to ensure that escaping is done correctly for
the settings in use in each database connection. Applications that
do string escaping "by hand" should be modified to rely on library
routines instead.
- Various bug fixes, see upstream changelog for details.
* Remove debian/patches/12-krb5-multiusers.patch: Fixed upstream.
* debian/postgresql-8.1.init: Add a comment to point out that environment
variables need to be set in the 'environment' file, not in the init
script.
* debian/postgresql-8.1.init, debian/postgresql-8.1.postinst: Do not fail if
init.d-functions/maintscripts-functions are not present, which happens if
postgresql-{8.1,common} are removed, but not purged. Closes: #362488
* Bump Standards-Version to 3.7.2.
* Add debian/libpq4.shlibs and bump it to >= 8.1.4, to respect the
introduction of PQescapeStringConn() and PQescapeByteaConn().
* debian/postgresql-8.1.postrm, clean_dir(): Do not use rmdir's
--ignore-fail-on-nonempty, since that still falls apart when the
directory is a mountpoint. Just ignore errors.
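Two of the entries above describe the same class of mistake from different angles: revision 16 (CVE-2007-2138, a security-definer function whose unqualified names resolve through the caller's temporary schema) and revision 11 (string literals escaped "by hand" instead of with library routines). The following is an added worked example, not code from the Ubuntu package or from PostgreSQL upstream. It shows a SECURITY DEFINER function written both ways, following the pattern the CREATE FUNCTION documentation recommends for 8.1.9 and later: save the caller's search_path, set a trusted one with pg_temp placed explicitly and last, do the work with schema-qualified helpers and quote_literal(), then restore. The schema "bank", the table "accounts", the function names and the sample rows are hypothetical, and the example assumes plpgsql is installed in the database (createlang plpgsql on 8.1).

```sql
-- Added example (hypothetical schema, table and function names); not part of
-- the package or of upstream PostgreSQL.

CREATE SCHEMA bank;
CREATE TABLE bank.accounts (owner text PRIMARY KEY, balance numeric NOT NULL);
INSERT INTO bank.accounts VALUES ('alice', 100);
INSERT INTO bank.accounts VALUES ('bob', 5);
-- Ordinary roles get no privileges on bank.accounts; they are meant to reach
-- it only through the SECURITY DEFINER functions below.

-- VULNERABLE version, two mistakes:
-- 1. A search_path is set, but pg_temp is not placed in it explicitly, so the
--    CALLER's temporary schema is searched ahead of "bank": for tables in every
--    release, and for functions and operators as well before 8.1.9
--    (CVE-2007-2138). A caller can therefore shadow an object this function
--    relies on and have the replacement run with the definer's privileges.
-- 2. The literal is escaped by hand, so a quote inside the argument ends it.
CREATE FUNCTION bank.balance_of_unsafe(who text) RETURNS numeric AS $$
DECLARE
    result numeric;
BEGIN
    PERFORM set_config('search_path', 'bank', true);
    EXECUTE 'SELECT balance FROM accounts WHERE owner = ''' || who || ''''
        INTO result;
    RETURN result;
END
$$ LANGUAGE plpgsql SECURITY DEFINER;

-- HARDENED version.
CREATE FUNCTION bank.balance_of(who text) RETURNS numeric AS $$
DECLARE
    old_path text;
    result   numeric;
BEGIN
    -- Schema-qualify every helper used before the safe path is in effect.
    old_path := pg_catalog.current_setting('search_path');
    -- Trusted schemas first, pg_temp LAST, so temporary objects never win.
    -- is_local = true: the caller's value is restored at transaction end even
    -- if an error is raised before the explicit restore below.
    PERFORM pg_catalog.set_config('search_path', 'bank, pg_catalog, pg_temp', true);
    -- Let the server escape the literal; quote_literal doubles quotes (and
    -- backslashes where the server's settings require it).
    EXECUTE 'SELECT balance FROM accounts WHERE owner = '
            || pg_catalog.quote_literal(who)
        INTO result;
    PERFORM pg_catalog.set_config('search_path', old_path, true);
    RETURN result;
END
$$ LANGUAGE plpgsql SECURITY DEFINER;

-- Attacker session: an unprivileged role that cannot read bank.accounts.
-- The argument value is  x' OR '1'='1  (quotes doubled for the outer literal).
SELECT bank.balance_of_unsafe('x'' OR ''1''=''1');
    -- unsafe: the WHERE clause becomes  owner = 'x' OR '1'='1', true for
    -- every row, so a balance is handed back although no such owner exists
SELECT bank.balance_of('x'' OR ''1''=''1');
    -- hardened: the whole string is compared as one owner name; NULL result

-- Shadow the table the unsafe function reads through the temporary schema.
CREATE TEMP TABLE accounts (owner text, balance numeric);
INSERT INTO accounts VALUES ('alice', 999999);
SELECT bank.balance_of_unsafe('alice');
    -- unsafe: the temp table is what gets read, since pg_temp is searched
    -- implicitly before "bank"
SELECT bank.balance_of('alice');
    -- hardened: bank.accounts wins because pg_temp is listed last
```

The save/set/restore dance is what 8.1.9 made possible; before that release there was no way to put pg_temp behind the trusted schemas, which is why the fix is described as needed "to allow a security-definer function to set a truly secure value of search_path". From 8.3 on the same effect is available declaratively with a SET search_path clause on CREATE FUNCTION, which also removes the need to restore by hand.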
Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)