ubuntu/+source/postgresql-9.1:ubuntu/precise-devel

Last commit made on 2016-10-27
Get this branch:
git clone -b ubuntu/precise-devel https://git.launchpad.net/ubuntu/+source/postgresql-9.1
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information

Name:
ubuntu/precise-devel
Repository:
lp:ubuntu/+source/postgresql-9.1

Recent commits

6c30511... by Martin Pitt on 2016-10-27

Import patches-unapplied version 9.1.24-0ubuntu0.12.04 to ubuntu/precise-proposed

Imported using git-ubuntu import.

Changelog parent: b336b9e106caf89b33d3a04268d9884c333e4939

New changelog entries:
  * New upstream bug fix release (LP: #1637236)
   - Details: https://www.postgresql.org/docs/9.1/static/release-9-1-24.html

b336b9e... by Martin Pitt on 2016-08-17

Import patches-unapplied version 9.1.23-0ubuntu0.12.04 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 88182be1f5ab3cf7957911858c6280ed1eda475a

New changelog entries:
  * New upstream security/bug fix release (LP: #1614113)
    - Fix possible mis-evaluation of nested CASE-WHEN expressions
      A CASE expression appearing within the test value subexpression of
      another CASE could become confused about whether its own test value was
      null or not. Also, inlining of a SQL function implementing the equality
      operator used by a CASE expression could result in passing the wrong
      test value to functions called within a CASE expression in the SQL
      function's body. If the test values were of different data types, a
      crash might result; moreover such situations could be abused to allow
      disclosure of portions of server memory. (CVE-2016-5423)
    - Fix client programs' handling of special characters in database and role
      names
      Numerous places in vacuumdb and other client programs could become
      confused by database and role names containing double quotes or
      backslashes. Tighten up quoting rules to make that safe. Also, ensure
      that when a conninfo string is used as a database name parameter to
      these programs, it is correctly treated as such throughout.
      Fix handling of paired double quotes in psql's \connect and \password
      commands to match the documentation.
      Introduce a new -reuse-previous option in psql's \connect command to
      allow explicit control of whether to re-use connection parameters from a
      previous connection. (Without this, the choice is based on whether the
      database name looks like a conninfo string, as before.) This allows
      secure handling of database names containing special characters in
      pg_dumpall scripts.
      pg_dumpall now refuses to deal with database and role names containing
      carriage returns or newlines, as it seems impractical to quote those
      characters safely on Windows. In future we may reject such names on the
      server side, but that step has not been taken yet.
      These are considered security fixes because crafted object names
      containing special characters could have been used to execute commands
      with superuser privileges the next time a superuser executes pg_dumpall
      or other routine maintenance operations. (CVE-2016-5424)
   - Details: https://www.postgresql.org/docs/9.1/static/release-9-1-23.html

88182be... by Martin Pitt on 2016-05-12

Import patches-unapplied version 9.1.22-0ubuntu0.12.04 to ubuntu/precise-proposed

Imported using git-ubuntu import.

Changelog parent: c6f104934bc35f39e58a9e2d39f4f43da14b5a65

New changelog entries:
  * New upstream bug fix release. (LP: #1581016)
    - Details: http://www.postgresql.org/docs/9.1/static/release-9-1-22.html

c6f1049... by Martin Pitt on 2016-03-31

Import patches-unapplied version 9.1.21-0ubuntu0.12.04 to ubuntu/precise-proposed

Imported using git-ubuntu import.

Changelog parent: 038e64477e093f3df98d2ee49d70769259409af6

New changelog entries:
  * New upstream security/bug fix release: (LP: #1564268)
    - See http://www.postgresql.org/about/news/1656/ for details.

038e644... by Martin Pitt on 2016-02-11

Import patches-unapplied version 9.1.20-0ubuntu0.12.04 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: c88c7bc89b7706d3dfc4f7391583d94acd24de43

New changelog entries:
  * New upstream security/bug fix release: (LP: #1544576)
    - Fix infinite loops and buffer-overrun problems in regular expressions.
      Very large character ranges in bracket expressions could cause infinite
      loops in some cases, and memory overwrites in other cases.
      (CVE-2016-0773)
    - Prevent certain PL/Java parameters from being set by non-superusers.
      This change mitigates a PL/Java security bug (CVE-2016-0766), which was
      fixed in PL/Java by marking these parameters as superuser-only. To fix
      the security hazard for sites that update PostgreSQL more frequently
      than PL/Java, make the core code aware of them also.
    - See release notes for details about other fixes.

c88c7bc... by Martin Pitt on 2015-10-08

Import patches-unapplied version 9.1.19-0ubuntu0.12.04 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: f700e12d3ff488b4c21ff81f3a9dba0da79ad19c

New changelog entries:
  * New upstream security/bug fix release (LP: #1504132)
    - Fix contrib/pgcrypto to detect and report too-short crypt() salts
      Certain invalid salt arguments crashed the server or disclosed a few
      bytes of server memory. We have not ruled out the viability of attacks
      that arrange for presence of confidential information in the disclosed
      bytes, but they seem unlikely. (CVE-2015-5288)
    - See release notes for details about other fixes.

f700e12... by Martin Pitt on 2015-06-12

Import patches-unapplied version 9.1.18-0ubuntu0.12.04 to ubuntu/precise-proposed

Imported using git-ubuntu import.

Changelog parent: 497b15fc1f196684bbe7c1f119ce91a44dd5b1ea

New changelog entries:
  * New upstream bug fix release (LP: #1464669)
    - Fix possible failure to recover from an inconsistent database state
    - Fix rare failure to invalidate relation cache init file
    - See http://www.postgresql.org/about/news/1592/ for details.

497b15f... by Martin Pitt on 2015-06-03

Import patches-unapplied version 9.1.17-0ubuntu0.12.04 to ubuntu/precise-proposed

Imported using git-ubuntu import.

Changelog parent: eb96b8dfeef6cd18defdab292deb3b481239b3bb

New changelog entries:
  * New upstream bug fix release (LP: #1461425)
    - Avoid failures while fsync'ing data directory during crash restart.
      In the previous minor releases we added a patch to fsync everything in
      the data directory after a crash. Unfortunately its response to any
      error condition was to fail, thereby preventing the server from starting
      up, even when the problem was quite harmless. An example is that an
      unwritable file in the data directory would prevent restart on some
      platforms; but it is common to make SSL certificate files unwritable by
      the server. Revise this behavior so that permissions failures are
      ignored altogether, and other types of failures are logged but do not
      prevent continuing.
   - See release notes for details about other fixes.

eb96b8d... by Martin Pitt on 2015-05-20

Import patches-unapplied version 9.1.16-0ubuntu0.12.04 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: ab58f132d5bc46513a5fc1bf5e8945c278f62095

New changelog entries:
  * New upstream security/bug fix release (LP: #1457093)
    - Avoid possible crash when client disconnects just before the
      authentication timeout expires.
      If the timeout interrupt fired partway through the session shutdown
      sequence, SSL-related state would be freed twice, typically causing a
      crash and hence denial of service to other sessions. Experimentation
      shows that an unauthenticated remote attacker could trigger the bug
      somewhat consistently, hence treat as security issue. (CVE-2015-3165)
    - Improve detection of system-call failures
      Our replacement implementation of snprintf() failed to check for errors
      reported by the underlying system library calls; the main case that
      might be missed is out-of-memory situations. In the worst case this
      might lead to information exposure, due to our code assuming that a
      buffer had been overwritten when it hadn't been. Also, there were a few
      places in which security-relevant calls of other system library
      functions did not check for failure.
      It remains possible that some calls of the *printf() family of functions
      are vulnerable to information disclosure if an out-of-memory error
      occurs at just the wrong time. We judge the risk to not be large, but
      will continue analysis in this area. (CVE-2015-3166)
    - In contrib/pgcrypto, uniformly report decryption failures as Wrong key
      or corrupt data
      Previously, some cases of decryption with an incorrect key could report
      other error message texts. It has been shown that such variance in
      error reports can aid attackers in recovering keys from other systems.
      While it's unknown whether pgcrypto's specific behaviors are likewise
      exploitable, it seems better to avoid the risk by using a
      one-size-fits-all message. (CVE-2015-3167)
    - Protect against wraparound of multixact member IDs
      Under certain usage patterns, the existing defenses against this might
      be insufficient, allowing pg_multixact/members files to be removed too
      early, resulting in data loss.
      The fix for this includes modifying the server to fail transactions that
      would result in overwriting old multixact member ID data, and improving
      autovacuum to ensure it will act proactively to prevent multixact member
      ID wraparound, as it does for transaction ID wraparound.
   - See release notes for details about other fixes.
  * Backport the autopkgtest, as running the postgresql-common integration
    test suite is a lot simpler that way. Add manual creation of required
    locales, as precise's postgresql-common test suite does not yet do that by
    itself.

ab58f13... by Martin Pitt on 2015-02-06

Import patches-unapplied version 9.1.15-0ubuntu0.12.04 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: a66c5f5609ba48fcdee2e084cc7db8fca50fe7dd

New changelog entries:
  * New upstream security/bug fix release (LP: #1418928)
    - Fix buffer overruns in to_char() [CVE-2015-0241]
    - Fix buffer overruns in contrib/pgcrypto [CVE-2015-0243]
    - Fix possible loss of frontend/backend protocol synchronization after an
      error [CVE-2015-0244]
    - Fix information leak via constraint-violation error messages
      [CVE-2014-8161]
    - See release notes for details about other fixes:
      http://www.postgresql.org/about/news/1569/