May 19, 2010

[installer 2369] postgresql-8.4.4, 8.3.11, 8.2.17, 8.1.21, 8.0.25, 7.4.29

postgresql-8.4.4, 8.3.11, 8.2.17, 8.1.21, 8.0.25 and 7.4.29 are out.

They include fixes for several security holes. See
http://www.postgresql.org/support/security
http://www.postgresql.org/about/news.1203
for details.

☆ postgresql-8.4.4

http://www.postgresql.org/
ftp://ftp.postgresql.org/pub/source/v8.4.4/postgresql-8.4.4.tar.gz

Release 8.4.4

Release date: 2010-05-17

This release contains a variety of fixes from 8.4.3. For information
about new features in the 8.4 major release, see the Section called
Release 8.4.
__________________________________________________________________

Migration to Version 8.4.4

A dump/restore is not required for those running 8.4.X. However, if you
are upgrading from a version earlier than 8.4.2, see the release notes
for 8.4.2.
__________________________________________________________________

Changes

* Enforce restrictions in plperl using an opmask applied to the whole
interpreter, instead of using "Safe.pm" (Tim Bunce, Andrew Dunstan)
Recent developments have convinced us that "Safe.pm" is too
insecure to rely on for making plperl trustable. This change
removes use of "Safe.pm" altogether, in favor of using a separate
interpreter with an opcode mask that is always applied. Pleasant
side effects of the change include that it is now possible to use
Perl's strict pragma in a natural way in plperl, and that Perl's $a
and $b variables work as expected in sort routines, and that
function compilation is significantly faster. (CVE-2010-1169)
* Prevent PL/Tcl from executing untrustworthy code from pltcl_modules
(Tom)
PL/Tcl's feature for autoloading Tcl code from a database table
could be exploited for trojan-horse attacks, because there was no
restriction on who could create or insert into that table. This
change disables the feature unless pltcl_modules is owned by a
superuser. (However, the permissions on the table are not checked,
so installations that really need a less-than-secure modules table
can still grant suitable privileges to trusted non-superusers.)
Also, prevent loading code into the unrestricted "normal" Tcl
interpreter unless we are really going to execute a pltclu
function. (CVE-2010-1170)
* Fix data corruption during WAL replay of ALTER ... SET TABLESPACE
(Tom)
When archive_mode is on, ALTER ... SET TABLESPACE generates a WAL
record whose replay logic was incorrect. It could write the data to
the wrong place, leading to possibly-unrecoverable data corruption.
Data corruption would be observed on standby slaves, and could
occur on the master as well if a database crash and recovery
occurred after committing the ALTER and before the next checkpoint.
* Fix possible crash if a cache reset message is received during
rebuild of a relcache entry (Heikki)
This error was introduced in 8.4.3 while fixing a related failure.
* Apply per-function GUC settings while running the language
validator for the function (Itagaki Takahiro)
This avoids failures if the function's code is invalid without the
setting; an example is that SQL functions may not parse if the
search_path is not correct.
* Do constraint exclusion for inherited "UPDATE" and "DELETE" target
tables when constraint_exclusion = partition (Tom)
Due to an oversight, this setting previously only caused constraint
exclusion to be checked in "SELECT" commands.
* Do not allow an unprivileged user to reset superuser-only parameter
settings (Alvaro)
Previously, if an unprivileged user ran ALTER USER ... RESET ALL
for himself, or ALTER DATABASE ... RESET ALL for a database he
owns, this would remove all special parameter settings for the user
or database, even ones that are only supposed to be changeable by a
superuser. Now, the "ALTER" will only remove the parameters that
the user has permission to change.
* Avoid possible crash during backend shutdown if shutdown occurs
when a CONTEXT addition would be made to log entries (Tom)
In some cases the context-printing function would fail because the
current transaction had already been rolled back when it came time
to print a log message.
* Fix erroneous handling of %r parameter in recovery_end_command
(Heikki)
The value always came out zero.
* Ensure the archiver process responds to changes in archive_command
as soon as possible (Tom)
* Fix pl/pgsql's CASE statement to not fail when the case expression
is a query that returns no rows (Tom)
* Update pl/perl's "ppport.h" for modern Perl versions (Andrew)
* Fix assorted memory leaks in pl/python (Andreas Freund, Tom)
* Handle empty-string connect parameters properly in ecpg (Michael)
* Prevent infinite recursion in psql when expanding a variable that
refers to itself (Tom)
* Fix psql's \copy to not add spaces around a dot within \copy
(select ...) (Tom)
Addition of spaces around the decimal point in a numeric literal
would result in a syntax error.
* Avoid formatting failure in psql when running in a locale context
that doesn't match the client_encoding (Tom)
* Fix unnecessary "GIN indexes do not support whole-index scans"
errors for unsatisfiable queries using "contrib/intarray" operators
(Tom)
* Ensure that "contrib/pgstattuple" functions respond to cancel
interrupts promptly (Tatsuhito Kasahara)
* Make server startup deal properly with the case that shmget()
returns EINVAL for an existing shared memory segment (Tom)
This behavior has been observed on BSD-derived kernels including OS
X. It resulted in an entirely-misleading startup failure
complaining that the shared memory request size was too large.
* Avoid possible crashes in syslogger process on Windows (Heikki)
* Deal more robustly with incomplete time zone information in the
Windows registry (Magnus)
* Update the set of known Windows time zone names (Magnus)
* Update time zone data files to tzdata release 2010j for DST law
changes in Argentina, Australian Antarctic, Bangladesh, Mexico,
Morocco, Pakistan, Palestine, Russia, Syria, Tunisia; also
historical corrections for Taiwan.
Also, add PKST (Pakistan Summer Time) to the default set of
timezone abbreviations.
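The plperl, PL/Tcl and RESET ALL items above all change what the server checks, and a DBA will want to confirm the resulting state after upgrading. The following SQL is an added post-upgrade audit, written for this post and not part of the PostgreSQL release notes or the PostgreSQL project's own scripts. It assumes the 8.1 through 8.4 catalogs (pg_roles with rolsuper and rolconfig, pg_database with datconfig); on 8.0 and 7.4 the same information is in pg_user (usesuper, useconfig). The role name in the commented ALTER TABLE line is a placeholder.

```sql
-- Added audit script, not from the PostgreSQL release notes.
-- Run with psql as a superuser after upgrading to 8.4.4 (or the
-- corresponding minor release of an older branch).

-- 1. Which procedural languages are installed and which are "trusted".
--    plperl and pltcl are the sandboxed variants that CVE-2010-1169 and
--    CVE-2010-1170 concern; plperlu and pltclu are unrestricted by design,
--    so only superusers should be able to create functions in them.
SELECT lanname, lanpltrusted
FROM   pg_language
WHERE  lanname IN ('plperl', 'plperlu', 'pltcl', 'pltclu');

-- 2. PL/Tcl autoloading from pltcl_modules now only works when the table
--    is owned by a superuser.  Show the owner, whether it is a superuser,
--    and the ACL.  The server does NOT check the ACL, so review by hand
--    who holds INSERT/UPDATE on the table: anyone listed there can
--    change the code that trusted pltcl functions load.
SELECT n.nspname, c.relname, r.rolname AS owner, r.rolsuper, c.relacl
FROM   pg_class      c
JOIN   pg_namespace  n ON n.oid = c.relnamespace
JOIN   pg_roles      r ON r.oid = c.relowner
WHERE  c.relname = 'pltcl_modules'
AND    c.relkind = 'r';

-- If the owner is not a superuser and the autoload feature is really
-- needed, hand the table to a superuser role (placeholder name):
--   ALTER TABLE pltcl_modules OWNER TO postgres;

-- 3. Parameters the server reports as changeable only by a superuser.
--    Entries from this list that appear in the per-role or per-database
--    settings below are exactly the ones the old RESET ALL bug let an
--    ordinary user wipe from his own role or database.
SELECT name, setting
FROM   pg_settings
WHERE  context = 'superuser'
ORDER BY name;

-- 4. Per-role and per-database settings, stored as text[] of "name=value".
--    pg_roles.rolconfig exists from 8.1; pg_database.datconfig exists up
--    to 8.4 (9.0 moved both into pg_db_role_setting).
SELECT rolname, rolconfig
FROM   pg_roles
WHERE  rolconfig IS NOT NULL
ORDER BY rolname;

SELECT datname, datconfig
FROM   pg_database
WHERE  datconfig IS NOT NULL
ORDER BY datname;
```

Query 2 is the one to keep an eye on: the new owner check protects the autoload path, but the release note is explicit that table privileges are still not checked, so a table owned by a superuser and writable by an untrusted role is still a way for that role to plant code. Query 4 is worth re-running after the upgrade to confirm that superuser-set entries survive an ordinary user's ALTER USER ... RESET ALL.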


☆ postgresql-8.3.11
http://www.postgresql.org/
ftp://ftp.postgresql.org/pub/source/v8.3.11/postgresql-8.3.11.tar.gz

Release 8.3.11

Release date: 2010-05-17

This release contains a variety of fixes from 8.3.10. For information
about new features in the 8.3 major release, see the Section called
Release 8.3.
__________________________________________________________________

Migration to Version 8.3.11

A dump/restore is not required for those running 8.3.X. However, if you
are upgrading from a version earlier than 8.3.8, see the release notes
for 8.3.8.
__________________________________________________________________

Changes

* Enforce restrictions in plperl using an opmask applied to the whole
interpreter, instead of using "Safe.pm" (Tim Bunce, Andrew Dunstan)
Recent developments have convinced us that "Safe.pm" is too
insecure to rely on for making plperl trustable. This change
removes use of "Safe.pm" altogether, in favor of using a separate
interpreter with an opcode mask that is always applied. Pleasant
side effects of the change include that it is now possible to use
Perl's strict pragma in a natural way in plperl, and that Perl's $a
and $b variables work as expected in sort routines, and that
function compilation is significantly faster. (CVE-2010-1169)
* Prevent PL/Tcl from executing untrustworthy code from pltcl_modules
(Tom)
PL/Tcl's feature for autoloading Tcl code from a database table
could be exploited for trojan-horse attacks, because there was no
restriction on who could create or insert into that table. This
change disables the feature unless pltcl_modules is owned by a
superuser. (However, the permissions on the table are not checked,
so installations that really need a less-than-secure modules table
can still grant suitable privileges to trusted non-superusers.)
Also, prevent loading code into the unrestricted "normal" Tcl
interpreter unless we are really going to execute a pltclu
function. (CVE-2010-1170)
* Fix possible crash if a cache reset message is received during
rebuild of a relcache entry (Heikki)
This error was introduced in 8.3.10 while fixing a related failure.
* Apply per-function GUC settings while running the language
validator for the function (Itagaki Takahiro)
This avoids failures if the function's code is invalid without the
setting; an example is that SQL functions may not parse if the
search_path is not correct.
* Do not allow an unprivileged user to reset superuser-only parameter
settings (Alvaro)
Previously, if an unprivileged user ran ALTER USER ... RESET ALL
for himself, or ALTER DATABASE ... RESET ALL for a database he
owns, this would remove all special parameter settings for the user
or database, even ones that are only supposed to be changeable by a
superuser. Now, the "ALTER" will only remove the parameters that
the user has permission to change.
* Avoid possible crash during backend shutdown if shutdown occurs
when a CONTEXT addition would be made to log entries (Tom)
In some cases the context-printing function would fail because the
current transaction had already been rolled back when it came time
to print a log message.
* Ensure the archiver process responds to changes in archive_command
as soon as possible (Tom)
* Update pl/perl's "ppport.h" for modern Perl versions (Andrew)
* Fix assorted memory leaks in pl/python (Andreas Freund, Tom)
* Prevent infinite recursion in psql when expanding a variable that
refers to itself (Tom)
* Fix psql's \copy to not add spaces around a dot within \copy
(select ...) (Tom)
Addition of spaces around the decimal point in a numeric literal
would result in a syntax error.
* Fix unnecessary "GIN indexes do not support whole-index scans"
errors for unsatisfiable queries using "contrib/intarray" operators
(Tom)
* Ensure that "contrib/pgstattuple" functions respond to cancel
interrupts promptly (Tatsuhito Kasahara)
* Make server startup deal properly with the case that shmget()
returns EINVAL for an existing shared memory segment (Tom)
This behavior has been observed on BSD-derived kernels including OS
X. It resulted in an entirely-misleading startup failure
complaining that the shared memory request size was too large.
* Avoid possible crashes in syslogger process on Windows (Heikki)
* Deal more robustly with incomplete time zone information in the
Windows registry (Magnus)
* Update the set of known Windows time zone names (Magnus)
* Update time zone data files to tzdata release 2010j for DST law
changes in Argentina, Australian Antarctic, Bangladesh, Mexico,
Morocco, Pakistan, Palestine, Russia, Syria, Tunisia; also
historical corrections for Taiwan.
Also, add PKST (Pakistan Summer Time) to the default set of
timezone abbreviations.


☆ postgresql-8.2.17
http://www.postgresql.org/
ftp://ftp.postgresql.org/pub/source/v8.2.17/postgresql-8.2.17.tar.gz

Release 8.2.17

Release date: 2010-05-17

This release contains a variety of fixes from 8.2.16. For information
about new features in the 8.2 major release, see the Section called
Release 8.2.
__________________________________________________________________

Migration to Version 8.2.17

A dump/restore is not required for those running 8.2.X. However, if you
are upgrading from a version earlier than 8.2.14, see the release notes
for 8.2.14.
__________________________________________________________________

Changes

* Enforce restrictions in plperl using an opmask applied to the whole
interpreter, instead of using "Safe.pm" (Tim Bunce, Andrew Dunstan)
Recent developments have convinced us that "Safe.pm" is too
insecure to rely on for making plperl trustable. This change
removes use of "Safe.pm" altogether, in favor of using a separate
interpreter with an opcode mask that is always applied. Pleasant
side effects of the change include that it is now possible to use
Perl's strict pragma in a natural way in plperl, and that Perl's $a
and $b variables work as expected in sort routines, and that
function compilation is significantly faster. (CVE-2010-1169)
* Prevent PL/Tcl from executing untrustworthy code from pltcl_modules
(Tom)
PL/Tcl's feature for autoloading Tcl code from a database table
could be exploited for trojan-horse attacks, because there was no
restriction on who could create or insert into that table. This
change disables the feature unless pltcl_modules is owned by a
superuser. (However, the permissions on the table are not checked,
so installations that really need a less-than-secure modules table
can still grant suitable privileges to trusted non-superusers.)
Also, prevent loading code into the unrestricted "normal" Tcl
interpreter unless we are really going to execute a pltclu
function. (CVE-2010-1170)
* Fix possible crash if a cache reset message is received during
rebuild of a relcache entry (Heikki)
This error was introduced in 8.2.16 while fixing a related failure.
* Do not allow an unprivileged user to reset superuser-only parameter
settings (Alvaro)
Previously, if an unprivileged user ran ALTER USER ... RESET ALL
for himself, or ALTER DATABASE ... RESET ALL for a database he
owns, this would remove all special parameter settings for the user
or database, even ones that are only supposed to be changeable by a
superuser. Now, the "ALTER" will only remove the parameters that
the user has permission to change.
* Avoid possible crash during backend shutdown if shutdown occurs
when a CONTEXT addition would be made to log entries (Tom)
In some cases the context-printing function would fail because the
current transaction had already been rolled back when it came time
to print a log message.
* Update pl/perl's "ppport.h" for modern Perl versions (Andrew)
* Fix assorted memory leaks in pl/python (Andreas Freund, Tom)
* Prevent infinite recursion in psql when expanding a variable that
refers to itself (Tom)
* Fix psql's \copy to not add spaces around a dot within \copy
(select ...) (Tom)
Addition of spaces around the decimal point in a numeric literal
would result in a syntax error.
* Ensure that "contrib/pgstattuple" functions respond to cancel
interrupts promptly (Tatsuhito Kasahara)
* Make server startup deal properly with the case that shmget()
returns EINVAL for an existing shared memory segment (Tom)
This behavior has been observed on BSD-derived kernels including OS
X. It resulted in an entirely-misleading startup failure
complaining that the shared memory request size was too large.
* Avoid possible crashes in syslogger process on Windows (Heikki)
* Deal more robustly with incomplete time zone information in the
Windows registry (Magnus)
* Update the set of known Windows time zone names (Magnus)
* Update time zone data files to tzdata release 2010j for DST law
changes in Argentina, Australian Antarctic, Bangladesh, Mexico,
Morocco, Pakistan, Palestine, Russia, Syria, Tunisia; also
historical corrections for Taiwan.
Also, add PKST (Pakistan Summer Time) to the default set of
timezone abbreviations.


☆ postgresql-8.1.21
http://www.postgresql.org/
ftp://ftp.postgresql.org/pub/source/v8.1.21/postgresql-8.1.21.tar.gz

Release 8.1.21

Release date: 2010-05-17

This release contains a variety of fixes from 8.1.20. For information
about new features in the 8.1 major release, see the Section called
Release 8.1.
__________________________________________________________________

Migration to Version 8.1.21

A dump/restore is not required for those running 8.1.X. However, if you
are upgrading from a version earlier than 8.1.18, see the release notes
for 8.1.18.
__________________________________________________________________

Changes

* Enforce restrictions in plperl using an opmask applied to the whole
interpreter, instead of using "Safe.pm" (Tim Bunce, Andrew Dunstan)
Recent developments have convinced us that "Safe.pm" is too
insecure to rely on for making plperl trustable. This change
removes use of "Safe.pm" altogether, in favor of using a separate
interpreter with an opcode mask that is always applied. Pleasant
side effects of the change include that it is now possible to use
Perl's strict pragma in a natural way in plperl, and that Perl's $a
and $b variables work as expected in sort routines, and that
function compilation is significantly faster. (CVE-2010-1169)
* Prevent PL/Tcl from executing untrustworthy code from pltcl_modules
(Tom)
PL/Tcl's feature for autoloading Tcl code from a database table
could be exploited for trojan-horse attacks, because there was no
restriction on who could create or insert into that table. This
change disables the feature unless pltcl_modules is owned by a
superuser. (However, the permissions on the table are not checked,
so installations that really need a less-than-secure modules table
can still grant suitable privileges to trusted non-superusers.)
Also, prevent loading code into the unrestricted "normal" Tcl
interpreter unless we are really going to execute a pltclu
function. (CVE-2010-1170)
* Do not allow an unprivileged user to reset superuser-only parameter
settings (Alvaro)
Previously, if an unprivileged user ran ALTER USER ... RESET ALL
for himself, or ALTER DATABASE ... RESET ALL for a database he
owns, this would remove all special parameter settings for the user
or database, even ones that are only supposed to be changeable by a
superuser. Now, the "ALTER" will only remove the parameters that
the user has permission to change.
* Avoid possible crash during backend shutdown if shutdown occurs
when a CONTEXT addition would be made to log entries (Tom)
In some cases the context-printing function would fail because the
current transaction had already been rolled back when it came time
to print a log message.
* Update pl/perl's "ppport.h" for modern Perl versions (Andrew)
* Fix assorted memory leaks in pl/python (Andreas Freund, Tom)
* Prevent infinite recursion in psql when expanding a variable that
refers to itself (Tom)
* Ensure that "contrib/pgstattuple" functions respond to cancel
interrupts promptly (Tatsuhito Kasahara)
* Make server startup deal properly with the case that shmget()
returns EINVAL for an existing shared memory segment (Tom)
This behavior has been observed on BSD-derived kernels including OS
X. It resulted in an entirely-misleading startup failure
complaining that the shared memory request size was too large.
* Update time zone data files to tzdata release 2010j for DST law
changes in Argentina, Australian Antarctic, Bangladesh, Mexico,
Morocco, Pakistan, Palestine, Russia, Syria, Tunisia; also
historical corrections for Taiwan.


☆ postgresql-8.0.25
http://www.postgresql.org/
ftp://ftp.postgresql.org/pub/source/v8.0.25/postgresql-8.0.25.tar.gz

Release 8.0.25

Release date: 2010-05-17

This release contains a variety of fixes from 8.0.24. For information
about new features in the 8.0 major release, see the Section called
Release 8.0.

The PostgreSQL community will stop releasing updates for the 8.0.X
release series in July 2010. Users are encouraged to update to a newer
release branch soon.
__________________________________________________________________

Migration to Version 8.0.25

A dump/restore is not required for those running 8.0.X. However, if you
are upgrading from a version earlier than 8.0.22, see the release notes
for 8.0.22.
__________________________________________________________________

Changes

* Enforce restrictions in plperl using an opmask applied to the whole
interpreter, instead of using "Safe.pm" (Tim Bunce, Andrew Dunstan)
Recent developments have convinced us that "Safe.pm" is too
insecure to rely on for making plperl trustable. This change
removes use of "Safe.pm" altogether, in favor of using a separate
interpreter with an opcode mask that is always applied. Pleasant
side effects of the change include that it is now possible to use
Perl's strict pragma in a natural way in plperl, and that Perl's $a
and $b variables work as expected in sort routines, and that
function compilation is significantly faster. (CVE-2010-1169)
* Prevent PL/Tcl from executing untrustworthy code from pltcl_modules
(Tom)
PL/Tcl's feature for autoloading Tcl code from a database table
could be exploited for trojan-horse attacks, because there was no
restriction on who could create or insert into that table. This
change disables the feature unless pltcl_modules is owned by a
superuser. (However, the permissions on the table are not checked,
so installations that really need a less-than-secure modules table
can still grant suitable privileges to trusted non-superusers.)
Also, prevent loading code into the unrestricted "normal" Tcl
interpreter unless we are really going to execute a pltclu
function. (CVE-2010-1170)
* Do not allow an unprivileged user to reset superuser-only parameter
settings (Alvaro)
Previously, if an unprivileged user ran ALTER USER ... RESET ALL
for himself, or ALTER DATABASE ... RESET ALL for a database he
owns, this would remove all special parameter settings for the user
or database, even ones that are only supposed to be changeable by a
superuser. Now, the "ALTER" will only remove the parameters that
the user has permission to change.
* Avoid possible crash during backend shutdown if shutdown occurs
when a CONTEXT addition would be made to log entries (Tom)
In some cases the context-printing function would fail because the
current transaction had already been rolled back when it came time
to print a log message.
* Update pl/perl's "ppport.h" for modern Perl versions (Andrew)
* Fix assorted memory leaks in pl/python (Andreas Freund, Tom)
* Prevent infinite recursion in psql when expanding a variable that
refers to itself (Tom)
* Ensure that "contrib/pgstattuple" functions respond to cancel
interrupts promptly (Tatsuhito Kasahara)
* Make server startup deal properly with the case that shmget()
returns EINVAL for an existing shared memory segment (Tom)
This behavior has been observed on BSD-derived kernels including OS
X. It resulted in an entirely-misleading startup failure
complaining that the shared memory request size was too large.
* Update time zone data files to tzdata release 2010j for DST law
changes in Argentina, Australian Antarctic, Bangladesh, Mexico,
Morocco, Pakistan, Palestine, Russia, Syria, Tunisia; also
historical corrections for Taiwan.


☆ postgresql-7.4.29
http://www.postgresql.org/
ftp://ftp.postgresql.org/pub/source/v7.4.29/postgresql-7.4.29.tar.gz

Release 7.4.29

Release date: 2010-05-17

This release contains a variety of fixes from 7.4.28. For information
about new features in the 7.4 major release, see the Section called
Release 7.4.

The PostgreSQL community will stop releasing updates for the 7.4.X
release series in July 2010. Users are encouraged to update to a newer
release branch soon.
__________________________________________________________________

Migration to Version 7.4.29

A dump/restore is not required for those running 7.4.X. However, if you
are upgrading from a version earlier than 7.4.26, see the release notes
for 7.4.26.
__________________________________________________________________

Changes

* Enforce restrictions in plperl using an opmask applied to the whole
interpreter, instead of using "Safe.pm" (Tim Bunce, Andrew Dunstan)
Recent developments have convinced us that "Safe.pm" is too
insecure to rely on for making plperl trustable. This change
removes use of "Safe.pm" altogether, in favor of using a separate
interpreter with an opcode mask that is always applied. Pleasant
side effects of the change include that it is now possible to use
Perl's strict pragma in a natural way in plperl, and that Perl's $a
and $b variables work as expected in sort routines, and that
function compilation is significantly faster. (CVE-2010-1169)
* Prevent PL/Tcl from executing untrustworthy code from pltcl_modules
(Tom)
PL/Tcl's feature for autoloading Tcl code from a database table
could be exploited for trojan-horse attacks, because there was no
restriction on who could create or insert into that table. This
change disables the feature unless pltcl_modules is owned by a
superuser. (However, the permissions on the table are not checked,
so installations that really need a less-than-secure modules table
can still grant suitable privileges to trusted non-superusers.)
Also, prevent loading code into the unrestricted "normal" Tcl
interpreter unless we are really going to execute a pltclu
function. (CVE-2010-1170)
* Do not allow an unprivileged user to reset superuser-only parameter
settings (Alvaro)
Previously, if an unprivileged user ran ALTER USER ... RESET ALL
for himself, or ALTER DATABASE ... RESET ALL for a database he
owns, this would remove all special parameter settings for the user
or database, even ones that are only supposed to be changeable by a
superuser. Now, the "ALTER" will only remove the parameters that
the user has permission to change.
* Avoid possible crash during backend shutdown if shutdown occurs
when a CONTEXT addition would be made to log entries (Tom)
In some cases the context-printing function would fail because the
current transaction had already been rolled back when it came time
to print a log message.
* Update pl/perl's "ppport.h" for modern Perl versions (Andrew)
* Fix assorted memory leaks in pl/python (Andreas Freund, Tom)
* Ensure that "contrib/pgstattuple" functions respond to cancel
interrupts promptly (Tatsuhito Kasahara)
* Make server startup deal properly with the case that shmget()
returns EINVAL for an existing shared memory segment (Tom)
This behavior has been observed on BSD-derived kernels including OS
X. It resulted in an entirely-misleading startup failure
complaining that the shared memory request size was too large.

----
こがよういちろう


Posted by xml-rpc : May 19, 2010 10:03