Postgres. The PL/Python intepreter is a full Python interpreter.
in it). It has therefore been named "plpythonu". The trusted variant
2013-04-04 23:08:38 by Adam Ciarcinski | Files touched by this commit (66) | |
Log message:
The PostgreSQL Global Development Group has released a security update to all \
current versions of the PostgreSQL database system, including versions 9.2.4, \
9.1.9, 9.0.13, and 8.4.17. This update fixes a high-exposure security \
vulnerability in versions 9.0 and later. All users of the affected versions are \
strongly urged to apply the update immediately.
A major security issue fixed in this release, CVE-2013-1899, makes it possible \
for a connection request containing a database name that begins with \
"-" to be crafted that can damage or destroy files within a server's \
data directory. Anyone with access to the port the PostgreSQL server listens on \
can initiate this request.
Two lesser security fixes are also included in this release: CVE-2013-1900, \
wherein random numbers generated by contrib/pgcrypto functions may be easy for \
another database user to guess, and CVE-2013-1901, which mistakenly allows an \
unprivileged user to run commands that could interfere with in-progress backups. \
Finally, this release fixes two security issues with the graphical installers \
for Linux and Mac OS X: insecure passing of superuser passwords to a script, \
CVE-2013-1903 and the use of predictable filenames in /tmp CVE-2013-1902.
|
2013-02-09 12:19:19 by Adam Ciarcinski | Files touched by this commit (86) | |
Log message:
The PostgreSQL Global Development Group has released a security update to all \
current versions of the PostgreSQL database system, including versions 9.2.3, \
9.1.8, 9.0.12, 8.4.16, and 8.3.23. This update fixes a denial-of-service (DOS) \
vulnerability. All users should update their PostgreSQL installations as soon as \
possible.
The security issue fixed in this release, CVE-2013-0255, allows a previously \
authenticated user to crash the server by calling an internal function with \
invalid arguments. This issue was discovered by independent security researcher \
Sumit Soni this week and reported via Secunia SVCRP, and we are grateful for \
their efforts in making PostgreSQL more secure.
Today's update also fixes a performance regression which caused a decrease in \
throughput when using dynamic queries in stored procedures in version 9.2. \
Applications which use PL/pgSQL's EXECUTE are strongly affected by this \
regression and should be updated. Additionally, we have fixed intermittent \
crashes caused by CREATE/DROP INDEX CONCURRENTLY, and multiple minor issues with \
replication.
This release is expected to be the final update for version 8.3, which is now \
End-of-Life (EOL). Users of version 8.3 should plan to upgrade to a later \
version of PostgreSQL immediately. For more information, see our Versioning \
Policy.
This update release also contains fixes for many minor issues discovered and \
patched by the PostgreSQL community in the last two months, including:
* Prevent unnecessary table scans during vacuuming
* Prevent spurious cached plan error in PL/pgSQL
* Allow sub-SELECTs to be subscripted
* Prevent DROP OWNED from dropping databases or tablespaces
* Make ECPG use translated messages
* Allow PL/Python to use multi-table trigger functions (again) in 9.1 and 9.2
* Fix several activity log management issues on Windows
* Prevent autovacuum file truncation from being cancelled by deadlock_timeout
* Make extensions build with the .exe suffix automatically on Windows
* Fix concurrency issues with CREATE/DROP DATABASE
* Reject out-of-range values in to_date() conversion function
* Revert cost estimation for large indexes back to pre-9.2 behavior
* Make pg_basebackup tolerate timeline switches
* Cleanup leftover temp table entries during crash recovery
* Prevent infinite loop when COPY inserts a large tuple into a table with a \
large fillfactor
* Prevent integer overflow in dynahash creation
* Make pg_upgrade work with INVALID indexes
* Fix bugs in TYPE privileges
* Allow Contrib installchecks to run in their own databases
* Many documentation updates
* Add new timezone "FET".
|
2013-02-07 00:24:19 by Jonathan Perkin | Files touched by this commit (1351) | |
Log message:
PKGREVISION bumps for the security/openssl 1.0.1d update.
|
2012-10-02 23:25:56 by Aleksej Saushev | Files touched by this commit (323) |
Log message:
Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.
|
2012-07-01 21:19:42 by Daniel Horecki | Files touched by this commit (5) | |
Log message:
Security update to version 8.3.19.
Changes:
* Fix incorrect password transformation in contrib/pgcrypto's DES crypt() \
function (Solar Designer)
* If a password string contained the byte value 0x80, the remainder of the \
password was ignored, causing the password to be much weaker than it appeared. \
With this fix, the rest of the string is properly included in the DES hash. Any \
stored password values that are affected by this bug will thus no longer match, \
so the stored values may need to be updated. (CVE-2012-2143)
* Ignore SECURITY DEFINER and SET attributes for a procedural language's call \
handler (Tom Lane)
* Applying such attributes to a call handler could crash the server. (CVE-2012-2655)
* Allow numeric timezone offsets in timestamp input to be up to 16 hours away \
from UTC (Tom Lane)
* Some historical time zones have offsets larger than 15 hours, the previous \
limit. This could result in dumped data values being rejected during reload.
* Fix timestamp conversion to cope when the given time is exactly the last DST \
transition time for the current timezone (Tom Lane)
* This oversight has been there a long time, but was not noticed previously \
because most DST-using zones are presumed to have an indefinite sequence of \
future DST transitions.
* Fix text to name and char to name casts to perform string truncation correctly \
in multibyte encodings (Karl Schnaitter)
* Fix memory copying bug in to_tsquery() (Heikki Linnakangas)
* Fix slow session startup when pg_attribute is very large (Tom Lane)
* If pg_attribute exceeds one-fourth of shared_buffers, cache rebuilding code \
that is sometimes needed during session start would trigger the \
synchronized-scan logic, causing it to take many times longer than normal. The \
problem was particularly acute if many new sessions were starting at once.
* Ensure sequential scans check for query cancel reasonably often (Merlin Moncure)
* A scan encountering many consecutive pages that contain no live tuples would \
not respond to interrupts meanwhile.
* Ensure the Windows implementation of PGSemaphoreLock() clears \
ImmediateInterruptOK before returning (Tom Lane)
* This oversight meant that a query-cancel interrupt received later in the same \
query could be accepted at an unsafe time, with unpredictable but not good \
consequences.
* Show whole-row variables safely when printing views or rules (Abbas Butt, Tom Lane)
* Corner cases involving ambiguous names (that is, the name could be either a \
table or column name of the query) were printed in an ambiguous way, risking \
that the view or rule would be interpreted differently after dump and reload. \
Avoid the ambiguous case by attaching a no-op cast.
* Ensure autovacuum worker processes perform stack depth checking properly \
(Heikki Linnakangas)
* Previously, infinite recursion in a function invoked by auto-ANALYZE could \
crash worker processes.
* Fix logging collector to not lose log coherency under high load (Andrew Dunstan)
* The collector previously could fail to reassemble large messages if it got too \
busy.
* Fix logging collector to ensure it will restart file rotation after receiving \
SIGHUP (Tom Lane)
* Fix PL/pgSQL's GET DIAGNOSTICS command when the target is the function's first \
variable (Tom Lane)
* Fix several performance problems in pg_dump when the database contains many \
objects (Jeff Janes, Tom Lane)
* pg_dump could get very slow if the database contained many schemas, or if many \
objects are in dependency loops, or if there are many owned sequences.
* Fix contrib/dblink's dblink_exec() to not leak temporary database connections \
upon error (Tom Lane)
* Update time zone data files to tzdata release 2012c for DST law changes in \
Antarctica, Armenia, Chile, Cuba, Falkland Islands, Gaza, Haiti, Hebron, \
Morocco, Syria, and Tokelau Islands; also historical corrections for Canada.
|
2012-06-14 09:45:42 by Steven Drake | Files touched by this commit (1202) |
Log message:
Recursive PKGREVISION bump for libxml2 buildlink addition.
|
2012-03-15 12:53:45 by OBATA Akio | Files touched by this commit (170) |
Log message:
Bump PKGREVISION from default python to 2.7.
|
2011-04-23 00:58:18 by OBATA Akio | Files touched by this commit (4) | |
Log message:
reset PKGREVISION from base pkg update.
|