Change log for postgresql package in Ubuntu

Deleted in feisty-release (Reason: transitional package in breezy, obsolete since then)
postgresql (7.5.22) unstable; urgency=low

  * debian/control: Make postgresql-contrib package description more
    consistent. Closes: #383954

 -- Ubuntu Archive Auto-Sync <email address hidden>   Tue,  12 Dec 2006 11:03:27 +0000
Superseded in feisty-release
Obsolete in edgy-release
postgresql (7.5.21) unstable; urgency=low

  * Add debian/postgresql-client.postrm: Remove
    /etc/postgresql/postgresql.env.dpkg-old on purge. Closes: #380168
  * Add debian/postgresql.postrm: Remove various *.dpkg-old files which were
    created during the transition in the postinst. Closes: #380167
  * debian/postgresql.post{inst,rm}: Also clean up old logcheck conffiles.
    (part of #380167)
  * debian/control: Bump Standards-Version (no changes needed).
  * debian/copyright: Update FSF address.

 -- Martin Pitt <email address hidden>   Fri,  08 Sep 2006 18:04:23 +0100
Superseded in edgy-release
postgresql (7.5.20) unstable; urgency=low

  * debian/control: Conflict to postgis << 1.1.2 to ensure that the postgis
    files are in their proper location. It's not an issue for sarge upgrades
    anyway since postgis is not yet in sarge (and the current postgis does not
    support 7.4). Closes: #321850

 -- Ubuntu Archive Auto-Sync <email address hidden>   Sun,  02 Jul 2006 21:04:29 +0100
Superseded in edgy-release
postgresql (7.5.19) unstable; urgency=medium

  * debian/postgresql.preinst: Check if /etc/init.d/postgresql exists before
    attempting to call it. Closes: #363393

Obsolete in hoary-security
postgresql (7.4.7-2ubuntu2.3) hoary-security; urgency=low

  * SECURITY UPDATE: Remote SQL injection.
  * Add debian/patches/54reject-invalid-encoding.patch:
    - Change the backend to reject strings containing invalidly-encoded
      multibyte characters in all cases.  Formerly we mostly just threw warnings
      for invalid input, and failed to detect it at all if no encoding
      conversion was required.  The tighter check is needed to defend
      against SQL-injection attacks.
    - Also, fix a few longstanding errors in little-used encoding conversion
      routines: win1251_to_iso, win866_to_iso, euc_tw_to_big5, euc_tw_to_mic,
      mic_to_euc_tw were all broken to varying extents.
    - Patch backported from 8.0.8.
    - CVE-2006-2313
  * Add debian/patches/55backslash_quote-guc.patch:
    - Add a new GUC parameter backslash_quote, which determines whether the
      SQL parser will allow "\'" to be used to represent a literal quote mark.
      The "\'" representation has been deprecated for some time in favor of the
      SQL-standard representation "''" (two single quote marks), but it has been
      used often enough that just disallowing it immediately won't do.  Hence
      backslash_quote allows the settings "on", "off", and "safe_encoding", the
      last meaning to allow "\'" only if client_encoding is a valid server
      encoding.  That is now the default, and the reason is that in encodings
      such as SJIS that allow 0x5c (ASCII backslash) to be the last byte of a
      multibyte character, accepting "\'" allows SQL-injection attacks.
    - The "on" setting is available for backward compatibility, but it must
      not be used with clients that are exposed to untrusted input.
    - Patch backported from 8.0.8.
    - CVE-2006-2314
  * Add debian/patches/56quote-escaping.patch:
    - Change escaping from \' to '' throughout the code (in client programs
      and contrib modules).
    - Patch backported from 8.0.8.
  * Add debian/patches/57libpq-string-escaping.patch:
    - Modify libpq's string-escaping routines to be aware of encoding
      considerations and standard_conforming_strings.  The encoding changes are
      needed for proper escaping in multibyte encodings, as per the
      SQL-injection vulnerabilities noted in CVE-2006-2313 and CVE-2006-2314.
    - Since the existing API of PQescapeString and PQescapeBytea provides no
      way to inform them which settings are in use, these functions are now
      deprecated in favor of new functions PQescapeStringConn and
      PQescapeByteaConn.  The new functions take the PGconn to which the string
      will be sent as an additional parameter, and look inside the connection
      structure to determine what to do.  So as to provide some functionality
      for clients using the old functions, libpq stores the latest encoding and
      standard_conforming_strings values received from the backend in
      static variables, and the old functions consult these variables.
      This will work reliably in clients using only one Postgres
      connection at a time, or even multiple connections if they all use
      the same encoding and string syntax settings; which should cover
      many practical scenarios.
    - Clients that use homebrew escaping methods, such as PHP's addslashes()
      function or even hardwired regexp substitution, will require extra effort
      to fix :-(.  It is strongly recommended that such code be replaced by use
      of PQescapeStringConn/PQescapeByteaConn if at all feasible.
    - Patch backported from 8.0.8.
  * Add debian/patches/58indexscan-duplicate-tuples.patch:
    - Fix nasty bug in nodeIndexscan.c's detection of duplicate tuples during
      a multiple (OR'ed) indexscan.  It was checking for duplicate
      tuple->t_data->t_ctid, when what it should be checking is tuple->t_self.
    - Patch backported from 8.0.8.

 -- Martin Pitt <email address hidden>   Wed, 24 May 2006 17:33:01 +0000
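
The multibyte escaping problem described in the 7.4.7-2ubuntu2.3 entry above, as an added C example (not code from the PostgreSQL patches or from libpq): a byte-wise escaper beside an encoding-aware one, each checked against a simplified parser model. The function names, the plain Shift-JIS byte ranges and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>

/* Simplified Shift-JIS byte classes (assumption: plain SJIS, no vendor extensions). */
static int sjis_lead(unsigned char c)  { return (c >= 0x81 && c <= 0x9F) || (c >= 0xE0 && c <= 0xFC); }
static int sjis_trail(unsigned char c) { return (c >= 0x40 && c <= 0x7E) || (c >= 0x80 && c <= 0xFC); }

/* Constructed sample: the valid SJIS character 0x95 0x5C followed by a single quote. */
const unsigned char SAMPLE[3] = {0x95, 0x5C, '\''};

/* Strict validation: every lead byte must be followed by a valid trail byte. */
int sjis_valid(const unsigned char *s, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (sjis_lead(s[i]) && (++i >= n || !sjis_trail(s[i]))) return 0;
    return 1;
}

/* Homebrew-style escaping that looks at single bytes only: ' -> \' and \ -> \\ */
size_t escape_bytewise(const unsigned char *s, size_t n, unsigned char *out) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\'' || s[i] == '\\') out[o++] = '\\';
        out[o++] = s[i];
    }
    return o;
}

/* Encoding-aware escaping: reject invalid input, copy two-byte characters whole, double ' and \ */
size_t escape_sjis_aware(const unsigned char *s, size_t n, unsigned char *out) {
    size_t o = 0;
    if (!sjis_valid(s, n)) return (size_t)-1;
    for (size_t i = 0; i < n; i++) {
        if (sjis_lead(s[i])) out[o++] = s[i++];              /* trail byte copied below */
        else if (s[i] == '\'' || s[i] == '\\') out[o++] = s[i];
        out[o++] = s[i];
    }
    return o;
}

/* Model of an SJIS-aware parser that accepts backslash escapes: 1 if a lone quote ends the literal. */
int literal_breaks_out(const unsigned char *s, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if ((sjis_lead(s[i]) || s[i] == '\\') && i + 1 < n) { i++; continue; }
        if (s[i] != '\'') continue;
        if (i + 1 < n && s[i + 1] == '\'') { i++; continue; }  /* '' pair */
        return 1;
    }
    return 0;
}
```

For `SAMPLE`, the byte-wise output ends the literal early under the parser model, while the encoding-aware output does not. An input with a lead byte directly followed by a quote is refused by `sjis_valid`, the tighter check the changelog attributes to the backend.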
Superseded in hoary-security
postgresql (7.4.7-2ubuntu2.2) hoary-security; urgency=low

  * SECURITY UPDATE: Local DoS.
  * Add debian/patches/53CVE-2006-0678:
    - Fix bug in SET SESSION AUTHORIZATION that allows unprivileged users to
      crash the server, if it has been compiled with Asserts enabled (which is
      not the default). Thanks to Akio Ishida for reporting this problem.
    - Patch backported from 8.0.7.
    - CVE-2006-0678 (note: this is not CVE-2006-0553; that only applies to 8.1
     and has the same cause, but a different impact).

 -- Martin Pitt <email address hidden>   Fri, 24 Feb 2006 13:20:56 +0000
Obsolete in warty-security
postgresql (7.4.5-3ubuntu0.6) warty-security; urgency=low

  * SECURITY UPDATE: Local DoS.
  * Add debian/patches/53CVE-2006-0678:
    - Fix bug in SET SESSION AUTHORIZATION that allows unprivileged users to
      crash the server, if it has been compiled with Asserts enabled (which is
      not the default). Thanks to Akio Ishida for reporting this problem.
    - Patch backported from 8.0.7.
    - CVE-2006-0678 (note: this is not CVE-2006-0553; that only applies to 8.1
     and has the same cause, but a different impact).

 -- Martin Pitt <email address hidden>   Fri, 24 Feb 2006 13:34:17 +0000
Superseded in edgy-release
Obsolete in dapper-release
postgresql (7.5.16.1) dapper; urgency=low

  * Fake sync from Debian to get bug fixes for the transition to the new
    architecture (only affects upgrades from Hoary, though).

Superseded in dapper-release
postgresql (7.5.15) unstable; urgency=high


  * Urgency high since this bug broke upgrades from Sarge.
  * debian/postgresql.preinst: Stop postmaster so that it really is not
    running during the transition. 
  * Add test-psql-transition: Test script that uses pbuilder to test the
    upgrade from Sarge to the new infrastructure. This is not shipped.

 -- Martin Pitt <email address hidden>  Thu, 29 Dec 2005 15:47:22 +0100
Superseded in dapper-release
postgresql (7.5.14) unstable; urgency=medium


  * Urgency medium, this upload just fixes a bug that will break sarge
    upgrades with postgresql-common 38.
  * debian/postgresql.postinst: Drop the obsolete -s from the pg_ctlcluster
    call.

 -- Martin Pitt <email address hidden>  Wed, 28 Dec 2005 15:06:38 +0100
Superseded in dapper-release
postgresql (7.5.13) unstable; urgency=high


  * Urgency high since the only change is a simple bug fix.
  * Fix the path of the plpgsql.so symlink. (Brown paperbag...).
    Closes: #337514

 -- Martin Pitt <email address hidden>  Sat,  5 Nov 2005 08:11:18 -0500
Obsolete in breezy-release
postgresql (7.5.9) unstable; urgency=low


  * Recommend the split out PL/* languages and add a note to the package
    description.
  * Remove obsolete conffile /etc/cron.d/postgresql (if unchanged).

 -- Martin Pitt <email address hidden>  Wed, 31 Aug 2005 11:41:43 +0200
Superseded in hoary-security
postgresql (7.4.7-2ubuntu2.1) hoary-security; urgency=low


  * SECURITY UPDATE: Fix potential buffer overflows and crashes.
  * Added debian/patches/51CAN-2005-1409:
    - Change the signature of conversion functions to declare the
      output area as INTERNAL, not CSTRING. This prevents users from calling
      the functions by hand.
    - CAN-2005-1409
  * Added debian/patches/52CAN-2005-1410:
   - Change the signature of tsearch2 modules to take INTERNAL instead of
     TEXT. This prevents users from calling the functions by hand.
   - CAN-2005-1410
  * debian/postinst.in:
   - Added function db_security_update_CAN_2005_1409_1410() which applies
     above fixes to all already existing databases.
   - Call that function if upgrading from earlier releases.

 -- Martin Pitt <email address hidden>  Wed,  4 May 2005 12:31:16 +0200
Obsolete in hoary-release
postgresql (7.4.7-2ubuntu2) hoary; urgency=low


  * debian/postgresql.init: Create socket directory /var/run/postgresql if it
    does not exist. This happens if /var/run is mounted on a tmpfs.
    (Ubuntu #6168)

 -- Martin Pitt <email address hidden>  Thu, 17 Feb 2005 14:24:55 +0100
Superseded in warty-security
postgresql (7.4.5-3ubuntu0.5) warty-security; urgency=low


  * SECURITY UPDATE: Fix potential buffer overflows and crashes.
  * Added debian/patches/51CAN-2005-1409:
    - Change the signature of conversion functions to declare the
      output area as INTERNAL, not CSTRING. This prevents users from calling
      the functions by hand.
    - CAN-2005-1409
  * Added debian/patches/52CAN-2005-1410:
   - Change the signature of tsearch2 modules to take INTERNAL instead of
     TEXT. This prevents users from calling the functions by hand.
   - CAN-2005-1410
  * debian/postinst.in:
   - Added function db_security_update_CAN_2005_1409_1410() which applies
     above fixes to all already existing databases.
   - Call that function if upgrading from earlier releases.

 -- Martin Pitt <email address hidden>  Wed,  4 May 2005 12:59:54 +0200
Obsolete in warty-release
postgresql (7.4.5-3) unstable; urgency=medium


  * Still urgency medium since this is an RC bug and the previous medium
    upload has not yet gone into testing
  * postinst.in: always assign a default value to TMPFILE if it is not set.
    Closes: #269465

 -- Martin Pitt <email address hidden>  Thu,  2 Sep 2004 08:04:41 +0200