postgresql-8.1 (8.1.11-1) unstable; urgency=medium
* New upstream security/bugfix release:
- Prevent functions in indexes from executing with the privileges of
the user running "VACUUM", "ANALYZE", etc. "SET ROLE" is now forbidden
within a SECURITY DEFINER context. [CVE-2007-6600]
- Suitably crafted regular-expression patterns could cause crashes,
infinite or near-infinite looping, and/or massive memory
consumption, all of which pose denial-of-service hazards for
applications that accept regex search patterns from untrustworthy
sources. [CVE-2007-4769, CVE-2007-4772, CVE-2007-6067]
- Require non-superusers who use "/contrib/dblink" to use only
password authentication, as a security measure.
The fix that appeared for this in 8.2.5 was incomplete, as it
plugged the hole for only some "dblink" functions. [CVE-2007-6601,
CVE-2007-3278]
- Fix planner failure in some cases of WHERE false AND var IN (SELECT
...).
- Preserve the tablespace and storage parameters of indexes that are
rebuilt by "ALTER TABLE ... ALTER COLUMN TYPE".
- Make archive recovery always start a new WAL timeline, rather than
only when a recovery stop time was used. This avoids a corner-case risk
of trying to overwrite an existing archived copy of the last WAL
segment, and seems simpler and cleaner than the original definition.
- Make "VACUUM" not use all of maintenance_work_mem when the table is
too small for it to be useful.
- Fix potential crash in translate() when using a multibyte database
encoding.
- Fix overflow in extract(epoch from interval) for intervals
exceeding 68 years.
- Fix PL/Perl to not fail when a UTF-8 regular expression is used in
a trusted function.
- Fix PL/Python to not crash on long exception messages.
- Fix pg_dump to correctly handle inheritance child tables that have
default expressions different from their parent's.
- Fix libpq crash when PGPASSFILE refers to a file that is not a
plain file.
- ecpg parser fixes.
- Make "contrib/tablefunc"'s crosstab() handle NULL rowid as a
category in its own right, rather than crashing.
- Fix tsvector and tsquery output routines to escape backslashes
correctly.
- Fix crash of to_tsvector() on huge input strings.
* Use the timezone database from the system tzdata instead of shipping our
own.
- debian/patches/04-timezone-symlinks.patch: Drop previous
hardlink-to-symlink patch to zic, since that is irrelevant now. Replace
the patch with a Makefile change that just symlinks /usr/share/zoneinfo
to where postgresql previously installed its own tzdata copy.
- debian/control: Add tzdata dependency.
- debian/postgresql-8.1.install: Install the 'timezone' symlink, not the
files in the dereferenced directory.
- debian/postgresql-8.1.postinst: Replace the timezone directory with the
symlink on upgrades, since dpkg does not do that automatically. Without
this, we'd end up with an empty timezone directory.
-- Martin Pitt <email address hidden> Tue, 08 Jan 2008 07:42:54 +0000
