Format: 1.8
Date: Thu, 16 Aug 2012 17:10:53 -0500
Source: postgresql-8.4
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3
 postgresql-8.4 postgresql-client-8.4 postgresql-server-dev-8.4
 postgresql-doc-8.4 postgresql-contrib-8.4 postgresql-plperl-8.4
 postgresql-plpython-8.4 postgresql-pltcl-8.4 postgresql postgresql-client
 postgresql-doc postgresql-contrib
Architecture: all i386_translations i386
Version: 8.4.13-0ubuntu11.04
Distribution: natty
Urgency: low
Maintainer: Ubuntu/amd64 Build Daemon
Changed-By: Jamie Strandboge
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6 - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 8.4
 libpq-dev - header files for libpq5 (PostgreSQL library)
 libpq5 - PostgreSQL C client library
 postgresql - object-relational SQL database (supported version)
 postgresql-8.4 - object-relational SQL database, version 8.4 server
 postgresql-client - front-end programs for PostgreSQL (supported version)
 postgresql-client-8.4 - front-end programs for PostgreSQL 8.4
 postgresql-contrib - additional facilities for PostgreSQL (supported version)
 postgresql-contrib-8.4 - additional facilities for PostgreSQL
 postgresql-doc - documentation for the PostgreSQL database management system
 postgresql-doc-8.4 - documentation for the PostgreSQL database management system
 postgresql-plperl-8.4 - PL/Perl procedural language for PostgreSQL 8.4
 postgresql-plpython-8.4 - PL/Python procedural language for PostgreSQL 8.4
 postgresql-pltcl-8.4 - PL/Tcl procedural language for PostgreSQL 8.4
 postgresql-server-dev-8.4 - development files for PostgreSQL 8.4 server-side programming
Changes:
 postgresql-8.4 (8.4.13-0ubuntu11.04) natty-security; urgency=low
 .
   * New upstream security/bug fix release:
     - Prevent access to external files/URLs via XML entity references
       (Noah Misch, Tom Lane)
       xml_parse() would attempt to fetch external files or URLs as needed
       to resolve DTD and entity references in an XML value, thus allowing
       unprivileged database users to attempt to fetch data with the
       privileges of the database server. While the external data wouldn't
       get returned directly to the user, portions of it could be exposed
       in error messages if the data didn't parse as valid XML; and in any
       case the mere ability to check existence of a file might be useful
       to an attacker. (CVE-2012-3489)
     - Prevent access to external files/URLs via "contrib/xml2"'s
       xslt_process() (Peter Eisentraut)
       libxslt offers the ability to read and write both files and URLs
       through stylesheet commands, thus allowing unprivileged database
       users to both read and write data with the privileges of the
       database server. Disable that through proper use of libxslt's
       security options. (CVE-2012-3488)
       Also, remove xslt_process()'s ability to fetch documents and
       stylesheets from external files/URLs. While this was a documented
       "feature", it was long regarded as a bad idea. The fix for
       CVE-2012-3489 broke that capability, and rather than expend effort
       on trying to fix it, we're just going to summarily remove it.
     - Prevent too-early recycling of btree index pages (Noah Misch)
       When we allowed read-only transactions to skip assigning XIDs, we
       introduced the possibility that a deleted btree page could be
       recycled while a read-only transaction was still in flight to it.
       This would result in incorrect index search results. The
       probability of such an error occurring in the field seems very low
       because of the timing requirements, but nonetheless it should be
       fixed.
     - Fix crash-safety bug with newly-created-or-reset sequences (Tom Lane)
       If "ALTER SEQUENCE" was executed on a freshly created or reset
       sequence, and then precisely one nextval() call was made on it, and
       then the server crashed, WAL replay would restore the sequence to a
       state in which it appeared that no nextval() had been done, thus
       allowing the first sequence value to be returned again by the next
       nextval() call. In particular this could manifest for serial
       columns, since creation of a serial column's sequence includes an
       "ALTER SEQUENCE OWNED BY" step.
     - Ensure the "backup_label" file is fsync'd after pg_start_backup()
       (Dave Kerr)
     - Back-patch 9.1 improvement to compress the fsync request queue
       (Robert Haas)
       This improves performance during checkpoints. The 9.1 change has
       now seen enough field testing to seem safe to back-patch.
     - Only allow autovacuum to be auto-canceled by a directly blocked
       process (Tom Lane)
       The original coding could allow inconsistent behavior in some
       cases; in particular, an autovacuum could get canceled after less
       than deadlock_timeout grace period.
     - Improve logging of autovacuum cancels (Robert Haas)
     - Fix log collector so that log_truncate_on_rotation works during the
       very first log rotation after server start (Tom Lane)
     - Fix WITH attached to a nested set operation
       (UNION/INTERSECT/EXCEPT) (Tom Lane)
     - Ensure that a whole-row reference to a subquery doesn't include any
       extra GROUP BY or ORDER BY columns (Tom Lane)
     - Disallow copying whole-row references in CHECK constraints and
       index definitions during "CREATE TABLE" (Tom Lane)
       This situation can arise in "CREATE TABLE" with LIKE or INHERITS.
       The copied whole-row variable was incorrectly labeled with the row
       type of the original table not the new one. Rejecting the case
       seems reasonable for LIKE, since the row types might well diverge
       later.
       For INHERITS we should ideally allow it, with an implicit coercion
       to the parent table's row type; but that will require more work
       than seems safe to back-patch.
     - Fix memory leak in ARRAY(SELECT ...) subqueries (Heikki
       Linnakangas, Tom Lane)
     - Fix extraction of common prefixes from regular expressions (Tom
       Lane)
       The code could get confused by quantified parenthesized
       subexpressions, such as ^(foo)?bar. This would lead to incorrect
       index optimization of searches for such patterns.
     - Fix bugs with parsing signed "hh":"mm" and "hh":"mm":"ss" fields in
       interval constants (Amit Kapila, Tom Lane)
     - Report errors properly in "contrib/xml2"'s xslt_process() (Tom
       Lane)
     - Update time zone data files to tzdata release 2012e for DST law
       changes in Morocco and Tokelau
Original-Maintainer: Martin Pitt