Format: 1.7
Date: Thu, 16 Aug 2012 17:23:29 -0500
Source: postgresql-8.3
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-8.3 postgresql-client-8.3 postgresql-server-dev-8.3 postgresql-doc-8.3 postgresql-contrib-8.3 postgresql-plperl-8.3 postgresql-plpython-8.3 postgresql-pltcl-8.3 postgresql postgresql-client postgresql-doc postgresql-contrib
Architecture: sparc_translations sparc
Version: 8.3.20-0ubuntu8.04
Distribution: hardy
Urgency: low
Maintainer: Ubuntu/sparc Build Daemon <buildd@sejong.buildd>
Changed-By: Jamie Strandboge <jamie@ubuntu.com>
Description: 
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6   - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 8.3
 libpq-dev  - header files for libpq5 (PostgreSQL library)
 libpq5     - PostgreSQL C client library
 postgresql - object-relational SQL database (latest version)
 postgresql-8.3 - object-relational SQL database, version 8.3 server
 postgresql-client - front-end programs for PostgreSQL (latest version)
 postgresql-client-8.3 - front-end programs for PostgreSQL 8.3
 postgresql-contrib - additional facilities for PostgreSQL (latest version)
 postgresql-contrib-8.3 - additional facilities for PostgreSQL
 postgresql-doc - documentation for the PostgreSQL database management system
 postgresql-doc-8.3 - documentation for the PostgreSQL database management system
 postgresql-plperl-8.3 - PL/Perl procedural language for PostgreSQL 8.3
 postgresql-plpython-8.3 - PL/Python procedural language for PostgreSQL 8.3
 postgresql-pltcl-8.3 - PL/Tcl procedural language for PostgreSQL 8.3
 postgresql-server-dev-8.3 - development files for PostgreSQL 8.3 server-side programming
Changes: 
 postgresql-8.3 (8.3.20-0ubuntu8.04) hardy-security; urgency=low
 .
   * New upstream bug fix/security release:
    - Prevent access to external files/URLs via XML entity references
      (Noah Misch, Tom Lane)
      xml_parse() would attempt to fetch external files or URLs as needed
      to resolve DTD and entity references in an XML value, thus allowing
      unprivileged database users to attempt to fetch data with the
      privileges of the database server. While the external data wouldn't
      get returned directly to the user, portions of it could be exposed
      in error messages if the data didn't parse as valid XML; and in any
      case the mere ability to check existence of a file might be useful
      to an attacker. (CVE-2012-3489)
    - Prevent access to external files/URLs via "contrib/xml2"'s
      xslt_process() (Peter Eisentraut)
      libxslt offers the ability to read and write both files and URLs
      through stylesheet commands, thus allowing unprivileged database
      users to both read and write data with the privileges of the
      database server. Disable that through proper use of libxslt's
      security options. (CVE-2012-3488)
      Also, remove xslt_process()'s ability to fetch documents and
      stylesheets from external files/URLs. While this was a documented
      "feature", it was long regarded as a bad idea. The fix for
      CVE-2012-3489 broke that capability, and rather than expend effort
      on trying to fix it, we're just going to summarily remove it.
    - Prevent too-early recycling of btree index pages (Noah Misch)
      When we allowed read-only transactions to skip assigning XIDs, we
      introduced the possibility that a deleted btree page could be
      recycled while a read-only transaction was still in flight to it.
      This would result in incorrect index search results. The
      probability of such an error occurring in the field seems very low
      because of the timing requirements, but nonetheless it should be
      fixed.
    - Fix crash-safety bug with newly-created-or-reset sequences (Tom
      Lane)
      If "ALTER SEQUENCE" was executed on a freshly created or reset
      sequence, and then precisely one nextval() call was made on it, and
      then the server crashed, WAL replay would restore the sequence to a
      state in which it appeared that no nextval() had been done, thus
      allowing the first sequence value to be returned again by the next
      nextval() call. In particular this could manifest for serial
      columns, since creation of a serial column's sequence includes an
      "ALTER SEQUENCE OWNED BY" step.
    - Ensure the "backup_label" file is fsync'd after pg_start_backup()
      (Dave Kerr)
    - Back-patch 9.1 improvement to compress the fsync request queue
      (Robert Haas)
      This improves performance during checkpoints. The 9.1 change has
      now seen enough field testing to seem safe to back-patch.
    - Only allow autovacuum to be auto-canceled by a directly blocked
      process (Tom Lane)
      The original coding could allow inconsistent behavior in some
      cases; in particular, an autovacuum could get canceled after less
      than deadlock_timeout grace period.
    - Improve logging of autovacuum cancels (Robert Haas)
    - Fix log collector so that log_truncate_on_rotation works during the
      very first log rotation after server start (Tom Lane)
    - Ensure that a whole-row reference to a subquery doesn't include any
      extra GROUP BY or ORDER BY columns (Tom Lane)
    - Disallow copying whole-row references in CHECK constraints and
      index definitions during "CREATE TABLE" (Tom Lane)
      This situation can arise in "CREATE TABLE" with LIKE or INHERITS.
      The copied whole-row variable was incorrectly labeled with the row
      type of the original table not the new one. Rejecting the case
      seems reasonable for LIKE, since the row types might well diverge
      later. For INHERITS we should ideally allow it, with an implicit
      coercion to the parent table's row type; but that will require more
      work than seems safe to back-patch.
    - Fix memory leak in ARRAY(SELECT ...) subqueries (Heikki
      Linnakangas, Tom Lane)
    - Fix extraction of common prefixes from regular expressions (Tom
      Lane)
      The code could get confused by quantified parenthesized
      subexpressions, such as ^(foo)?bar. This would lead to incorrect
      index optimization of searches for such patterns.
    - Report errors properly in "contrib/xml2"'s xslt_process() (Tom
      Lane)
    - Update time zone data files to tzdata release 2012e for DST law
      changes in Morocco and Tokelau
Files: 
 cd94cd6ee6b9ebfa01b890f3dc3ed534 2696120 raw-translations - postgresql-8.3_8.3.20-0ubuntu8.04_sparc_translations.tar.gz
 637ad223df9e68679f7946fff0323dbe 180504 libdevel optional libpq-dev_8.3.20-0ubuntu8.04_sparc.deb
 8170e2a288ef053bcd374c1950a0554d 358794 libs optional libpq5_8.3.20-0ubuntu8.04_sparc.deb
 c430877cf324d52fd6206cfca94963be 29666 libs optional libecpg6_8.3.20-0ubuntu8.04_sparc.deb
 818f538310b3b00530b4c5217cfa4763 204222 libdevel optional libecpg-dev_8.3.20-0ubuntu8.04_sparc.deb
 f8ce532bf914c21f9234ec86609cd623 9842 libs optional libecpg-compat3_8.3.20-0ubuntu8.04_sparc.deb
 ace5c4c40a4119afb81127d58b2d8ffa 327082 libs optional libpgtypes3_8.3.20-0ubuntu8.04_sparc.deb
 1cab69ec297f12d0ee05e806799b4bde 3864290 misc optional postgresql-8.3_8.3.20-0ubuntu8.04_sparc.deb
 65393b5b47c20c58ccd76fdc7ca5e777 704964 misc optional postgresql-client-8.3_8.3.20-0ubuntu8.04_sparc.deb
 b35a704ddb8f7678eb07c2f19b79b821 870444 libdevel optional postgresql-server-dev-8.3_8.3.20-0ubuntu8.04_sparc.deb
 9297b5ed9f200483bfebea8c5437755b 327408 misc optional postgresql-contrib-8.3_8.3.20-0ubuntu8.04_sparc.deb
 24269afc4289ca610d2344b9b47a0637 328928 misc optional postgresql-plperl-8.3_8.3.20-0ubuntu8.04_sparc.deb
 bad9d22f0c617c6ff651f7a312c6363b 319984 misc optional postgresql-plpython-8.3_8.3.20-0ubuntu8.04_sparc.deb
 c4d58df697a6deb41a0f8ac47926a02b 319462 misc optional postgresql-pltcl-8.3_8.3.20-0ubuntu8.04_sparc.deb
Original-Maintainer: Martin Pitt <mpitt@debian.org>