From: | "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org> |
---|---|
To: | pgsql-announce(at)postgresql(dot)org |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | SECURITY RELEASES: 7.2.8 - 7.3.10 - 7.4.8 - 8.0.3 |
Date: | 2005-05-10 19:51:09 |
Message-ID: | 20050510162911.G6493@ganymede.hub.org |
Lists: | pgsql-announce pgsql-general |
In order to address several security issues identified over the past two
weeks, as well as one "low probability" race condition, we are releasing
new versions of PostgreSQL as far back as the 7.2.x branch.
Please note that the security issues were those already reported by Tom
Lane, as well as a manual fix for them. These releases are mainly to
ensure that those installing and/or upgrading existing installations have
those fixes automatically.
For details on the fixes, please see the HISTORY file included in the
Release, but a summary consists of:
* Change encoding function signature to prevent misuse
* Change "contrib/tsearch2" to avoid unsafe use of INTERNAL function
  results
* Repair race condition between relation extension and VACUUM
  This could theoretically have caused loss of a page's worth of
  freshly-inserted data, although the scenario seems of very low
  probability. There are no known cases of it having caused more than
  an Assert failure.
Downloads are available via:
http://www.postgresql.org/download
Please report any bugs to:
pgsql-bugs(at)postgresql(dot)org
----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: scrappy(at)hub(dot)org Yahoo!: yscrappy ICQ: 7615664
From: | Neil Conway <neilc(at)samurai(dot)com> |
---|---|
To: | "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org> |
Cc: | pgsql-announce(at)postgresql(dot)org, pgsql-general(at)postgresql(dot)org |
Subject: | Re: [GENERAL] SECURITY RELEASES: 7.2.8 - 7.3.10 - 7.4.8 - 8.0.3 |
Date: | 2005-05-11 00:39:56 |
Message-ID: | 4281545C.7050603@samurai.com |
Marc G. Fournier wrote:
> Please note that the security issues were those already reported by Tom
> Lane, as well as a manual fix for them. These releases are mainly to
> ensure that those installing and/or upgrading existing installations
> have those fixes automatically.
Note that if you're upgrading within a release series (e.g. 8.0.x to
8.0.3) without a dump and reload, you will _not_ get the necessary
system catalog changes automatically. Tom's earlier mail describes the
procedure needed to correct the system catalog:
http://www.postgresql.org/about/news.315
-Neil
From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Neil Conway <neilc(at)samurai(dot)com> |
Cc: | "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>, pgsql-announce(at)postgresql(dot)org, pgsql-general(at)postgresql(dot)org |
Subject: | Re: [GENERAL] SECURITY RELEASES: 7.2.8 - 7.3.10 - 7.4.8 - 8.0.3 |
Date: | 2005-05-11 05:07:13 |
Message-ID: | 346.1115788033@sss.pgh.pa.us |
Neil Conway <neilc(at)samurai(dot)com> writes:
> Note that if you're upgrading within a release series (e.g. 8.0.x to
> 8.0.3) without a dump and reload, you will _not_ get the necessary
> system catalog changes automatically. Tom's earlier mail describes the
> procedure needed to correct the system catalog:
> http://www.postgresql.org/about/news.315
Also, note that that message was the zero-day-security-problem response
to the issue, and that we since figured out cleaner responses. If you
haven't yet implemented this in your own DBs, I would suggest following
the procedures given in the final release notes, eg
http://developer.postgresql.org/docs/postgres/release-7-4-8.html
I expect these notes will shortly show up in the static documentation, eg
http://www.postgresql.org/docs/7.4/static/release.html
but they aren't there yet as I set finger to keyboard.
regards, tom lane
From: | Douglas McNaught <doug(at)mcnaught(dot)org> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Neil Conway <neilc(at)samurai(dot)com>, "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>, pgsql-announce(at)postgresql(dot)org, pgsql-general(at)postgresql(dot)org |
Subject: | Re: SECURITY RELEASES: 7.2.8 - 7.3.10 - 7.4.8 - 8.0.3 |
Date: | 2005-05-11 10:25:34 |
Message-ID: | m2hdha83fl.fsf@Douglas-McNaughts-Powerbook.local |
Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> writes:
> Neil Conway <neilc(at)samurai(dot)com> writes:
>> http://www.postgresql.org/about/news.315
>
> Also, note that that message was the zero-day-security-problem response
> to the issue, and that we since figured out cleaner responses. If you
> haven't yet implemented this in your own DBs, I would suggest following
> the procedures given in the final release notes, eg
> http://developer.postgresql.org/docs/postgres/release-7-4-8.html
If we've already done the zero-day fix, is there any value in re-doing
it the "cleaner" way?
-Doug
From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Douglas McNaught <doug(at)mcnaught(dot)org> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: SECURITY RELEASES: 7.2.8 - 7.3.10 - 7.4.8 - 8.0.3 |
Date: | 2005-05-11 13:23:04 |
Message-ID: | 3165.1115817784@sss.pgh.pa.us |
Douglas McNaught <doug(at)mcnaught(dot)org> writes:
> Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> writes:
>> Also, note that that message was the zero-day-security-problem response
>> to the issue, and that we since figured out cleaner responses. If you
>> haven't yet implemented this in your own DBs, I would suggest following
>> the procedures given in the final release notes, eg
>> http://developer.postgresql.org/docs/postgres/release-7-4-8.html
> If we've already done the zero-day fix, is there any value in re-doing
> it the "cleaner" way?
Only if you care about allowing unprivileged users to create conversions
(which seems a bit useless to me, but it's in the regression tests...)
regards, tom lane
From: | Thomas F(dot)O'Connell <tfo(at)sitening(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Marc G(dot)Fournier <scrappy(at)postgresql(dot)org>, Neil Conway <neilc(at)samurai(dot)com>, PgSQL General <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: SECURITY RELEASES: 7.2.8 - 7.3.10 - 7.4.8 - 8.0.3 |
Date: | 2005-05-11 13:42:31 |
Message-ID: | 53f2abfd4fe16641910472fd1480ad1c@sitening.com |
I've updated my Perl script to accommodate the version of the
procedures in the final release notes:
http://www.sitening.com/postgresql-update-2005-1
-tfo
--
Thomas F. O'Connell
Co-Founder, Information Architect
Sitening, LLC
Strategic Open Source: Open Your i™
http://www.sitening.com/
110 30th Avenue North, Suite 6
Nashville, TN 37203-6320
615-260-0005
On May 11, 2005, at 12:07 AM, Tom Lane wrote:
> Neil Conway <neilc(at)samurai(dot)com> writes:
>> Note that if you're upgrading within a release series (e.g. 8.0.x to
>> 8.0.3) without a dump and reload, you will _not_ get the necessary
>> system catalog changes automatically. Tom's earlier mail describes the
>> procedure needed to correct the system catalog:
>
>> http://www.postgresql.org/about/news.315
>
> Also, note that that message was the zero-day-security-problem response
> to the issue, and that we since figured out cleaner responses. If you
> haven't yet implemented this in your own DBs, I would suggest following
> the procedures given in the final release notes, eg
> http://developer.postgresql.org/docs/postgres/release-7-4-8.html
>
> I expect these notes will shortly show up in the static documentation,
> eg
> http://www.postgresql.org/docs/7.4/static/release.html
> but they aren't there yet as I set finger to keyboard.
>
> regards, tom lane
From: | "Luc ROLLAND" <luc(at)rolland-fr(dot)com> |
---|---|
To: | "Neil Conway" <neilc(at)samurai(dot)com>, "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org> |
Cc: | <pgsql-announce(at)postgresql(dot)org>, <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: [ANNOUNCE] SECURITY RELEASES: 7.2.8 - 7.3.10 - 7.4.8 - 8.0.3 |
Date: | 2005-05-13 08:45:18 |
Message-ID: | 004c01c55798$17889640$0a00a8c0@lrp43208 |
Hello !
I try the update to PG 8.0.3 win32, but the archive is corrupted !?
I obtain the same thing from all the mirrors where I connect...
How can I obtain the new Win32 release ?
Luc
----- Original Message -----
From: "Neil Conway" <neilc(at)samurai(dot)com>
To: "Marc G. Fournier" <scrappy(at)postgresql(dot)org>
Cc: <pgsql-announce(at)postgresql(dot)org>; <pgsql-general(at)postgresql(dot)org>
Sent: Wednesday, May 11, 2005 2:39 AM
Subject: Re: [ANNOUNCE] [GENERAL] SECURITY RELEASES: 7.2.8 - 7.3.10 -
7.4.8 - 8.0.3
> Marc G. Fournier wrote:
>> Please note that the security issues were those already reported by Tom
>> Lane, as well as a manual fix for them. These releases are mainly to
>> ensure that those installing and/or upgrading existing installations have
>> those fixes automatically.
>
> Note that if you're upgrading within a release series (e.g. 8.0.x to
> 8.0.3) without a dump and reload, you will _not_ get the necessary system
> catalog changes automatically. Tom's earlier mail describes the procedure
> needed to correct the system catalog:
>
> http://www.postgresql.org/about/news.315
>
> -Neil
From: | Aly Dharshi <aly(dot)dharshi(at)telus(dot)net> |
---|---|
To: | Luc ROLLAND <luc(at)rolland-fr(dot)com> |
Cc: | Neil Conway <neilc(at)samurai(dot)com>, "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>, pgsql-announce(at)postgresql(dot)org, pgsql-general(at)postgresql(dot)org |
Subject: | Re: [ANNOUNCE] SECURITY RELEASES: 7.2.8 - 7.3.10 - 7.4.8 |
Date: | 2005-05-13 16:49:00 |
Message-ID: | 4284DA7C.7040603@telus.net |
Yes I had that same experience last evening, I was going to write about that
today. But I second your thoughts !
Luc ROLLAND wrote:
> Hello !
>
> I try the update to PG 8.0.3 win32, but the archive is corrupted !?
> I obtain the same thing from all the mirrors where I connect...
>
> How can I obtain the new Win32 release ?
>
> Luc
>
> ----- Original Message -----
> From: "Neil Conway" <neilc(at)samurai(dot)com>
> To: "Marc G. Fournier" <scrappy(at)postgresql(dot)org>
> Cc: <pgsql-announce(at)postgresql(dot)org>; <pgsql-general(at)postgresql(dot)org>
> Sent: Wednesday, May 11, 2005 2:39 AM
> Subject: Re: [ANNOUNCE] [GENERAL] SECURITY RELEASES: 7.2.8 - 7.3.10 -
> 7.4.8 - 8.0.3
>
>
>> Marc G. Fournier wrote:
>>
>>> Please note that the security issues were those already reported by
>>> Tom Lane, as well as a manual fix for them. These releases are
>>> mainly to ensure that those installing and/or upgrading existing
>>> installations have those fixes automatically.
>>
>>
>> Note that if you're upgrading within a release series (e.g. 8.0.x to
>> 8.0.3) without a dump and reload, you will _not_ get the necessary
>> system catalog changes automatically. Tom's earlier mail describes the
>> procedure needed to correct the system catalog:
>>
>> http://www.postgresql.org/about/news.315
>>
>> -Neil
--
Aly Dharshi
aly(dot)dharshi(at)telus(dot)net
"A good speech is like a good dress
that's short enough to be interesting
and long enough to cover the subject"