Security Update 2012-06-04 released

From: Selena Deckelmann <selena(at)postgresql(dot)org>
To: pgsql-announce(at)postgresql(dot)org
Subject: Security Update 2012-06-04 released
Date: 2012-06-04 15:36:34
Message-ID: CAN1EF+zrDxHvJ5ihWk9T6X0rMyD0vXw3evrWD6Q0sn5Dh76u+w@mail.gmail.com
Lists: pgsql-announce

The PostgreSQL Global Development Group today released security
updates for all active branches of the PostgreSQL database system,
including versions 9.1.4, 9.0.8, 8.4.12 and 8.3.19.

Users of the crypt(text, text) function with DES encryption in the
optional pgcrypto module should upgrade their installations
immediately. All other database administrators are urged to upgrade
their installations at the next scheduled downtime. More details on
the security fixes are included below.

This release contains 42 fixes to version 9.1, and a smaller number of
fixes to older versions, including:

* Fix citext upgrade script for collations of citext arrays and
domains over citext
* Fixes for timezone handling
* Fix text or char to name casts to perform string truncation
correctly in multibyte encodings
* Fix memory copying bug in to_tsquery()
* Ensure txid_current() reports the correct epoch when executed in hot standby
* Fix planner’s handling of sub-SELECTS referencing variables coming
from the nullable side of an outer join of the surrounding query
* Fix planning of UNION ALL subqueries with output columns that are
not simple variables
* Fix slow session startup when pg_attribute is very large
* Ensure sequential scans check for query cancel reasonably often
* Show whole-row variables safely when printing views or rules
* Fix COPY FROM to properly handle null marker strings that correspond
to invalid encoding
* Fix EXPLAIN VERBOSE for writable CTEs containing RETURNING clauses
* Fix PREPARE TRANSACTION to work correctly in the presence of advisory locks
* Fix bugs with temporary or transient tables used in extension scripts
* Ensure autovacuum worker processes perform stack depth checking properly
* Fix logging collector to not lose log coherency under high load
* Fix logging collector to ensure it will restart file rotation after
receiving SIGHUP
* Fix WAL replay logic for GIN indexes to not fail if the index was
subsequently dropped
* Avoid synchronous replication delay when committing a transaction
that only modified temporary tables

As with other minor releases, users are not required to dump and
reload their database or use pg_upgrade in order to apply this update
release; you may simply shut down PostgreSQL and update its binaries.
Perform post-update steps after the database is restarted. If you use
the citext data type, and you upgraded from a previous major release
by running pg_upgrade, please see the release notes for 9.1.4 for
important post-upgrade steps.

This update includes two security fixes for the following issues:

* CVE-2012-2143: Fix incorrect password transformation in
contrib/pgcrypto’s DES crypt() function
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143

This vulnerability affects PostgreSQL users who use the crypt(text,
text) function (in the optional pgcrypto module) with DES encryption
and non-ASCII passwords.  Passwords affected are those that contain
the byte value 0x80.  Characters after such a byte were ignored,
making the effective password shorter and easier to crack than it
should be.  Because the fixed function now consumes the full password,
hashes stored for such passwords will no longer verify after the
upgrade; those passwords will need to be regenerated.
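The following is an added illustration of the truncation described above; it is not pgcrypto's source and not part of the original announcement. The loop shape is an assumption modelled on the classic BSD DES crypt key setup: each of the first eight password bytes is shifted left by one before it enters DES key setup, and the pre-fix loop tested the shifted, truncated byte for zero to decide whether to advance through the password. Since 0x80 << 1 is 0x100, which stores as 0x00 in an 8-bit value, a 0x80 byte looked like the string terminator. The sample passwords are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Traditional DES crypt() uses only the first 8 password bytes; each is
 * shifted left by one so its low 7 bits land where DES key setup expects. */
#define DES_KEY_BYTES 8

/* Pre-fix loop shape (an assumption modelled on the classic BSD code, not a
 * quote of pgcrypto): the termination test is applied to the shifted and
 * truncated byte. 0x80 << 1 == 0x100, which is 0x00 once stored in a
 * uint8_t, so a 0x80 byte is indistinguishable from the NUL terminator and
 * the key pointer never advances past it; the rest of keybuf fills with 0. */
static void des_keybuf_buggy(const char *key, uint8_t keybuf[DES_KEY_BYTES])
{
    uint8_t *q = keybuf;
    while (q - keybuf - DES_KEY_BYTES) {
        if ((*q++ = (uint8_t)((unsigned char)*key << 1)) != 0)
            key++;
    }
}

/* Fixed loop shape: test the raw password byte for NUL and store the
 * shifted value separately. A 0x80 byte itself still contributes nothing
 * (its only set bit is the parity position DES discards), but the bytes
 * after it now reach the key. */
static void des_keybuf_fixed(const char *key, uint8_t keybuf[DES_KEY_BYTES])
{
    uint8_t *q = keybuf;
    while (q - keybuf < DES_KEY_BYTES) {
        *q++ = (uint8_t)((unsigned char)*key << 1);
        if (*key != '\0')
            key++;
    }
}

/* Return 1 if the two passwords yield identical DES key material under the
 * chosen loop, i.e. crypt() could not tell them apart. */
int keys_collide(const char *a, const char *b, int use_buggy)
{
    uint8_t ka[DES_KEY_BYTES], kb[DES_KEY_BYTES];
    if (use_buggy) {
        des_keybuf_buggy(a, ka);
        des_keybuf_buggy(b, kb);
    } else {
        des_keybuf_fixed(a, ka);
        des_keybuf_fixed(b, kb);
    }
    return memcmp(ka, kb, DES_KEY_BYTES) == 0;
}

int main(void)
{
    /* Constructed sample: "ab", then byte 0x80, then "cd". The literal is
     * split so that "cd" is not swallowed into the \x hex escape. */
    const char *full = "ab\x80" "cd";
    const char *prefix = "ab";

    printf("buggy loop: \"ab<80>cd\" same key as \"ab\"? %s\n",
           keys_collide(full, prefix, 1) ? "yes" : "no");
    printf("fixed loop: \"ab<80>cd\" same key as \"ab\"? %s\n",
           keys_collide(full, prefix, 0) ? "yes" : "no");
    return 0;
}
```

Note that only the exact byte 0x80 triggers the truncation: 0x81 shifts to 0x02, which is non-zero, so it is treated as 0x01 and the loop continues, which is the ordinary 7-bit DES behaviour rather than this bug.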

* CVE-2012-2655: Ignore SECURITY DEFINER and SET attributes for a
procedural language’s call handler
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2655

Applying such attributes to a call handler could crash the server.

All supported versions of PostgreSQL are affected. See the release
notes for each version for a full list of changes with details of the
fixes and steps.

Download new versions now at the main download page:
http://www.postgresql.org/download/
