Thread: SECURITY RELEASES: 7.2.8 - 7.3.10 - 7.4.8 - 8.0.3
In order to address several security issues identified over the past two weeks, as well as one "low probability" race condition, we are releasing new version of PostgreSQL as far back as the 7.2.x branch. Please note that the security issues were those already reported by Tom Lane, as well as a manual fix for them. These releases are mainly to ensure that those installing and/or upgrading existing installations have those fixes automatically. For details on the fixes, please see the HISTORY file included in the Release, but a summary consists of: * Change encoding function signature to prevent misuse * Change "contrib/tsearch2" to avoid unsafe use of INTERNAL function results * Repair race condition between relation extension and VACUUM This could theoretically have caused loss of a page's worth of freshly-inserted data, although the scenario seems of very low probability. There are no known cases of it having caused more than an Assert failure. Downloads are available via: http://www.postgresql.org/download Please report any bugs to: pgsql-bugs@postgresql.org ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email: scrappy@hub.org Yahoo!: yscrappy ICQ: 7615664
Neil Conway <neilc@samurai.com> writes: > Note that if you're upgrading within a release series (e.g. 8.0.x to > 8.0.3) without a dump and reload, you will _not_ get the necessary > system catalog changes automatically. Tom's earlier mail describes the > procedure needed to correct the system catalog: > http://www.postgresql.org/about/news.315 Also, note that that message was the zero-day-security-problem response to the issue, and that we since figured out cleaner responses. If you haven't yet implemented this in your own DBs, I would suggest following the procedures given in the final release notes, eg http://developer.postgresql.org/docs/postgres/release-7-4-8.html I expect these notes will shortly show up in the static documentation, eg http://www.postgresql.org/docs/7.4/static/release.html but they aren't there yet as I set finger to keyboard. regards, tom lane
Marc G. Fournier wrote: > Please note that the security issues were those already reported by Tom > Lane, as well as a manual fix for them. These releases are mainly to > ensure that those installing and/or upgrading existing installations > have those fixes automatically. Note that if you're upgrading within a release series (e.g. 8.0.x to 8.0.3) without a dump and reload, you will _not_ get the necessary system catalog changes automatically. Tom's earlier mail describes the procedure needed to correct the system catalog: http://www.postgresql.org/about/news.315 -Neil