Users of the crypt(text, text) function with DES encryption in the optional pgcrypto module should upgrade their installations immediately. All other database administrators are urged to upgrade their PostgreSQL installations at the next scheduled downtime. More details on the security fixes are included below.
This release contains 42 fixes to version 9.1, and a smaller number of fixes to older versions, including:

- citext upgrade script for collations of citext arrays and domains over
- name casts to perform string truncation correctly in multibyte encodings
- txid_current() reports the correct epoch when executed in hot standby
- SELECTs referencing variables coming from the nullable side of an outer join of the surrounding query
- UNION ALL subqueries with output columns that are not simple variables
- pg_attribute is very large
- COPY FROM to properly handle null marker strings that correspond to invalid encoding
- EXPLAIN VERBOSE for writable CTEs containing
- PREPARE TRANSACTION to work correctly in the presence of advisory locks
As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; they may simply shut down PostgreSQL and update its binaries. Perform post-update steps after the database is restarted. If you use the citext data type, and you upgraded from a previous major release by running pg_upgrade, please see the release notes for 9.1.4 for important post-upgrade steps.
This update includes two security fixes for the following issues:

- crypt(text, text) with DES encryption and non-ASCII passwords: This vulnerability affects PostgreSQL users who use the crypt(text, text) function (in the optional pgcrypto module) with DES encryption and non-ASCII passwords. Passwords affected are those that contain the byte value 0x80. Characters after such a byte were ignored, making the effective password shorter and easier to crack than it should be. After the upgrade, any passwords containing such bytes will need to be regenerated, because the corrected function no longer produces the hashes that were stored for them.

- SET attributes for a procedural language's call handler: Applying such attributes to a call handler could crash the server.
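The DES crypt() truncation described above, as an added example (not part of the announcement or of pgcrypto itself): a check an administrator can run to confirm the server is patched, a way to find hashes still stored in the traditional DES format, and the rehash step. It assumes pgcrypto is installed in a UTF-8 database and a hypothetical accounts(login text, pw_hash text) table.

```sql
-- Added example, not from the release announcement. Assumes pgcrypto is
-- installed (CREATE EXTENSION pgcrypto) in a UTF-8 database and a
-- hypothetical table accounts(login text, pw_hash text).

-- 1. Patch check. chr(192) is U+00C0, stored in UTF-8 as the bytes C3 80, so
--    both passwords below contain the byte 0x80 and differ only after it.
--    On an unpatched server everything after that byte is ignored, so the
--    two DES hashes compare equal; on a patched server they differ.
--    ('xx' is a fixed two-character DES salt, used only for this test.)
SELECT crypt('a' || chr(192) || 'b', 'xx') = crypt('a' || chr(192), 'xx')
       AS des_crypt_still_truncates;

-- 2. Inventory. A traditional DES crypt() hash is exactly 13 characters from
--    the set [./0-9A-Za-z] (bcrypt and MD5 hashes start with '$', extended
--    DES with '_'), so this lists the accounts whose stored hash could be
--    affected by the bug and that should be moved off DES anyway.
SELECT login
  FROM accounts
 WHERE pw_hash ~ '^[./0-9A-Za-z]{13}$';

-- 3. How a stored hash is verified: crypt() is re-run with the stored hash as
--    the salt and the result compared with it. For an affected password the
--    stored hash was computed from the truncated input, so after the upgrade
--    this comparison fails and the password has to be set again.
SELECT pw_hash = crypt('candidate password', pw_hash) AS password_ok
  FROM accounts
 WHERE login = 'alice';

-- 4. Regeneration when the user next sets a password (the only point at
--    which the plaintext is available). gen_salt('bf') selects pgcrypto's
--    bcrypt scheme instead of DES, which also only uses the first 8 bytes.
UPDATE accounts
   SET pw_hash = crypt('new plaintext supplied by the user', gen_salt('bf'))
 WHERE login = 'alice';
```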
All supported versions of PostgreSQL are affected. See the release notes for each version for a full list of changes with details of the fixes and steps.
Download new versions now at the main download page.