Release date: 2008-01-07
This release contains a variety of fixes from 8.0.14, including fixes for significant security issues. For information about new features in the 8.0 major release, see Section E.280.
This is the last 8.0.X release for which the PostgreSQL community will produce binary packages for Windows. Windows users are encouraged to move to 8.2.X or later, since there are Windows-specific fixes in 8.2.X that are impractical to back-port. 8.0.X will continue to be supported on other platforms.
A dump/restore is not required for those running 8.0.X. However, if you are upgrading from a version earlier than 8.0.6, see Section E.274.
Prevent functions in indexes from executing with the
privileges of the user running
ANALYZE, etc (Tom)
Functions used in index expressions and partial-index
predicates are evaluated whenever a new table entry is
made. It has long been understood that this poses a risk
of trojan-horse code execution if one modifies a table
owned by an untrustworthy user. (Note that triggers,
defaults, check constraints, etc. pose the same type of
risk.) But functions in indexes pose extra danger because
they will be executed by routine maintenance operations
VACUUM FULL, which
are commonly performed automatically under a superuser
account. For example, a nefarious user can execute code
with superuser privileges by setting up a trojan-horse
index definition and waiting for the next routine vacuum.
The fix arranges for standard maintenance operations
CLUSTER) to execute as the table owner
rather than the calling user, using the same
privilege-switching mechanism already used for
SECURITY DEFINER functions.
To prevent bypassing this security measure, execution of
SET SESSION AUTHORIZATION
SET ROLE is now
forbidden within a
DEFINER context. (CVE-2007-6600)
Repair assorted bugs in the regular-expression package (Tom, Will Drewry)
Suitably crafted regular-expression patterns could cause crashes, infinite or near-infinite looping, and/or massive memory consumption, all of which pose denial-of-service hazards for applications that accept regex search patterns from untrustworthy sources. (CVE-2007-4769, CVE-2007-4772, CVE-2007-6067)
Require non-superusers who use
/contrib/dblink to use only password
authentication, as a security measure (Joe)
The fix that appeared for this in 8.0.14 was
incomplete, as it plugged the hole for only some
Update time zone data files to tzdata release 2007k (in particular, recent Argentina changes) (Tom)
Fix planner failure in some cases of
WHERE false AND var IN (SELECT ...)
Preserve the tablespace of indexes that are rebuilt by
ALTER TABLE ... ALTER COLUMN
Make archive recovery always start a new WAL timeline, rather than only when a recovery stop time was used (Simon)
This avoids a corner-case risk of trying to overwrite an existing archived copy of the last WAL segment, and seems simpler and cleaner than the original definition.
VACUUM not use all
the table is too small for it to be useful (Alvaro)
Fix potential crash in
translate() when using a multibyte
database encoding (Tom)
Fix PL/Perl to cope when platform's Perl defines type
int rather than
While this could theoretically happen anywhere, no standard build of Perl did things this way ... until macOS 10.5.
Fix PL/Python to not crash on long exception messages (Alvaro)
Fix pg_dump to correctly handle inheritance child tables that have default expressions different from their parent's (Tom)
ecpg parser fixes (Michael)
crosstab() handle NULL
rowid as a category in its own right, rather than
tsquery output routines to
escape backslashes correctly (Teodor, Bruce)
Fix crash of
to_tsvector() on huge input strings
Require a specific version of Autoconf to be used when
This affects developers and packagers only. The change was made to prevent accidental use of untested combinations of Autoconf and PostgreSQL versions. You can remove the version check if you really want to use a different Autoconf version, but it's your responsibility whether the result works or not.
If you see anything in the documentation that is not correct, does not match your experience with the particular feature or requires further clarification, please use this form to report a documentation issue.