Release date: 2006-05-23
This release contains a variety of fixes from 8.1.3, including patches for extremely serious security issues. For information about new features in the 8.1 major release, see Section E.253.
A dump/restore is not required for those running 8.1.X. However, if you are upgrading from a version earlier than 8.1.2, see Section E.251.
Full security against the SQL-injection attacks described in
CVE-2006-2313 and CVE-2006-2314 might require changes in
application code. If you have applications that embed
untrustworthy strings into SQL commands, you should examine
them as soon as possible to ensure that they are using
recommended escaping techniques. In most cases, applications
should be using subroutines provided by libraries or drivers
(such as libpq's
PQescapeStringConn()) to perform string
escaping, rather than relying on ad hoc
code to do it.
Change the server to reject invalidly-encoded multibyte characters in all cases (Tatsuo, Tom)
While PostgreSQL has been moving in this direction for some time, the checks are now applied uniformly to all encodings and all textual input, and are now always errors not merely warnings. This change defends against SQL-injection attacks of the type described in CVE-2006-2313.
Reject unsafe uses of
in string literals
As a server-side defense against SQL-injection attacks
of the type described in CVE-2006-2314, the server now
'' and not
\' as a representation of
ASCII single quote in SQL string literals. By default,
\' is rejected only when
client_encoding is set to a
client-only encoding (SJIS, BIG5, GBK, GB18030, or UHC),
which is the scenario in which SQL injection is possible.
A new configuration parameter
backslash_quote is available to adjust
this behavior when needed. Note that full security
against CVE-2006-2314 might require client-side changes;
the purpose of
backslash_quote is in part to make it
obvious that insecure clients are insecure.
string-escaping routines to be aware of encoding
This fixes libpq-using applications for the
security issues described in CVE-2006-2313 and
CVE-2006-2314, and also future-proofs them against the
planned changeover to SQL-standard string literal syntax.
Applications that use multiple PostgreSQL connections concurrently
should migrate to
PQescapeByteaConn() to ensure that
escaping is done correctly for the settings in use in
each database connection. Applications that do string
hand” should be modified to rely on library
Fix weak key selection in pgcrypto (Marko Kreen)
Errors in fortuna PRNG reseeding logic could cause a
predictable session key to be selected by
pgp_sym_encrypt() in some cases. This
only affects non-OpenSSL-using builds.
Fix some incorrect encoding conversion functions
mic_to_euc_tw were all broken to
Clean up stray remaining uses of
\' in strings (Bruce, Jan)
Make autovacuum visible in
In certain cases, having
full_page_writes off would cause crash
recovery to fail. A proper fix will appear in 8.2; for
now it's just disabled.
Various planner fixes, particularly for bitmap index scans and MIN/MAX optimization (Tom)
Fix incorrect optimization in merge join (Tom)
Outer joins could sometimes emit multiple copies of unmatched rows.
Fix crash from using and modifying a plpgsql function in the same transaction
Fix WAL replay for case where a B-Tree index has been truncated
SIMILAR TO for
SELECT INTO and
CREATE TABLE AS to create
tables in the default tablespace, not the base directory
Fix server to use custom DH SSL parameters correctly (Michael Fuhr)
Improve qsort performance (Dann Corbit)
Currently this code is only used on Solaris.
Fix for OS/X Bonjour on x86 systems (Ashley Clark)
Fix various minor memory leaks
Fix problem with password prompting on some Win32 systems (Robert Kinberg)
Improve pg_dump's handling of default values for domains
Fix pg_dumpall to handle identically-named users and groups reasonably (only possible when dumping from a pre-8.1 server) (Tom)
The user and group will be merged into a single role
Formerly the merged role wouldn't have
LOGIN permission, making it unusable as
-n to work as documented
If you see anything in the documentation that is not correct, does not match your experience with the particular feature or requires further clarification, please use this form to report a documentation issue.