== PostgreSQL Weekly News - May 23 2010 ==

== PostgreSQL Weekly News - May 23 2010 ==

CHAR(10), the PostgreSQL Conference on Clustering, High Availability
and Replication is now open for online registration and bookings.
July 2-3 2010, Oriel College, Oxford University, UK
http://www.char10.org/

== PostgreSQL Product News ==

Cybercluster 2.0 released.
http://www.cybertec.at/en/cybercluster-2-0-synchronous-postgresql-replication

Muldi-D 0.129.1, a specification for an object-relational language
intended to run atop, among other systems, PostgreSQL, released.
http://archives.postgresql.org/pgsql-announce/2010-05/msg00020.php

MyJSQLView 3.17, a GUI tool that can be used with PostgreSQL, released.
http://dandymadeproductions.com/projects/MyJSQLView/index.html

PostgreDAC 2.5.5, a Delphi/C++ builder for PostgreSQL, released.
http://microolap.com/products/connectivity/postgresdac/download/

psycopg2 2.2.1, a Python connector for PostgreSQL, released.
http://initd.org/psycopg/

Devrim GUNDUZ has posted RPMs for the 8.4.4, 8.3.11, 8.2.17, 8.1.21,
8.0.25, and 7.4.29 security updates.
http://yum.pgrpms.org

2ndQuadrant France is now open for business.
http://www.2ndQuadrant.fr/

Security updates 8.4.4, 8.3.11, 8.2.17, 8.1.21, 8.0.25, and 7.4.29 are
out. Update ASAP!
http://www.postgresql.org/docs/current/static/release.html

Checksums for the tar files are at:
http://www.gtsm.com/postgres_sigs.html

Postgres-XC 0.9.1 released.
http://postgres-xc.sourceforge.net/

== PostgreSQL 9.0 Feature of the Week ==

Large objects (lo_*) now have access controls just like other database
objects.

== PostgreSQL Jobs for May ==

http://archives.postgresql.org/pgsql-jobs/2010-05/threads.php

== PostgreSQL Local ==

Registration for Open Source Bridge is open and talks are announced!
June 1-4, 2010 in Portland, Oregon.
http://opensourcebridge.org/events/2010/proposals/

Michael Renner will be speaking at AMOOCON, which goes from June 4-6, 2010.
http://www.amoocon.de/speakers/214

SouthEast LinuxFest 2010 will take place in Spartanburg, SC USA on
June 11-13.  PostgreSQL gurus Joshua Drake and Andrew Dunstan will be
giving some must-see PostgreSQL-related presentations.
http://southeastlinuxfest.org/

Michael Renner will be speaking at Netways OSDC in Nuremberg, Germany,
which will be June 23-24, 2010.
http://www.netways.de/osdc/y2010/programm/

PDXPUG Day will be July 18, 2010 at the Oregon Convention Center in
Portland, OR. For more information, see:
http://wiki.postgresql.org/wiki/PDXPUGDay2010

OSCON will take place in Portland, Oregon July 19-23, 2010.
http://www.oscon.com/oscon2010

== PostgreSQL in the News ==

Planet PostgreSQL: http://planet.postgresql.org/

PostgreSQL Weekly News is brought to you this week by David Fetter
and Devrim GUNDUZ.

Submit news and announcements by Sunday at 3:00pm Pacific time.
Please send English language ones to david(at)fetter(dot)org, German language
to pwn(at)pgug(dot)de, Italian language to pwn(at)itpug(dot)org(dot) Spanish language
to pwn(at)arpug(dot)com(dot)ar(dot)

== Applied Patches ==

Andrew Dunstan committed:

- Abandon the use of Perl's Safe.pm to enforce restrictions in plperl,
as it is fundamentally insecure. Instead apply an opmask to the
whole interpreter that imposes restrictions on unsafe operations.
These restrictions are much harder to subvert than is Safe.pm, since
there is no container to be broken out of. Backported to release
7.4. In releases 7.4, 8.0 and 8.1 this also includes the necessary
backporting of the two interpreters model for plperl and plperlu
adopted in release 8.2. In versions 8.0 and up, the use of Perl's
POSIX module to undo its locale mangling on Windows has become
insecure with these changes, so it is replaced by our own routine,
which is also faster. Nice side effects of the changes include that
it is now possible to use perl's "strict" pragma in a natural way in
plperl, and that perl's $a and $b variables now work as expected in
sort routines, and that function compilation is significantly
faster. Tim Bunce and Andrew Dunstan, with reviews from Alex
Hunsaker and Alexey Klyukin. Security: CVE-2010-1169

- In pgsql/src/tools/msvc/Mkvcbuild.pm, fix MSVC builds for recent
plperl changes. Go back to version 8.2, which is where we started
supporting MSVC builds. Security: CVE-2010-1169.

- In pgsql/src/pl/plperl/plperl.c, follow up a visit from the style
police.

- In pgsql/src/pl/plperl/expected/plperl_init.out, fix regression
tests to match error message change.

Tom Lane committed:

- Prevent PL/Tcl from loading the "unknown" module from pltcl_modules
unless that is a regular table or view owned by a superuser. This
prevents a trojan horse attack whereby any unprivileged SQL user
could create such a table and insert code into it that would then
get executed in other users' sessions whenever they call pltcl
functions. Worse yet, because the code was automatically loaded
into both the "normal" and "safe" interpreters at first use, the
attacker could execute unrestricted Tcl code in the "normal"
interpreter without there being any pltclu functions anywhere, or
indeed anyone else using pltcl at all: installing pltcl is
sufficient to open the hole. Change the initialization logic so
that the "unknown" code is only loaded into an interpreter when the
interpreter is first really used. (That doesn't add any additional
security in this particular context, but it seems a prudent change,
and anyway the former behavior violated the principle of least
astonishment.) Security: CVE-2010-1170

- Update release notes with security issues. Security: CVE-2010-1169,
CVE-2010-1170

- In pgsql/doc/src/sgml/config.sgml, fix index entry for
lo_compat_privileges, per bug #5467 from KOIZUMI Satoru.

- Fix oversight in join removal patch: we have to delete the removed
relation from SpecialJoinInfo relid sets as well. Per example from
Vaclav Novotny.

- In pgsql/contrib/pg_upgrade/check.c, issue_warnings() has no
business freeing its parameter, especially not when its sole caller
does that too. Jan Matousek, via Pavel Stehule

Alvaro Herrera committed:

- In pgsql/doc/src/sgml/ref/show.sgml, make table in example less
wide.

Robert Haas committed:

- In pgsql/doc/src/sgml/ref/notify.sgml, move pg_notify() details to a
subsection within the NOTIFY reference page. This allows the index
to reference the pg_notify() subsection specifically, rather than
Notes section of the NOTIFY reference page more generally. Fujii
Masao

- In pgsql/src/bin/psql/command.c, unbreak \h; can't do strlen(NULL).
This was broken by the following commmit. Although the original
commit was backpatched all the way to 7.4, this particular bug
exists only in the version applied to HEAD.
http://archives.postgresql.org/pgsql-committers/2010-05/msg00058.php

Bruce Momjian committed:

- In pgsql/contrib/pg_upgrade/TESTING, add pg_upgrade TESTING files
explaining a testing method.

- In pgsql/contrib/pg_upgrade/pg_upgrade.c, use a 'datallowconn' check
for avoiding 'template0', rather than hardcoding a 'template0'
check, per suggestion from Alvaro. This might fix a problem where
someone has allowed 'template0' connections, but it is a cleaner
approach even if doesn't fix the bug.

- In pgsql/contrib/pg_upgrade/pg_upgrade.c, for pg_upgrade, update
template0's datfrozenxid and its relfrozenxids to match the behavior
of autovacuum, which does this as the xid advances even if
autovacuum is turned off.

- In pgsql/contrib/pg_upgrade/info.c, simplify pg_upgrade queries by
using IN instead of multiple OR clauses comparing the same column to
multiple values.

- Add command-line documentation for pg_upgrade.

- In pgsql/doc/src/sgml/oid2name.sgml, restore oid2name doc change.

- In pgsql/doc/src/sgml/pgupgrade.sgml, pg_upgrade doc cleanup.
Stefan Kaltenbrunner

- In pgsql/doc/src/sgml/pgupgrade.sgml, doc change: Rename of
directory no longer required for pg_migrator 9.0. Alvaro Herrera

- In pgsql/doc/src/sgml/pgupgrade.sgml, SGML markup cleanup for
pg_upgrade.

- In pgsql/doc/src/sgml/oid2name.sgml, show oid2name command-line
arguments in documentation like we do for non-contrib command-line
tools (no longer in a single table display).

Magnus Hagander committed:

- In pgsql/doc/src/sgml/pgupgrade.sgml, make pg_upgrade documentation
refer to 9.0 instead of 8.4. Fujii Masao.

- In pgsql/doc/src/sgml/config.sgml, refer to pg_ident.conf as config
file for username mapping, as it's now used for other things than
just ident authentication. Noted by Stephen Frost

- In pgsql/src/timezone/pgtz.c, change the "N. Central Asia Standard
Time" timezone to map to Asia/Novosibirsk on Windows. Microsoft
changed the behaviour of this zone in the timezone update from
KB976098. The zones differ in handling of DST, and the old zone was
just removed. Noted by Dmitry Funk.

Michael Meskes committed:

- Ecpg now accepts "long long" datatypes even if "long" is 64bit wide.
This used to cover the equally long "long long" type. This patch
closes bug #5464.

== Rejected Patches (for now) ==

No one was disappointed this week :-)

== Pending Patches ==

Stephen Frost sent in two more revisions of a patch to fix psql's
ability to clean up when quitting the pager, which resulted in queries
continuing to run after the pager exited.

Fujii Masao sent in two revisions of a patch to fix smart shutdown for
Hot Standby.

Fujii Masao sent in a patch to distinguish normal shutdown from
unexpected exit, while the server is in recovery.

Tom Lane sent in a patch to fix a performance issue with
textanycat/anytextcat.

Alvaro Herrera sent in a patch to fix an issue with fillfactor on
TOAST tables.

Florian Pflug sent in two revisions of a patch to fix SERIALIZABLE
transactions.

Kevin Grittner sent in a WIP patch for 9.1 to do true SERIALIZABLE
using predicate locking.

Joel Jacobson sent in another revision of the patch to implement
pg_stat_transaction.

Robert Haas sent in a patch to add a hook called ExecutorCheckPerms(),
per discussion.

Andres Freund sent in a patch which replaces the current CRC32 with a
more efficient version from zlib.

Jeff Davis sent in a patch to change a sanity check in exclusion
constraints.

Jeff Davis sent in a patch for 9.1 to add btree_gist support for the
"<>" operator.