PostgreSQL 2010-05-17 Security Update Releases

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-announce(at)postgresql(dot)org
Subject: PostgreSQL 2010-05-17 Security Update Releases
Date: 2010-05-17 16:35:44
Message-ID: 20430.1274114144@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-announce

The PostgreSQL Project today released minor versions updating all active
branches of the PostgreSQL object-relational database system, including
versions 8.4.4, 8.3.11, 8.2.17, 8.1.21, 8.0.25, and 7.4.29. This release
fixes moderate-risk security issues with PL/perl and PL/tcl, as well as
a data corruption issue with standby databases. Users of any of these
three features should update their PostgreSQL installations immediately.

The PL/perl security fix closes a security hole in PL/perl
procedures which could allow privilege escalation on the host system,
caused by a flaw in Safe.pm; see CVE-2010-1169 and CVE-2010-1447 for
details. A second patch prevents PL/tcl's pltcl_modules table from
being subverted in order to run arbitrary Tcl scripts; see
CVE-2010-1170. These issues only affect users who have enabled either
of these two stored procedure languages.

Also corrected is use of the command ALTER TABLE SET TABLESPACE, which
previously could cause data corruption on Warm Standby database slaves.
This issue affects only version 8.4.

The issues patched in this update release affect version 9.0 Beta 1 as
well, and will be corrected in an upcoming 9.0 Beta 2 release.

There are also 21 other bug fixes in this release, some of which apply
only to version 8.4, and a few of which are specifically for Windows.
While these are generally fixes for minor issues, among the changes are:

* Fix for a combinational crash condition
* Prevent normal users from resetting some GUCs in
their own role definitions
* Correctly apply constraint exclusion in UPDATE and DELETE queries
* Minor fixes for WAL archiving
* Update timezone data for 12 zones

See the release notes for a full list of changes with details.

As with other minor releases, users are not required to dump and reload
their database in order to apply this update release; you may simply
shut down PostgreSQL and update its binaries. Users skipping more than
one update may need to check the release notes for extra, post-update steps.

* Release Notes
http://www.postgresql.org/docs/current/static/release.html
* Installation Packages
http://www.postgresql.org/ftp/binary/
* Source Code
http://www.postgresql.org/ftp/source/
* Windows and One-click Installer
http://www.enterprisedb.com/products/pgdownload.do
* Details of Security Issues
http://www.postgresql.org/support/security

The PostgreSQL Global Development Group will stop releasing updates for
PostgreSQL versions 7.4 and 8.0 after June of 2010. We urge users of
those versions to start planning to upgrade now.

regards, tom lane

Browse pgsql-announce by date

  From Date Subject
Next Message Marc G. Fournier 2010-05-17 16:53:30 PostgreSQL Security Update for v7.4 thru v8.4
Previous Message David Fetter 2010-05-17 04:47:15 == PostgreSQL Weekly News - May 16 2010 ==