Security updates 9.0.3, 8.4.7, 8.3.14 and 8.2.20 released

From: Dave Page <dpage(at)postgresql(dot)org>
To: pgsql-announce <pgsql-announce(at)postgresql(dot)org>
Subject: Security updates 9.0.3, 8.4.7, 8.3.14 and 8.2.20 released
Date: 2011-02-01 09:54:54
Message-ID: AANLkTikXCGzggORYFGCh9sM_8GPddqopwjgL9qMV_4F2@mail.gmail.com
Lists: pgsql-announce

The PostgreSQL Global Development Group today released security
updates for all active branches of the PostgreSQL object-relational
database system, including versions 9.0.3, 8.4.7, 8.3.14 and 8.2.20.

This update includes a security fix which prevents a buffer overrun in
the contrib module intarray's input function for the query_int type.
This bug is a security risk since the function's return address could
be overwritten by malicious code.

All supported versions of PostgreSQL are impacted. However, the
affected contrib module is optional. Only users who have installed the
intarray module in their database are affected. See the CVE Advisory
at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4015
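Because the affected component is the optional intarray contrib module, the practical question for an administrator is whether a given cluster is exposed at all. The following queries are an added example, not part of the original announcement; they assume you connect with psql (or any client) and run them in each database of the cluster, since in these releases contrib modules are installed per database by script rather than cluster-wide. The first query compares the server version against the fixed releases named above; the second looks for the query_int type and resolves its input function through the system catalogs instead of hard-coding a function name.

```sql
-- Added example (not from the original announcement). Run in EACH database.

-- 1. Is this server already at or above a fixed release?
--    Fixed versions from the announcement: 9.0.3, 8.4.7, 8.3.14, 8.2.20.
--    server_version_num encodes 9.0.3 as 90003, 8.4.7 as 80407, and so on.
SELECT version() AS server,
       current_setting('server_version_num')::int AS version_num,
       CASE
         WHEN current_setting('server_version_num')::int >= 90003 THEN 'fixed'
         WHEN current_setting('server_version_num')::int BETWEEN 90000 AND 90002 THEN 'VULNERABLE: upgrade to 9.0.3'
         WHEN current_setting('server_version_num')::int >= 80407 THEN 'fixed'
         WHEN current_setting('server_version_num')::int BETWEEN 80400 AND 80406 THEN 'VULNERABLE: upgrade to 8.4.7'
         WHEN current_setting('server_version_num')::int >= 80314 THEN 'fixed'
         WHEN current_setting('server_version_num')::int BETWEEN 80300 AND 80313 THEN 'VULNERABLE: upgrade to 8.3.14'
         WHEN current_setting('server_version_num')::int >= 80220 THEN 'fixed'
         WHEN current_setting('server_version_num')::int BETWEEN 80200 AND 80219 THEN 'VULNERABLE: upgrade to 8.2.20'
         ELSE 'branch not covered by this advisory'
       END AS status;

-- 2. Is the intarray query_int type present in this database?
--    Any row returned means the type's input function (the one the
--    advisory describes) is reachable by anyone who can send a literal
--    of that type to this database.
SELECT n.nspname AS schema_name,
       t.typname AS type_name,
       p.proname AS input_function
FROM   pg_catalog.pg_type      t
JOIN   pg_catalog.pg_namespace n ON n.oid = t.typnamespace
JOIN   pg_catalog.pg_proc      p ON p.oid = t.typinput
WHERE  t.typname = 'query_int';
```

If the second query returns no rows in any database, the module is not installed and this particular issue does not apply to the cluster; the minor release is still worth applying for the other fixes listed below. If it does return rows on a server the first query reports as vulnerable, treat the update as urgent for that cluster.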

This release includes 63 bugfixes, including:

- Avoid unexpected conversion overflow in planner for distant date values
- Fix assignment to an array slice that is before the existing range
of subscripts
- Fix pg_restore to do the right thing when escaping large objects
- Avoid failures when EXPLAIN tries to display a simple-form CASE expression
- Improved build support for Windows version
- Fix bug in contrib/seg's GiST picksplit algorithm which caused
performance degradation

The 9.0.3 update also contains several fixes for issues with features
introduced or changed in version 9.0:

- Ensure all the received WAL is fsync'd to disk before exiting walreceiver
- Improve performance of walreceiver by avoiding excess fsync activity
- Make ALTER TABLE revalidate uniqueness and exclusion constraints when needed
- Fix EvalPlanQual for UPDATE of an inheritance tree when the tables
are not all alike

Overall, these releases include 33 patches to 9.0, 20 patches to 8.4,
20 patches to 8.3, and 18 patches to 8.2.

See the release notes for each version at
http://www.postgresql.org/docs/current/static/release.html for a full
list of changes with details.

As with other minor releases, users are not required to dump and
reload their database in order to apply this update release; you may
simply shut down PostgreSQL and update its binaries. Users skipping
more than one update may need to check the release notes for extra,
post-update steps.

Download new versions now:

- Main download page: http://www.postgresql.org/download/
- Source code: http://www.postgresql.org/ftp/source/
- Binary packages: http://www.postgresql.org/ftp/binary/
- One-click installer, including Windows packages:
http://www.enterprisedb.com/products-services-training/pgdownload

--
Dave Page
PostgreSQL Core Team
http://www.postgresql.org/
