PostgreSQL Security Update for v7.4 thru v8.4

2010-05-17 Security Update

The PostgreSQL Project today released minor versions updating all active
branches of the PostgreSQL object-relational database system, including
versions 8.4.4, 8.3.11, 8.2.17, 8.1.21, 8.0.25, and 7.4.29. This release
fixes moderate-risk security issues with PL/perl and PL/tcl, as well as a
data corruption issue with standby databases. Users of any of these three
features should update their PostgreSQL installations immediately.

The PL/perl security fix closes a security hole in PL/perl procedures
which could allow privilege escalation on the host system, caused by a
flaw in Safe.pm; see CVE-2010-1169 and CVE-2010-1447 for details. A
second patch prevents PL/tcl's pltcl_modules table from being subverted in
order to run arbitrary Tcl scripts; see CVE-2010-1170. These issues only
affect users who have enabled either of these two stored procedure
languages.

Also corrected is use of the command ALTER TABLE SET TABLESPACE, which
previously could cause data corruption on Warm Standby database slaves.
This issue affects only version 8.4.

The issues patched in this update release affect version 9.0 Beta 1 as
well, and will be corrected in an upcoming 9.0 Beta 2 release.

There are also 21 other bug fixes in this release, some of which apply
only to version 8.4, and a few of which are specifically for Windows.
While these are generally fixes for minor issues, among the changes are:

* Fix for a combinational crash condition
* Prevent normal users from resetting some GUCs in
their own role definitions
* Correctly apply constraint exclusion in UPDATE and DELETE queries
* Minor fixes for WAL archiving
* Update timezone data for 12 zones

See the release notes for a full list of changes with details.

As with other minor releases, users are not required to dump and reload
their database in order to apply this update release; you may simply shut
down PostgreSQL and update its binaries. Users skipping more than one
update may need to check the release notes for extra, post-update steps.

* Release Notes
http://www.postgresql.org/docs/current/static/release.html
* Installation Packages
http://www.postgresql.org/ftp/binary/
* Source Code
http://www.postgresql.org/ftp/source/
* Windows and One-click Installer
http://www.enterprisedb.com/products/pgdownload.do
* Details of Security Issues
http://www.postgresql.org/support/security

The PostgreSQL Global Development Group will stop releasing updates for
PostgreSQL versions 7.4 and 8.0 after June of 2010. We urge users of those
versions to start planning to upgrade now.