Thread: SECURITY RELEASES: 7.2.8 - 7.3.10 - 7.4.8 - 8.0.3


SECURITY RELEASES: 7.2.8 - 7.3.10 - 7.4.8 - 8.0.3

From
"Marc G. Fournier"
Date:
In order to address several security issues identified over the past two
weeks, as well as one "low probability" race condition, we are releasing
new versions of PostgreSQL as far back as the 7.2.x branch.

Please note that the security issues were those already reported by Tom
Lane, as well as a manual fix for them.  These releases are mainly to
ensure that those installing and/or upgrading existing installations have
those fixes automatically.

For details on the fixes, please see the HISTORY file included in the
Release, but a summary consists of:

      * Change encoding function signature to prevent misuse
      * Change "contrib/tsearch2" to avoid unsafe use of INTERNAL function
        results
      * Repair race condition between relation extension and VACUUM
        This could theoretically have caused loss of a page's worth of
        freshly-inserted data, although the scenario seems of very low
        probability. There are no known cases of it having caused more than
        an Assert failure.

Downloads are available via:

     http://www.postgresql.org/download

Please report any bugs to:

     pgsql-bugs@postgresql.org

----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email: scrappy@hub.org           Yahoo!: yscrappy              ICQ: 7615664

Re: [GENERAL] SECURITY RELEASES: 7.2.8 - 7.3.10 - 7.4.8 - 8.0.3

From
Tom Lane
Date:
Neil Conway <neilc@samurai.com> writes:
> Note that if you're upgrading within a release series (e.g. 8.0.x to
> 8.0.3) without a dump and reload, you will _not_ get the necessary
> system catalog changes automatically. Tom's earlier mail describes the
> procedure needed to correct the system catalog:

>      http://www.postgresql.org/about/news.315

Also, note that that message was the zero-day-security-problem response
to the issue, and that we since figured out cleaner responses.  If you
haven't yet implemented this in your own DBs, I would suggest following
the procedures given in the final release notes, eg
http://developer.postgresql.org/docs/postgres/release-7-4-8.html

I expect these notes will shortly show up in the static documentation, eg
http://www.postgresql.org/docs/7.4/static/release.html
but they aren't there yet as I set finger to keyboard.

            regards, tom lane

Re: [GENERAL] SECURITY RELEASES: 7.2.8 - 7.3.10 - 7.4.8 - 8.0.3

From
Neil Conway
Date:
Marc G. Fournier wrote:
> Please note that the security issues were those already reported by Tom
> Lane, as well as a manual fix for them.  These releases are mainly to
> ensure that those installing and/or upgrading existing installations
> have those fixes automatically.

Note that if you're upgrading within a release series (e.g. 8.0.x to
8.0.3) without a dump and reload, you will _not_ get the necessary
system catalog changes automatically. Tom's earlier mail describes the
procedure needed to correct the system catalog:

     http://www.postgresql.org/about/news.315

-Neil