== PostgreSQL Weekly News - April 07 2013 ==
From | David Fetter |
---|---|
Subject | == PostgreSQL Weekly News - April 07 2013 == |
Date | |
Msg-id | 20130408070409.GI22216@fetter.org |
List | pgsql-announce |
== PostgreSQL Weekly News - April 07 2013 ==

Security releases 9.2.4, 9.1.9, 9.0.13, and 8.4.17 are out now. Upgrade immediately if not sooner!
http://www.postgresql.org/about/news/1456/
Release FAQ: http://www.postgresql.org/support/security/faq/2013-04-04/

PGConf.EU 2013 will be held on Oct 29-Nov 1 at the Conrad Hotel in downtown Dublin, Ireland.
http://2013.pgconf.eu/

== PostgreSQL Product News ==

psycopg2 2.5, a Python connector for PostgreSQL, released.
http://initd.org/psycopg/articles/2013/04/07/psycopg-25-released/

== PostgreSQL Jobs for April ==

http://archives.postgresql.org/pgsql-jobs/2013-04/threads.php

== PostgreSQL Local ==

PGCon 2013 will be held May 23-24 2013, in Ottawa at the University of Ottawa.
http://www.pgcon.org/2013/

The 6th annual "Prague PostgreSQL Developers Day" conference, organized by CSPUG (Czech and Slovak PostgreSQL Users Group), will be held on May 30, 2013 at the Faculty of Mathematics and Physics, Charles University (Malostranske namesti 25, Prague). The CfP is open until April 14, 2013 <info AT p2d2 DOT cz>. More information in Czech is at http://www.p2d2.cz/

PG Day France is the major French-speaking PostgreSQL community event. It will be held June 13, 2013 in Nantes, France.
http://pgday.fr/

The CfPs for Char(13) and PGday UK, July 11 and 12, 2013, respectively, are out and close April 19, 2013. For Char(13), write speakers AT char13 DOT info; for PGday UK, speakers AT postgresqlusergroup DOT org DOT uk.

PostgreSQL Brazil will be held August 15-17, 2013 in Porto Velho, RO, Brazil.
http://pgbr.postgresql.org.br/2013/chamada.en.php

Save The Date! Postgres Open 2013 will be in Chicago, IL, USA, September 16-18.
Hotel Sax: https://reservations.ihotelier.com/crs/g_reservation.cfm?groupID=888761&hotelID=6865
Early Bird registration: http://postgresopen-eac2.eventbrite.com/

== PostgreSQL in the News ==

Planet PostgreSQL: http://planet.postgresql.org/

PostgreSQL Weekly News is brought to you this week by David Fetter

Submit news and announcements by Sunday at 3:00pm Pacific time. Please send English language ones to david@fetter.org, German language to pwn@pgug.de, Italian language to pwn@itpug.org, Spanish language to pwn@arpug.com.ar.

== Applied Patches ==

Peter Eisentraut pushed:

- Revert "ecpg: Don't link compatlib with libpq". This reverts commit 3780fc679cc428c1f211e1728c4281ca15e9746b. HP-UX didn't like it. There would probably be a way to fix that, but since the net effect of all of this is zero because ecpg ends up using libpq anyway, it's not worth bothering further.
  http://git.postgresql.org/pg/commitdiff/85079078acb4f120335f54f38f93635dd8c8b83d

- doc: Fix number of columns in table
  http://git.postgresql.org/pg/commitdiff/e3f719c3671c293bf9e1a7293c7bd5eb6d9a2611

Tom Lane pushed:

- Make REPLICATION privilege checks test current user not authenticated user. The pg_start_backup() and pg_stop_backup() functions checked the privileges of the initially-authenticated user rather than the current user, which is wrong. For example, a user-defined index function could successfully call these functions when executed by ANALYZE within autovacuum. This could allow an attacker with valid but low-privilege database access to interfere with creation of routine backups. Reported and fixed by Noah Misch. Security: CVE-2013-1901
  http://git.postgresql.org/pg/commitdiff/ce9ab88981495d975aade8fc664f99f68fc18e2b

- Avoid updating our PgBackendStatus entry when track_activities is off. The point of turning off track_activities is to avoid this reporting overhead, but a thinko in commit 4f42b546fd87a80be30c53a0f2c897acb826ad52 caused pgstat_report_activity() to perform half of its updates anyway. Fix that, and also make sure that we clear all the now-disabled fields when transitioning to the non-reporting state.
  http://git.postgresql.org/pg/commitdiff/f7b0006f42913b6d641c9f0bef6fad1f670b9194

- Fix typo in FDW docs. Laurenz Albe
  http://git.postgresql.org/pg/commitdiff/0f1345d38b4d7b35175d4f4be322da0aa6d6aaeb

- Minor robustness improvements for isolationtester. Notice and complain about PQcancel() failures. Also, don't dump core if an error PGresult doesn't contain severity and message subfields, as it might not if it was generated by libpq itself. (We have a longstanding TODO item to improve that, but in the meantime isolationtester had better cope.) I tripped across the latter item while investigating a trouble report on buildfarm member spoonbill. As for the former, there's no evidence that PQcancel failure is actually involved in spoonbill's problem, but it still seems like a bad idea to ignore an error return code.
  http://git.postgresql.org/pg/commitdiff/845d335a90b684dd51e80a6470ebb923a59a1f91

- Update release notes for 9.2.4, 9.1.9, 9.0.13, 8.4.17. Security: CVE-2013-1899, CVE-2013-1901
  http://git.postgresql.org/pg/commitdiff/89b661bab99e8573fad271f68755ba286932dec2

- Fix insecure parsing of server command-line switches. An oversight in commit e710b65c1c56ca7b91f662c63d37ff2e72862a94 allowed database names beginning with "-" to be treated as though they were secure command-line switches; and this switch processing occurs before client authentication, so that even an unprivileged remote attacker could exploit the bug, needing only connectivity to the postmaster's port. Assorted exploits for this are possible, some requiring a valid database login, some not. The worst known problem is that the "-r" switch can be invoked to redirect the process's stderr output, so that subsequent error messages will be appended to any file the server can write. This can for example be used to corrupt the server's configuration files, so that it will fail when next restarted. Complete destruction of database tables is also possible. Fix by keeping the database name extracted from a startup packet fully separate from command-line switches, as had already been done with the user name field. The Postgres project thanks Mitsumasa Kondo for discovering this bug, Kyotaro Horiguchi for drafting the fix, and Noah Misch for recognizing the full extent of the danger. Security: CVE-2013-1899
  http://git.postgresql.org/pg/commitdiff/17fe2793ea7fe269ed616cb305150b6cf38dbaa8

- Improve documentation about the relationship of extensions and schemas. There's been some confusion expressed about this point, so clarify. Extended version of a patch by David Wheeler.
  http://git.postgresql.org/pg/commitdiff/52f436b807b0d02203ea6be19bafa56e4e1381e8

- Fix line count in slashUsage(). Counting newlines shows that quite a few recent patches have neglected to update the output-lines count given to PageOutput(). Fortunately it's not terribly critical that this be exact, since we long since exceeded the height of most people's terminal windows. Still, maybe we ought to think of a way to not have to maintain this manually anymore.
  http://git.postgresql.org/pg/commitdiff/927e1dc96ce3eb4a618fd7b67f69eec72b56d850

- Add \watch [SEC] command to psql. This allows convenient re-execution of commands. Will Leinweber, reviewed by Peter Eisentraut, Daniel Farina, and Tom Lane
  http://git.postgresql.org/pg/commitdiff/c6a3fce7dd4dae6e1a005e5b09cdd7c1d7f9c4f4

- In isolationtester, retry after EINTR return from select(2). Per report from Jaime Casanova. Very curious that no one else has seen this failure ... but the code is clearly wrong as-is.
  http://git.postgresql.org/pg/commitdiff/faf4726c9fd5748ad25dbce55a7d31deeabe9866

- Get rid of USE_WIDE_UPPER_LOWER dependency in trigram construction. contrib/pg_trgm's make_trigrams() was coded to ignore multibyte character boundaries and just make trigrams from bytes if USE_WIDE_UPPER_LOWER wasn't defined. This is a bit odd, since there's no obvious reason why trigram compaction rules should depend on the presence of towlower() and friends. What's more, there was an Assert() that would fail if that code path was fed any multibyte characters. We need to do something about this since the pending regex-indexing patch has an assumption that you get just one "trgm" from any three characters. The best solution seems to be to remove the USE_WIDE_UPPER_LOWER dependency, which shouldn't really have been there in the first place. The second loop in make_trigrams() is now just a fast path and not a potentially incompatible algorithm. If there is anybody still using Postgres on machines without wcstombs() or towlower(), and they have non-ASCII data indexed by pg_trgm, they'll need to REINDEX those indexes after pg_upgrade to 9.3, else searches may fail incorrectly. It seems likely that there are no such installations, though. In passing, rename cnt_trigram to compact_trigram, which seems to better describe its functionality, and improve make_trigrams' test for whether it has to use the slow path or not (per a suggestion from Alexander Korotkov).
  http://git.postgresql.org/pg/commitdiff/7844608e54a3a2e3dee461b00fd6ef028a845d7c

Heikki Linnakangas pushed:

- Calculate # of semaphores correctly with --disable-spinlocks. The old formula didn't take into account that each WAL sender process needs a spinlock. We had also already exceeded the fixed number of spinlocks reserved for misc purposes (10). Bump that to 30. Backpatch to 9.0, where WAL senders were introduced. If I counted correctly, 9.0 had exactly 10 predefined spinlocks, and 9.1 exceeded that, but bump the limit in 9.0 too because 10 is uncomfortably close to the edge.
  http://git.postgresql.org/pg/commitdiff/b8ed4cc9627de437e5eafdb81631a0d0f063abb3

- Fix crash on compiling a regular expression with more than 32k colors. Throw an error instead. Backpatch to all supported branches.
  http://git.postgresql.org/pg/commitdiff/bf2b0a147857f63daa2e5c17eed0169861371af8

Andrew Dunstan pushed:

- Fix a few thinkos in the JSON functions docs. Dickson S. Guedes
  http://git.postgresql.org/pg/commitdiff/d7d5832012ae5174707643af1a450d26d3350719

- Fix off by one error in JSON extract path code. Bug report by David Wheeler, diagnosis assistance from Tom Lane.
  http://git.postgresql.org/pg/commitdiff/e75feb28341ea49e9d41266906e701a4e3742e2e

Bruce Momjian pushed:

- psql: fix startup crash caused by PSQLRC containing a tilde. 'strdup' the PSQLRC environment variable value before calling a routine that might free() it. Backpatch to 9.2, where the bug first appeared.
  http://git.postgresql.org/pg/commitdiff/48a2cd370e2610f0a196240aed9f5abd82d3dada

Robert Haas pushed:

- sepgsql: Enforce db_schema:search permission. KaiGai Kohei, with comment and doc wordsmithing by me
  http://git.postgresql.org/pg/commitdiff/e965e6344cfaff0708a032721b56f61eea777bc5

Simon Riggs pushed:

- Fix checksums for CLUSTER, VACUUM FULL etc. In CLUSTER, VACUUM FULL and ALTER TABLE SET TABLESPACE I erroneously set checksum before log_newpage, which sets the LSN and invalidates the checksum. So set checksum immediately *after* log_newpage. Bug report Fujii Masao, Fix and patch by Jeff Davis
  http://git.postgresql.org/pg/commitdiff/cf8dc9e10c0d954970cbe5ca9be4c6b881cde482

- Tune BufferGetLSNAtomic() when checksums !enabled. From performance analysis by Heikki Linnakangas
  http://git.postgresql.org/pg/commitdiff/1be203519ac4da238bf6dfe8f7015d5780723e0f

== Rejected Patches (for now) ==

No one was disappointed this week :-)

== Pending Patches ==

Jeff Janes sent in another revision of a patch to add a --startup option to pgbench.

Tom Lane sent in a patch to fix some mis-estimation of the costs of hash joins.

Alexander Korotkov and Tom Lane, with contributions of performance numbers from Erik Rijkers, sent in more revisions of the patch to allow indexing DFA regexes.

Jeff Janes sent in another revision of a patch to change the units of spinlock_delay to microseconds.

Dimitri Fontaine sent in two more revisions of a patch to add extension templates.

Andres Freund sent in a patch to add an option for dumping full page writes to pg_dump.

Michael Paquier sent in a patch to fix a typo in the documentation for JSON functions.

Heikki Linnakangas sent in a patch to ensure that enough WAL segments are kept in situations where they might not have been.

Heikki Linnakangas sent in a patch to prevent backend crashes with certain unusual regexes.

Simon Riggs, Andres Freund and Jeff Davis traded patches to fix some corner cases in the page checksum code.

Grzegorz Jaskiewicz and Robert Haas traded patches to remove some formatting dead code.

Kevin Grittner sent in a patch to fix some scannability issues in materialized views.

Jeff Janes sent in a patch to help ensure that the right WALs get saved.

Jeff Janes sent in a patch to ensure that the process title of the autovacuum worker reflects what it's doing at the time.

Tomas Vondra sent in a patch to implement pg_stat_agg_database.
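The CVE-2013-1899 entry in the Applied Patches section turns on how the postmaster handled the database name carried in a v3 startup packet, which it parsed before any authentication took place. As an added example (not part of this newsletter and not the PostgreSQL project's own code), the following Python decodes that packet and flags a `database` field that begins with "-", the shape of request that reached the switch parser before the fix. The wire layout it implements (4-byte big-endian length, 4-byte protocol version 196608 for 3.0, NUL-terminated key/value strings, trailing NUL) is the documented v3 StartupMessage; the packet builder, the list of inspected fields and the sample values are constructed for this example, and inspecting `user` as well as `database` is an assumption made for defence in depth, since the commit states the user name was already handled separately.

```python
import struct

# Protocol version 3.0 as encoded in the StartupMessage (major << 16 | minor).
PROTOCOL_V3 = (3 << 16) | 0

# Fields whose values are inspected for a leading dash. Including "user" is an
# assumption for defence in depth; the commit says it was already kept apart
# from switch processing. "options" is deliberately excluded: it legitimately
# carries command-line switches for the backend.
SWITCH_SENSITIVE_FIELDS = ("database", "user")


def build_startup_message(params):
    """Encode a v3 StartupMessage. Used here only to construct sample input."""
    body = struct.pack("!I", PROTOCOL_V3)
    for key, value in params.items():
        body += key.encode("utf-8") + b"\x00" + value.encode("utf-8") + b"\x00"
    body += b"\x00"  # terminator after the last key/value pair
    return struct.pack("!I", len(body) + 4) + body


def parse_startup_message(data):
    """Decode a v3 StartupMessage into (protocol_version, {key: value}).

    Raises ValueError on truncation, a length mismatch, a non-v3 major
    version (SSLRequest/CancelRequest use other codes), or an
    unterminated string, so a malformed packet is rejected, not guessed at.
    """
    if len(data) < 9:  # length + version + terminator is the smallest valid packet
        raise ValueError("startup packet too short")
    (length,) = struct.unpack("!I", data[:4])
    if length != len(data):
        raise ValueError("length field %d does not match packet size %d" % (length, len(data)))
    (version,) = struct.unpack("!I", data[4:8])
    if version >> 16 != 3:
        raise ValueError("not a v3 startup message: version %#x" % version)
    params = {}
    pos = 8
    while pos < length:
        if data[pos] == 0:  # terminating NUL: end of the parameter list
            return version, params
        try:
            key_end = data.index(b"\x00", pos)
            val_end = data.index(b"\x00", key_end + 1)
        except ValueError:
            raise ValueError("unterminated string in startup packet")
        key = data[pos:key_end].decode("utf-8")
        params[key] = data[key_end + 1:val_end].decode("utf-8")
        pos = val_end + 1
    raise ValueError("startup packet missing terminator")


def suspicious_switch_values(params, fields=SWITCH_SENSITIVE_FIELDS):
    """Return the inspected fields whose value starts with '-'.

    Before the fix for CVE-2013-1899 a database name of this shape was handed
    to the postmaster's command-line switch parser, which runs before
    authentication; the check keys only on the leading dash, not on which
    switch follows it.
    """
    return {k: params[k] for k in fields if k in params and params[k].startswith("-")}


def check_packet(data):
    """Parse a raw startup packet and return its suspicious fields ({} if clean)."""
    _, params = parse_startup_message(data)
    return suspicious_switch_values(params)


if __name__ == "__main__":
    # Constructed samples: a normal login and one whose database name is a
    # bare switch ("-r" is the one the commit names as most damaging).
    clean = build_startup_message({"user": "alice", "database": "alice"})
    hostile = build_startup_message({"user": "alice", "database": "-r"})
    print("clean:", check_packet(clean))      # {}
    print("hostile:", check_packet(hostile))  # {'database': '-r'}
```

A check like this belongs in front of the postmaster (a connection pooler, proxy or IDS signature on port 5432 traffic) as a detection aid, not as a substitute for the released versions: the fix keeps the database name out of switch processing altogether, whereas a filter only catches the pattern it was told about.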