Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: <josh <at> postgresql.org>
Subject: PostgreSQL 2012-08-17 Security Update Release
Newsgroups: gmane.comp.db.postgresql.announce
Date: Friday 17th August 2012 14:53:02 UTC (over 4 years ago)
The PostgreSQL Global Development Group today released security updates 
for all active branches of the PostgreSQL database system, including 
versions 9.1.15, 9.0.9, 8.4.13 and 8.3.20. This update patches security 
holes associated with libxml2 and libxslt, similar to those affecting 
other open source projects.  All users are urged to update their 
installations at the first available opportunity.

This security release fixes a vulnerability in the built-in XML 
functionality, and a vulnerability in the XSLT functionality supplied by 
the optional XML2 extension.  Both vulnerabilities allow reading of 
arbitrary files by any authenticated database user, and the XSLT 
vulnerability allows writing files as well.  The fixes cause limited 
backwards compatibility issues.  These issues correspond to the 
following two vulnerabilities:

* CVE-2012-3488: 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3488
* CVE-2012-3489: 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3489

This release also contains several fixes to version 9.1, and a smaller 
number of fixes to older versions, including:

* Updates and corrections to time zone data
* Multiple documentation updates and corrections
* Add limit on max_wal_senders
* Fix dependencies generated during ALTER TABLE ADD CONSTRAINT USING 
INDEX.
* Correct behavior of unicode conversions for PL/Python
* Fix WITH attached to a nested set operation (UNION/INTERSECT/EXCEPT).
* Fix syslogger so that log_truncate_on_rotation works in the first 
rotation.
* Only allow autovacuum to be auto-canceled by a directly blocked 
process.
* Improve fsync request queue operation
* Prevent corner-case core dump in rfree().
* Fix Walsender so that it responds correctly to timeouts and deadlocks
* Several PL/Perl fixes for encoding-related issues
* Make selectivity operators use the correct collation
* Prevent unsuitable slaves from being selected for synchronous 
replication
* Make REASSIGN OWNED work on extensions as well
* Fix race condition with ENUM comparisons
* Make NOTIFY cope with out-of-disk-space
* Fix memory leak in ARRAY subselect queries
* Reduce data loss at replication failover
* Fix behavior of subtransactions with Hot Standby

Users who are relying on the built-in XML functionality to validate 
external DTDs will need to implement a workaround, as this security 
patch disables that functionality.  Users who are using xslt_process() 
to fetch documents or stylesheets from external URLs will no longer be 
able to do so.  The PostgreSQL project regrets the need to disable both 
of these features in order to maintain our security standards.  These 
security issues with XML are substantially similar to issues patched 
recently by the Webkit (CVE-2011-1774), XMLsec (CVE-2011-1425) and PHP5 
(CVE-2012-0057) projects.

As with other minor releases, users are not required to dump and reload 
their database or use `pg_upgrade` in order to apply this update 
release; you may simply shut down PostgreSQL and update its binaries. 
Perform post-update steps after the database is restarted.

All supported versions of PostgreSQL are affected. See the release 
notes (http://www.postgresql.org/docs/9.1/static/release.html)
for each 
version for a full list of changes with details of the fixes and steps.

Download new versions now at the main download page: 
http://www.postgresql.org/download/.


-- 
Sent via pgsql-announce mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-announce
 
CD: 3ms