== PostgreSQL Weekly News - April 07 2013 ==
Security releases 9.2.4, 9.1.9, 9.0.13, and 8.4.17 are out now.
Upgrade immediately if not sooner!
PGConf.EU 2013 will be held on Oct 29-Nov 1, at the Conrad Hotel in
downtown Dublin, Ireland.
== PostgreSQL Product News ==
psycopg2 2.5, a Python connector for PostgreSQL, released.
== PostgreSQL Jobs for April ==
== PostgreSQL Local ==
PGCon 2013 will be held May 23-24 2013, in Ottawa at the University of
The 6th annual "Prague PostgreSQL Developers Day" conference,
organized by CSPUG (Czech and Slovak PostgreSQL Users Group), will be
held on May 30, 2013 at Faculty of Mathematics and Physics, Charles
University (Malostranske namesti 25, Prague). The CfP is open until
April 14, 2013. More information in Czech is at
PG Day France is the major French-speaking PostgreSQL community event.
It will be held June 13, 2013 in Nantes, France.
The CfPs for Char(13) and PGday UK, July 11 and 12, 2013,
respectively, are out and close April 19, 2013. For Char(13), write
speakers AT char13 DOT info; for PGday UK, speakers AT
postgresqlusergroup DOT org DOT uk.
PostgreSQL Brazil will be held August 15-17, 2013 in Porto Velho, RO,
Save The Date!
Postgres Open 2013 will be in Chicago, IL, USA, September 16-18.
Early Bird registration:
== PostgreSQL in the News ==
Planet PostgreSQL: http://planet.postgresql.org/
PostgreSQL Weekly News is brought to you this week by David Fetter
Submit news and announcements by Sunday at 3:00pm Pacific time.
Please send English language ones to [email protected], German language
to [email protected], Italian language to [email protected], and Spanish
language to [email protected]
== Applied Patches ==
Peter Eisentraut pushed:
- Revert "ecpg: Don't link compatlib with libpq". This reverts commit
3780fc679cc428c1f211e1728c4281ca15e9746b. HP-UX didn't like it.
There would probably be a way to fix that, but since the net effect
of all of this is zero because ecpg ends up using libpq anyway, it's
not worth bothering further.
- doc: Fix number of columns in table
Tom Lane pushed:
- Make REPLICATION privilege checks test current user not
authenticated user. The pg_start_backup() and pg_stop_backup()
functions checked the privileges of the initially-authenticated user
rather than the current user, which is wrong. For example, a
user-defined index function could successfully call these functions
when executed by ANALYZE within autovacuum. This could allow an
attacker with valid but low-privilege database access to interfere
with creation of routine backups. Reported and fixed by Noah Misch.
- Avoid updating our PgBackendStatus entry when track_activities is
off. The point of turning off track_activities is to avoid this
reporting overhead, but a thinko in commit
pgstat_report_activity() to perform half of its updates anyway. Fix
that, and also make sure that we clear all the now-disabled fields
when transitioning to the non-reporting state.
- Fix typo in FDW docs. Laurenz Albe
- Minor robustness improvements for isolationtester. Notice and
complain about PQcancel() failures. Also, don't dump core if an
error PGresult doesn't contain severity and message subfields, as it
might not if it was generated by libpq itself. (We have a
longstanding TODO item to improve that, but in the meantime
isolationtester had better cope.) I tripped across the latter item
while investigating a trouble report on buildfarm member spoonbill.
As for the former, there's no evidence that PQcancel failure is
actually involved in spoonbill's problem, but it still seems like a
bad idea to ignore an error return code.
- Update release notes for 9.2.4, 9.1.9, 9.0.13, 8.4.17. Security:
- Fix insecure parsing of server command-line switches. An oversight
in commit e710b65c1c56ca7b91f662c63d37ff2e72862a94 allowed database
names beginning with "-" to be treated as though they were secure
command-line switches; and this switch processing occurs before
client authentication, so that even an unprivileged remote attacker
could exploit the bug, needing only connectivity to the postmaster's
port. Assorted exploits for this are possible, some requiring a
valid database login, some not. The worst known problem is that the
"-r" switch can be invoked to redirect the process's stderr output,
so that subsequent error messages will be appended to any file the
server can write. This can for example be used to corrupt the
server's configuration files, so that it will fail when next
restarted. Complete destruction of database tables is also
possible. Fix by keeping the database name extracted from a startup
packet fully separate from command-line switches, as had already
been done with the user name field. The Postgres project thanks
Mitsumasa Kondo for discovering this bug, Kyotaro Horiguchi for
drafting the fix, and Noah Misch for recognizing the full extent of
the danger. Security: CVE-2013-1899
- Improve documentation about the relationship of extensions and
schemas. There's been some confusion expressed about this point, so
clarify. Extended version of a patch by David Wheeler.
- Fix line count in slashUsage(). Counting newlines shows that quite
a few recent patches have neglected to update the output-lines count
given to PageOutput(). Fortunately it's not terribly critical that
this be exact, since we long since exceeded the height of most
people's terminal windows. Still, maybe we ought to think of a way
to not have to maintain this manually anymore.
- Add \watch [SEC] command to psql. This allows convenient
re-execution of commands. Will Leinweber, reviewed by Peter
Eisentraut, Daniel Farina, and Tom Lane
- In isolationtester, retry after EINTR return from select(2). Per
report from Jaime Casanova. Very curious that no one else has seen
this failure ... but the code is clearly wrong as-is.
- Get rid of USE_WIDE_UPPER_LOWER dependency in trigram construction.
contrib/pg_trgm's make_trigrams() was coded to ignore multibyte
character boundaries and just make trigrams from bytes if
USE_WIDE_UPPER_LOWER wasn't defined. This is a bit odd, since
there's no obvious reason why trigram compaction rules should depend
on the presence of towlower() and friends. What's more, there was
an Assert() that would fail if that code path was fed any multibyte
characters. We need to do something about this since the pending
regex-indexing patch has an assumption that you get just one "trgm"
from any three characters. The best solution seems to be to remove
the USE_WIDE_UPPER_LOWER dependency, which shouldn't really have
been there in the first place. The second loop in make_trigrams()
is now just a fast path and not a potentially incompatible
algorithm. If there is anybody still using Postgres on machines
without wcstombs() or towlower(), and they have non-ASCII data
indexed by pg_trgm, they'll need to REINDEX those indexes after
pg_upgrade to 9.3, else searches may fail incorrectly. It seems
likely that there are no such installations, though. In passing,
rename cnt_trigram to compact_trigram, which seems to better
describe its functionality, and improve make_trigrams' test for
whether it has to use the slow path or not (per a suggestion from
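Illustration added for the pg_trgm item above (not pg_trgm's own code): it models why an index built from byte-wise trigrams disagrees with character-wise trigrams on non-ASCII text, which is why such indexes need a REINDEX. It assumes pg_trgm's word padding (two leading spaces, one trailing) and omits case folding and punctuation handling.

```python
"""Toy model of byte-wise versus character-wise trigram extraction.

Assumed simplification: pg_trgm's word padding (two leading spaces, one
trailing) is kept; its case folding and punctuation handling are omitted.
"""


def _pad(word: str) -> str:
    return "  " + word + " "


def char_trigrams(word: str) -> set[bytes]:
    """One trigram per three *characters* (the fixed make_trigrams path),
    encoded to bytes so the two representations can be compared."""
    padded = _pad(word)
    return {padded[i:i + 3].encode("utf-8") for i in range(len(padded) - 2)}


def byte_trigrams(word: str) -> set[bytes]:
    """One trigram per three *bytes*, ignoring multibyte boundaries (the
    old path taken when USE_WIDE_UPPER_LOWER was not defined)."""
    padded = _pad(word).encode("utf-8")
    return {padded[i:i + 3] for i in range(len(padded) - 2)}


def index_hit(indexed_word: str, query_word: str, index_fn, query_fn) -> bool:
    """Model of a trigram index probe: the row can match only if every
    trigram extracted from the query is present in the row's stored set."""
    return query_fn(query_word) <= index_fn(indexed_word)


def demo(word: str) -> dict:
    """Probe a word against an index built by the new (character) code and
    against a stale index built by the old (byte) code, using the new
    code's trigrams for the query in both cases."""
    return {
        "char_trigram_count": len(char_trigrams(word)),
        "byte_trigram_count": len(byte_trigrams(word)),
        "fresh_index": index_hit(word, word, char_trigrams, char_trigrams),
        "stale_index": index_hit(word, word, byte_trigrams, char_trigrams),
    }


if __name__ == "__main__":
    for w in ("cat", "über"):   # constructed sample words
        print(w, demo(w))
```

For pure ASCII the two representations coincide, so only rows holding multibyte characters are affected, matching the commit's "non-ASCII data" caveat.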
Heikki Linnakangas pushed:
- Calculate # of semaphores correctly with --disable-spinlocks. The
old formula didn't take into account that each WAL sender process
needs a spinlock. We had also already exceeded the fixed number of
spinlocks reserved for misc purposes (10). Bump that to 30.
Backpatch to 9.0, where WAL senders were introduced. If I counted
correctly, 9.0 had exactly 10 predefined spinlocks, and 9.1 exceeded
that, but bump the limit in 9.0 too because 10 is uncomfortably
close to the edge.
- Fix crash on compiling a regular expression with more than 32k
colors. Throw an error instead. Backpatch to all supported
Andrew Dunstan pushed:
- Fix a few thinkos in the JSON functions docs. Dickson S. Guedes
- Fix off by one error in JSON extract path code. Bug report by David
Wheeler, diagnosis assistance from Tom Lane.
Bruce Momjian pushed:
- psql: fix startup crash caused by PSQLRC containing a tilde.
'strdup' the PSQLRC environment variable value before calling a
routine that might free() it. Backpatch to 9.2, where the bug first
Robert Haas pushed:
- sepgsql: Enforce db_schema:search permission. KaiGai Kohei, with
comment and doc wordsmithing by me
Simon Riggs pushed:
- Fix checksums for CLUSTER, VACUUM FULL etc. In CLUSTER, VACUUM FULL
and ALTER TABLE SET TABLESPACE I erroneously set checksum before
log_newpage, which sets the LSN and invalidates the checksum. So set
checksum immediately *after* log_newpage. Bug report by Fujii Masao,
fix and patch by Jeff Davis
- Tune BufferGetLSNAtomic() when checksums !enabled. From performance
analysis by Heikki Linnakangas
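Illustration added for the CLUSTER/VACUUM FULL checksum item above (not PostgreSQL's page code): a page checksum covers the page header, and the header holds the page LSN, so stamping the checksum before the WAL write that sets the LSN leaves a checksum that no longer matches. It assumes a page made of an LSN, a checksum slot and a body, with CRC-32 standing in for PostgreSQL's own FNV-based page checksum.

```python
"""Toy model of the checksum-before-log_newpage ordering bug and its fix.
Assumed simplification: CRC-32 over (LSN || body) instead of PostgreSQL's
FNV-based page checksum; the ordering problem is identical."""
import zlib
from dataclasses import dataclass


@dataclass
class Page:
    lsn: int = 0
    checksum: int = 0
    body: bytes = b""


def compute_checksum(page: Page) -> int:
    """Checksum over everything except the checksum field itself."""
    return zlib.crc32(page.lsn.to_bytes(8, "big") + page.body) & 0xFFFFFFFF


def verify(page: Page) -> bool:
    """What a later read of the page does: recompute and compare."""
    return page.checksum == compute_checksum(page)


def log_newpage(page: Page, next_lsn: int) -> None:
    """Stand-in for WAL-logging a full-page image: the record's LSN is
    written into the page header, changing the bytes the checksum covers."""
    page.lsn = next_lsn


def rewrite_buggy(page: Page, next_lsn: int) -> Page:
    """Order used by the erroneous code: checksum first, then WAL-log."""
    page.checksum = compute_checksum(page)
    log_newpage(page, next_lsn)
    return page


def rewrite_fixed(page: Page, next_lsn: int) -> Page:
    """Order from the fix: WAL-log first, then checksum the final header."""
    log_newpage(page, next_lsn)
    page.checksum = compute_checksum(page)
    return page


if __name__ == "__main__":
    sample = b"constructed tuple data" * 4   # constructed page body
    print("buggy verifies:", verify(rewrite_buggy(Page(body=sample), 0x1A2B)))
    print("fixed verifies:", verify(rewrite_fixed(Page(body=sample), 0x1A2B)))
```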
== Rejected Patches (for now) ==
No one was disappointed this week :-)
== Pending Patches ==
Jeff Janes sent in another revision of a patch to add a --startup
option to pgbench.
Tom Lane sent in a patch to fix some mis-estimation of the costs of
Alexander Korotkov and Tom Lane, with contributions of performance
numbers from Erik Rijkers, sent in more revisions of the patch to
allow indexing DFA regexes.
Jeff Janes sent in another revision of a patch to change the units of
spinlock_delay to microseconds.
Dimitri Fontaine sent in two more revisions of a patch to add
Andres Freund sent in a patch to add option for dumping full page
writes to pg_dump.
Michael Paquier sent in a patch to fix a typo in the documentation for
Heikki Linnakangas sent in a patch to ensure that enough WAL segments
are kept in situations where they might not have been.
Heikki Linnakangas sent in a patch to prevent backend crashes with
certain unusual regexes.
Simon Riggs, Andres Freund and Jeff Davis traded patches to fix some
corner cases in the page checksum code.
Grzegorz Jaskiewicz and Robert Haas traded patches to remove some
formatting dead code.
Kevin Grittner sent in a patch to fix some scannability issues in
Jeff Janes sent in a patch to help ensure that the right WALs get
Jeff Janes sent in a patch to ensure that the process title of the
autovacuum worker reflects what it's doing at the time.
Tomas Vondra sent in a patch to implement pg_stat_agg_database.
Sent via pgsql-announce mailing list ([email protected])