From: David Fetter <david <at> fetter.org>
Subject: == PostgreSQL Weekly News - April 07 2013 ==
Newsgroups: gmane.comp.db.postgresql.announce
Date: Monday 8th April 2013 07:04:09 UTC
== PostgreSQL Weekly News - April 07 2013 ==

Security releases 9.2.4, 9.1.9, 9.0.13, and 8.4.17 are out now.
Upgrade immediately if not sooner!
Release FAQ:
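As an added check that is not part of the newsletter: a short Python script that classifies a server's reported version against the fixed releases named above, so an operator can confirm every instance is at or past the security release for its branch. The release table is taken from the announcement; the sample version strings are constructed.

```python
import re

# Minimum patched release per major branch, taken from the announcement
# (9.2.4, 9.1.9, 9.0.13, 8.4.17). Branches older than 8.4 were already
# out of support and received no fix.
FIXED_RELEASES = {
    (9, 2): (9, 2, 4),
    (9, 1): (9, 1, 9),
    (9, 0): (9, 0, 13),
    (8, 4): (8, 4, 17),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract (major, minor, patch) from a version string.

    Accepts a bare '9.2.3', the output of `SELECT version()`
    ('PostgreSQL 9.2.3 on x86_64-...'), or `psql --version`
    ('psql (PostgreSQL) 9.2.3'). A missing patch level, as in
    '9.3beta1', is read as 0.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no PostgreSQL version found in: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def patch_status(text):
    """Classify a server version against the April 2013 security releases.

    Returns one of:
      'patched'     - at or above the fixed release for its branch
      'vulnerable'  - a supported branch below its fixed release
      'unsupported' - a branch older than any that received the fix
      'unknown'     - a branch newer than the table (not covered here)
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_RELEASES:
        if (major, minor, patch) >= FIXED_RELEASES[branch]:
            return "patched"
        return "vulnerable"
    if branch < min(FIXED_RELEASES):
        return "unsupported"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inputs; in practice feed in the output of
    # `psql -tAc 'SELECT version()'` from each server you operate.
    for sample in ["PostgreSQL 9.2.3 on x86_64-unknown-linux-gnu",
                   "psql (PostgreSQL) 9.1.9",
                   "8.4.16", "8.3.23", "9.3beta1"]:
        print("%-45s %s" % (sample, patch_status(sample)))
```

A development branch such as 9.3 is reported as `unknown` on purpose: the table only covers the branches the announcement lists, and guessing at others would defeat the point of the check.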

PGConf.EU 2013 will be held on Oct 29-Nov 1 at the Conrad Hotel in
downtown Dublin, Ireland.

== PostgreSQL Product News ==

psycopg2 2.5, a Python connector for PostgreSQL, released.

== PostgreSQL Jobs for April ==


== PostgreSQL Local ==

PGCon 2013 will be held May 23-24 2013, in Ottawa at the University of

The 6th annual "Prague PostgreSQL Developers Day" conference,
organized by CSPUG (Czech and Slovak PostgreSQL Users Group), will be
held on May 30, 2013 at Faculty of Mathematics and Physics, Charles
University (Malostranske namesti 25, Prague).  The CfP is open until
April 14, 2013.  More information in Czech is at

PG Day France is the major French-speaking PostgreSQL community event.
It will be held June 13, 2013 in Nantes, France.

The CfPs for Char(13) and PGday UK, July 11 and 12, 2013,
respectively, are out and close April 19, 2013.  For Char(13), write
speakers AT char13 DOT info; for PGday UK, speakers AT
postgresqlusergroup DOT org DOT uk.

PostgreSQL Brazil will be held August 15-17, 2013 in Porto Velho, RO,

Save The Date!
Postgres Open 2013 will be in Chicago, IL, USA, September 16-18.
    Hotel Sax:
    Early Bird registration:

== PostgreSQL in the News ==

Planet PostgreSQL: http://planet.postgresql.org/

PostgreSQL Weekly News is brought to you this week by David Fetter

Submit news and announcements by Sunday at 3:00pm Pacific time.
Please send English language ones to [email protected], German language
to [email protected], Italian language to [email protected], Spanish language
to [email protected]

== Applied Patches ==

Peter Eisentraut pushed:

- Revert "ecpg: Don't link compatlib with libpq".  This reverts commit
  3780fc679cc428c1f211e1728c4281ca15e9746b.  HP-UX didn't like it.
  There would probably be a way to fix that, but since the net effect
  of all of this is zero because ecpg ends up using libpq anyway, it's
  not worth bothering further.

- doc: Fix number of columns in table

Tom Lane pushed:

- Make REPLICATION privilege checks test current user not
  authenticated user.  The pg_start_backup() and pg_stop_backup()
  functions checked the privileges of the initially-authenticated user
  rather than the current user, which is wrong.  For example, a
  user-defined index function could successfully call these functions
  when executed by ANALYZE within autovacuum.  This could allow an
  attacker with valid but low-privilege database access to interfere
  with creation of routine backups.  Reported and fixed by Noah Misch.
  Security: CVE-2013-1901
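An added illustration, not part of the commit above or of PostgreSQL's source: a simplified Python model of why the privilege check has to consult the current user rather than the authenticated one. The `Session` class, its `run_as` context and the role names are hypothetical stand-ins for the backend's user-id handling; the scenario mirrors the one in the commit message, where a privileged autovacuum process evaluates a low-privilege owner's index function during ANALYZE.

```python
from contextlib import contextmanager


class Session:
    """Minimal model of a backend's user identity (hypothetical, not pg code).

    `session_user` is the role that authenticated; `current_user` is the
    role whose privileges apply right now, which changes while code runs
    on behalf of another role (for example an index expression function
    evaluated as the table owner during autovacuum's ANALYZE).
    """

    def __init__(self, session_user, superusers=(), replication=()):
        self.session_user = session_user
        self._stack = [session_user]          # current user is the top
        self._superusers = set(superusers)
        self._replication = set(replication)

    @property
    def current_user(self):
        return self._stack[-1]

    @contextmanager
    def run_as(self, role):
        """Run a block with `role` as the current user, then restore."""
        self._stack.append(role)
        try:
            yield
        finally:
            self._stack.pop()

    def has_replication_privilege(self, role):
        return role in self._superusers or role in self._replication


def backup_allowed_vulnerable(session):
    """Pre-fix behaviour: the check looks at the authenticated user."""
    return session.has_replication_privilege(session.session_user)


def backup_allowed_fixed(session):
    """Post-fix behaviour: the check looks at the current user."""
    return session.has_replication_privilege(session.current_user)


def autovacuum_analyze_scenario(check):
    """Privileged autovacuum analyses a table owned by low-privilege
    'app_owner', evaluating that owner's index function. Return whether
    a pg_start_backup() call from inside that function passes `check`."""
    session = Session("autovacuum", superusers={"autovacuum", "postgres"})
    with session.run_as("app_owner"):
        return check(session)


def direct_call_scenario(check):
    """A role that genuinely holds REPLICATION calls the function itself;
    both checks must keep allowing this."""
    session = Session("backup_role", replication={"backup_role"})
    return check(session)
```

The two scenarios show the two sides of the fix: the vulnerable check lets the unprivileged owner's function through because the *session* belongs to autovacuum, while the fixed check denies it and still allows a legitimate replication role calling the function directly.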

- Avoid updating our PgBackendStatus entry when track_activities is
  off.  The point of turning off track_activities is to avoid this
  reporting overhead, but a thinko in commit
  4f42b546fd87a80be30c53a0f2c897acb826ad52 caused
  pgstat_report_activity() to perform half of its updates anyway.  Fix
  that, and also make sure that we clear all the now-disabled fields
  when transitioning to the non-reporting state.

- Fix typo in FDW docs.  Laurenz Albe

- Minor robustness improvements for isolationtester.  Notice and
  complain about PQcancel() failures.  Also, don't dump core if an
  error PGresult doesn't contain severity and message subfields, as it
  might not if it was generated by libpq itself.  (We have a
  longstanding TODO item to improve that, but in the meantime
  isolationtester had better cope.) I tripped across the latter item
  while investigating a trouble report on buildfarm member spoonbill.
  As for the former, there's no evidence that PQcancel failure is
  actually involved in spoonbill's problem, but it still seems like a
  bad idea to ignore an error return code.

- Update release notes for 9.2.4, 9.1.9, 9.0.13, 8.4.17.  Security:
  CVE-2013-1899, CVE-2013-1901

- Fix insecure parsing of server command-line switches.  An oversight
  in commit e710b65c1c56ca7b91f662c63d37ff2e72862a94 allowed database
  names beginning with "-" to be treated as though they were secure
  command-line switches; and this switch processing occurs before
  client authentication, so that even an unprivileged remote attacker
  could exploit the bug, needing only connectivity to the postmaster's
  port.  Assorted exploits for this are possible, some requiring a
  valid database login, some not.  The worst known problem is that the
  "-r" switch can be invoked to redirect the process's stderr output,
  so that subsequent error messages will be appended to any file the
  server can write.  This can for example be used to corrupt the
  server's configuration files, so that it will fail when next
  restarted.  Complete destruction of database tables is also
  possible.  Fix by keeping the database name extracted from a startup
  packet fully separate from command-line switches, as had already
  been done with the user name field.  The Postgres project thanks
  Mitsumasa Kondo for discovering this bug, Kyotaro Horiguchi for
  drafting the fix, and Noah Misch for recognizing the full extent of
  the danger.  Security: CVE-2013-1899

- Improve documentation about the relationship of extensions and
  schemas.  There's been some confusion expressed about this point, so
  clarify.  Extended version of a patch by David Wheeler.

- Fix line count in slashUsage().  Counting newlines shows that quite
  a few recent patches have neglected to update the output-lines count
  given to PageOutput().  Fortunately it's not terribly critical that
  this be exact, since we long since exceeded the height of most
  people's terminal windows.  Still, maybe we ought to think of a way
  to not have to maintain this manually anymore.

- Add \watch [SEC] command to psql.  This allows convenient
  re-execution of commands.  Will Leinweber, reviewed by Peter
  Eisentraut, Daniel Farina, and Tom Lane

- In isolationtester, retry after EINTR return from select(2).  Per
  report from Jaime Casanova.  Very curious that no one else has seen
  this failure ... but the code is clearly wrong as-is.

- Get rid of USE_WIDE_UPPER_LOWER dependency in trigram construction.
  contrib/pg_trgm's make_trigrams() was coded to ignore multibyte
  character boundaries and just make trigrams from bytes if
  USE_WIDE_UPPER_LOWER wasn't defined.  This is a bit odd, since
  there's no obvious reason why trigram compaction rules should depend
  on the presence of towlower() and friends.  What's more, there was
  an Assert() that would fail if that code path was fed any multibyte
  characters.  We need to do something about this since the pending
  regex-indexing patch has an assumption that you get just one "trgm"
  from any three characters.  The best solution seems to be to remove
  the USE_WIDE_UPPER_LOWER dependency, which shouldn't really have
  been there in the first place.  The second loop in make_trigrams()
  is now just a fast path and not a potentially incompatible
  algorithm.  If there is anybody still using Postgres on machines
  without wcstombs() or towlower(), and they have non-ASCII data
  indexed by pg_trgm, they'll need to REINDEX those indexes after
  pg_upgrade to 9.3, else searches may fail incorrectly. It seems
  likely that there are no such installations, though.  In passing,
  rename cnt_trigram to compact_trigram, which seems to better
  describe its functionality, and improve make_trigrams' test for
  whether it has to use the slow path or not (per a suggestion from
  Alexander Korotkov).

Heikki Linnakangas pushed:

- Calculate # of semaphores correctly with --disable-spinlocks.  The
  old formula didn't take into account that each WAL sender process
  needs a spinlock. We had also already exceeded the fixed number of
  spinlocks reserved for misc purposes (10). Bump that to 30.
  Backpatch to 9.0, where WAL senders were introduced. If I counted
  correctly, 9.0 had exactly 10 predefined spinlocks, and 9.1 exceeded
  that, but bump the limit in 9.0 too because 10 is uncomfortably
  close to the edge.

- Fix crash on compiling a regular expression with more than 32k
  colors.  Throw an error instead.  Backpatch to all supported

Andrew Dunstan pushed:

- Fix a few thinkos in the JSON functions docs.  Dickson S. Guedes

- Fix off by one error in JSON extract path code.  Bug report by David
  Wheeler, diagnosis assistance from Tom Lane.

Bruce Momjian pushed:

- psql:  fix startup crash caused by PSQLRC containing a tilde.
  'strdup' the PSQLRC environment variable value before calling a
  routine that might free() it.  Backpatch to 9.2, where the bug first

Robert Haas pushed:

- sepgsql: Enforce db_schema:search permission.  KaiGai Kohei, with
  comment and doc wordsmithing by me

Simon Riggs pushed:

  and ALTER TABLE SET TABLESPACE I erroneously set checksum before
  log_newpage, which sets the LSN and invalidates the checksum. So set
  checksum immediately *after* log_newpage.  Bug report Fujii Masao,
  Fix and patch by Jeff Davis

- Tune BufferGetLSNAtomic() when checksums !enabled.  From performance
  analysis by Heikki Linnakangas

== Rejected Patches (for now) ==

No one was disappointed this week :-)

== Pending Patches ==

Jeff Janes sent in another revision of a patch to add a --startup
option to pgbench.

Tom Lane sent in a patch to fix some mis-estimation of the costs of
hash joins.

Alexander Korotkov and Tom Lane, with contributions of performance
numbers from Erik Rijkers, sent in more revisions of the patch to
allow indexing DFA regexes.

Jeff Janes sent in another revision of a patch to change the units of
spinlock_delay to microseconds.

Dimitri Fontaine sent in two more revisions of a patch to add
extension templates.

Andres Freund sent in a patch to add option for dumping full page
writes to pg_dump.

Michael Paquier sent in a patch to fix a typo in the documentation for
JSON functions.

Heikki Linnakangas sent in a patch to ensure that enough WAL segments
are kept in situations where they might not have been.

Heikki Linnakangas sent in a patch to prevent backend crashes with
certain unusual regexes.

Simon Riggs, Andres Freund and Jeff Davis traded patches to fix some
corner cases in the page checksum code.

Grzegorz Jaskiewicz and Robert Haas traded patches to remove some
formatting dead code.

Kevin Grittner sent in a patch to fix some scannability issues in
materialized views.

Jeff Janes sent in a patch to help ensure that the right WALs get

Jeff Janes sent in a patch to ensure that the process title of the
autovacuum worker reflects what it's doing at the time.

Tomas Vondra sent in a patch to implement pg_stat_agg_database.

Sent via pgsql-announce mailing list ([email protected])