Opened 9 years ago

Closed 9 years ago

#6121 closed enhancement (fixed)

postgresql-9.4.1

Reported by: Fernando de Oliveira
Owned by: Fernando de Oliveira
Priority: high
Milestone: 7.7
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

http://ftp.postgresql.org/pub/source/v9.4.1/postgresql-9.4.1.tar.bz2

http://www.postgresql.org/about/news/1569/

The PostgreSQL Global Development Group has released an important update
with fixes for multiple security issues to all supported versions of the
PostgreSQL database system, which includes minor versions 9.4.1, 9.3.6,
9.2.10, 9.1.15, and 9.0.19. This update includes both security fixes and
fixes for issues discovered since the last release. In particular for
the 9.4 update, there is a change to the way unicode strings are escaped
for the JSON and JSONB data types.

All users should update their PostgreSQL installation at the next
opportunity.

Security Fixes

This update fixes multiple security issues reported in PostgreSQL over
the past few months. All of these issues require prior authentication,
and some require additional conditions, and as such are not considered
generally urgent. However, users should examine the list of security
holes patched below in case they are particularly vulnerable.

    CVE-2015-0241 Buffer overruns in "to_char" functions.
    CVE-2015-0242 Buffer overrun in replacement printf family of functions.
    CVE-2015-0243 Memory errors in functions in the pgcrypto extension.
    CVE-2015-0244 An error in extended protocol message reading.
    CVE-2014-8161 Constraint violation errors can cause display of
    values in columns which the user would not normally have rights to
    see.

This update also fixes the previously reported problem that, during
regression testing on Windows, the test postmaster process was
vulnerable to unauthorized connections. This vulnerability was fixed on
non-Windows platforms in the prior update releases.

More information about these issues, as well as older patched issues, is
available on the PostgreSQL Security Page.

JSON and JSONB Unicode Escapes

...

Other Fixes and Improvements

...

Change History (3)

comment:1 by Fernando de Oliveira, 9 years ago

Owner: changed from blfs-book@… to Fernando de Oliveira
Status: new → assigned

comment:2 by Fernando de Oliveira, 9 years ago

Priority: highest → high

comment:3 by Fernando de Oliveira, 9 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r15456.
