Opened 9 years ago
Closed 9 years ago
#7453 closed enhancement (fixed)
postgresql-9.5.1
Reported by: | Fernando de Oliveira | Owned by: | Fernando de Oliveira |
---|---|---|---|
Priority: | high | Milestone: | 7.9 |
Component: | BOOK | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: |
Description
Security Fixes
CVE-2016-0773, CVE-2016-0766
http://www.postgresql.org/about/news/1644/
Security Fixes for Regular Expressions, PL/Java
This release closes security hole CVE-2016-0773, an issue with regular expression (regex) parsing. Prior code allowed users to pass in expressions which included out-of-range Unicode characters, triggering a backend crash. This issue is critical for PostgreSQL systems with untrusted users or which generate regexes based on user input.
The update also fixes CVE-2016-0766, a privilege escalation issue for users of PL/Java. Certain custom configuration settings (GUCS) for PL/Java will now be modifiable only by the database superuser.
http://ftp.postgresql.org/pub/source/v9.5.1/postgresql-9.5.1.tar.bz2
http://ftp.postgresql.org/pub/source/v9.5.1/postgresql-9.5.1.tar.bz2.md5
11e037afaa4bd0c90bb3c3d955e2b401 postgresql-9.5.1.tar.bz2
http://www.postgresql.org/about/news/1644/
2016-02-11 Security Update Release
Posted on Feb. 11, 2016
The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 9.5.1, 9.4.6, 9.3.11, 9.2.15, and 9.1.20. This release fixes two security issues, as well as several bugs found over the last four months. Users vulnerable to the security issues should update their installations immediately; other users should update at the next scheduled downtime.
Security Fixes for Regular Expressions, PL/Java
This release closes security hole CVE-2016-0773, an issue with regular expression (regex) parsing. Prior code allowed users to pass in expressions which included out-of-range Unicode characters, triggering a backend crash. This issue is critical for PostgreSQL systems with untrusted users or which generate regexes based on user input.
The update also fixes CVE-2016-0766, a privilege escalation issue for users of PL/Java. Certain custom configuration settings (GUCS) for PL/Java will now be modifiable only by the database superuser.
Other Fixes and Improvements
In addition to the above, many other issues were patched in this release based on bugs reported by our users over the last few months. This includes multiple fixes for new features introduced in version 9.5.0, as well as refactoring of pg_dump to eliminate a number of chronic issues with backing up EXTENSIONs. Among them are:
• Fix many issues in pg_dump with specific object types
• Prevent over-eager pushdown of HAVING clauses for GROUPING SETS
• Fix deparsing error with ON CONFLICT ... WHERE clauses
• Fix tableoid errors for postgres_fdw
• Prevent floating-point exceptions in pgbench
• Make \det search Foreign Table names consistently
• Fix quoting of domain constraint names in pg_dump
• Prevent putting expanded objects into Const nodes
• Allow compile of PL/Java on Windows
• Fix "unresolved symbol" errors in PL/Python execution
• Allow Python2 and Python3 to be used in the same database
• Add support for Python 3.5 in PL/Python
• Fix issue with subdirectory creation during initdb
• Make pg_ctl report status correctly on Windows
• Suppress confusing error when using pg_receivexlog with older servers
• Multiple documentation corrections and additions
• Fix erroneous hash calculations in gin_extract_jsonb_path()
This update also contains tzdata release 2016a, with updates for Cayman Islands, Metlakatla, Trans-Baikal Territory (Zabaykalsky Krai), and Pakistan.
http://www.postgresql.org/docs/current/static/release-9-5-1.html
E.1. Release 9.5.1
Release Date: 2016-02-11
This release contains a variety of fixes from 9.5.0. For information about new features in the 9.5 major release, see Section E.2.
E.1.1. Migration to Version 9.5.1
A dump/restore is not required for those running 9.5.X.
E.1.2. Changes
• Fix infinite loops and buffer-overrun problems in regular expressions (Tom Lane)
  Very large character ranges in bracket expressions could cause infinite loops in some cases, and memory overwrites in other cases. (CVE-2016-0773)
• Fix an oversight that caused hash joins to miss joining to some tuples of the inner relation in rare cases (Tomas Vondra, Tom Lane)
• Avoid pushdown of HAVING clauses when grouping sets are used (Andrew Gierth)
• Fix deparsing of ON CONFLICT arbiter WHERE clauses (Peter Geoghegan)
• Make %h and %r escapes in log_line_prefix work for messages emitted due to log_connections (Tom Lane)
  Previously, %h/%r started to work just after a new session had emitted the "connection received" log message; now they work for that message too.
• Avoid leaking a token handle during SSPI authentication (Christian Ullrich)
• Fix psql's \det command to interpret its pattern argument the same way as other \d commands with potentially schema-qualified patterns do (Reece Hart)
• In pg_ctl on Windows, check service status to decide where to send output, rather than checking if standard output is a terminal (Michael Paquier)
• Fix assorted corner-case bugs in pg_dump's processing of extension member objects (Tom Lane)
• Fix improper quoting of domain constraint names in pg_dump (Elvis Pranskevichus)
• Make pg_dump mark a view's triggers as needing to be processed after its rule, to prevent possible failure during parallel pg_restore (Tom Lane)
• Install guards in pgbench against corner-case overflow conditions during evaluation of script-specified division or modulo operators (Fabien Coelho, Michael Paquier)
• Suppress useless warning message when pg_receivexlog connects to a pre-9.4 server (Marco Nenciarini)
• Avoid dump/reload problems when using both plpython2 and plpython3 (Tom Lane)
  In principle, both versions of PL/Python can be used in the same database, though not in the same session (because the two versions of libpython cannot safely be used concurrently). However, pg_restore and pg_upgrade both do things that can fall foul of the same-session restriction. Work around that by changing the timing of the check.
• Fix PL/Python regression tests to pass with Python 3.5 (Peter Eisentraut)
• Prevent certain PL/Java parameters from being set by non-superusers (Noah Misch)
  This change mitigates a PL/Java security bug (CVE-2016-0766), which was fixed in PL/Java by marking these parameters as superuser-only. To fix the security hazard for sites that update PostgreSQL more frequently than PL/Java, make the core code aware of them also.
• Fix ecpg-supplied header files to not contain comments continued from a preprocessor directive line onto the next line (Michael Meskes)
  Such a comment is rejected by ecpg. It's not yet clear whether ecpg itself should be changed.
• Fix hstore_to_json_loose()'s test for whether an hstore value can be converted to a JSON number (Tom Lane)
  Previously this function could be fooled by non-alphanumeric trailing characters, leading to emitting syntactically-invalid JSON.
• In contrib/postgres_fdw, fix bugs triggered by use of tableoid in data-modifying commands (Etsuro Fujita, Robert Haas)
• Fix ill-advised restriction of NAMEDATALEN to be less than 256 (Robert Haas, Tom Lane)
• Improve reproducibility of build output by ensuring filenames are given to the linker in a fixed order (Christoph Berg)
  This avoids possible bitwise differences in the produced executable files from one build to the next.
• Ensure that dynloader.h is included in the installed header files in MSVC builds (Bruce Momjian, Michael Paquier)
• Update time zone data files to tzdata release 2016a for DST law changes in Cayman Islands, Metlakatla, and Trans-Baikal Territory (Zabaykalsky Krai), plus historical corrections for Pakistan.
Change History (2)
comment:1 by , 9 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 9 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed at r16954.
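
A triage check for the announcement quoted in the ticket, as an added example that is not part of the ticket or of PostgreSQL: it classifies reported server versions against the fixed minor releases the announcement lists (9.5.1, 9.4.6, 9.3.11, 9.2.15, 9.1.20). The function names, host names and sample inventory are constructed for illustration.

```python
import re

# Minimum fixed minor release per branch, from the 2016-02-11 announcement
# quoted in this ticket (9.5.1, 9.4.6, 9.3.11, 9.2.15, 9.1.20).
FIXED_MINOR = {(9, 5): 1, (9, 4): 6, (9, 3): 11, (9, 2): 15, (9, 1): 20}

# Accepts bare server_version values ("9.4.5", "9.5beta2") and full
# version() banners ("PostgreSQL 9.4.5 on x86_64-pc-linux-gnu, ...").
_VERSION_RE = re.compile(r"^(?:PostgreSQL\s+)?(\d+)\.(\d+)(?:\.(\d+))?")


def classify(version_string):
    """Return 'fixed', 'vulnerable' or 'unlisted' for one version string."""
    m = _VERSION_RE.match(version_string.strip())
    if m is None:
        raise ValueError("unrecognised version string: %r" % version_string)
    branch = (int(m.group(1)), int(m.group(2)))
    # No third component means a pre-release (beta/rc) of that branch,
    # which predates every minor release, so rank it below x.y.0.
    minor = int(m.group(3)) if m.group(3) is not None else -1
    fixed = FIXED_MINOR.get(branch)
    if fixed is None:
        # Branch not named in the announcement: do not guess.
        return "unlisted"
    return "fixed" if minor >= fixed else "vulnerable"


def triage(inventory):
    """Group host names by classification; inventory maps host -> version."""
    groups = {"fixed": [], "vulnerable": [], "unlisted": []}
    for host, version in sorted(inventory.items()):
        groups[classify(version)].append(host)
    return groups


# Constructed sample inventory (hypothetical hosts).
SAMPLE_INVENTORY = {
    "db-a": "PostgreSQL 9.5.0 on x86_64-pc-linux-gnu, compiled by gcc, 64-bit",
    "db-b": "9.5.1",
    "db-c": "9.4.5",
    "db-d": "9.1.20",
    "db-e": "9.5beta2",
    "db-f": "9.0.23",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(status, hosts)
```

A distribution package can carry a backported fix under an older version number, so a "vulnerable" result marks a host to check rather than a confirmed finding.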