Opened 8 years ago

Closed 8 years ago

#7453 closed enhancement (fixed)

postgresql-9.5.1

Reported by: Fernando de Oliveira Owned by: Fernando de Oliveira
Priority: high Milestone: 7.9
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

Security Fixes

CVE-2016-0773, CVE-2016-0766

http://www.postgresql.org/about/news/1644/

Security Fixes for Regular Expressions, PL/Java

This release closes security hole CVE-2016-0773, an issue with regular
expression (regex) parsing. Prior code allowed users to pass in
expressions which included out-of-range Unicode characters, triggering a
backend crash. This issue is critical for PostgreSQL systems with
untrusted users or which generate regexes based on user input.

The update also fixes CVE-2016-0766, a privilege escalation issue for
users of PL/Java. Certain custom configuration settings (GUCS) for
PL/Java will now be modifiable only by the database superuser.

http://ftp.postgresql.org/pub/source/v9.5.1/postgresql-9.5.1.tar.bz2

http://ftp.postgresql.org/pub/source/v9.5.1/postgresql-9.5.1.tar.bz2.md5

11e037afaa4bd0c90bb3c3d955e2b401 postgresql-9.5.1.tar.bz2

http://www.postgresql.org/about/news/1644/

2016-02-11 Security Update Release
Posted on Feb. 11, 2016

The PostgreSQL Global Development Group has released an update to all
supported versions of our database system, including 9.5.1, 9.4.6,
9.3.11, 9.2.15, and 9.1.20. This release fixes two security issues, as
well as several bugs found over the last four months. Users vulnerable
to the security issues should update their installations immediately;
other users should update at the next scheduled downtime.

Security Fixes for Regular Expressions, PL/Java

This release closes security hole CVE-2016-0773, an issue with regular
expression (regex) parsing. Prior code allowed users to pass in
expressions which included out-of-range Unicode characters, triggering a
backend crash. This issue is critical for PostgreSQL systems with
untrusted users or which generate regexes based on user input.

The update also fixes CVE-2016-0766, a privilege escalation issue for
users of PL/Java. Certain custom configuration settings (GUCS) for
PL/Java will now be modifiable only by the database superuser.

Other Fixes and Improvements

In addition to the above, many other issues were patched in this release
based on bugs reported by our users over the last few months. This
includes multiple fixes for new features introduced in version 9.5.0, as
well as refactoring of pg_dump to eliminate a number of chronic issues
with backing up EXTENSIONs. Among them are:

      • Fix many issues in pg_dump with specific object types
      • Prevent over-eager pushdown of HAVING clauses for GROUPING SETS
      • Fix deparsing error with ON CONFLICT ... WHERE clauses
      • Fix tableoid errors for postgres_fdw
      • Prevent floating-point exceptions in pgbench
      • Make \det search Foreign Table names consistently
      • Fix quoting of domain constraint names in pg_dump
      • Prevent putting expanded objects into Const nodes
      • Allow compile of PL/Java on Windows
      • Fix "unresolved symbol" errors in PL/Python execution
      • Allow Python2 and Python3 to be used in the same database
      • Add support for Python 3.5 in PL/Python
      • Fix issue with subdirectory creation during initdb
      • Make pg_ctl report status correctly on Windows
      • Suppress confusing error when using pg_receivexlog with older
        servers
      • Multiple documentation corrections and additions
      • Fix erroneous hash calculations in gin_extract_jsonb_path()

This update also contains tzdata release 2016a, with updates for Cayman
Islands, Metlakatla, Trans-Baikal Territory (Zabaykalsky Krai), and
Pakistan.

http://www.postgresql.org/docs/current/static/release-9-5-1.html

E.1. Release 9.5.1

    Release Date: 2016-02-11

This release contains a variety of fixes from 9.5.0. For information
about new features in the 9.5 major release, see Section E.2.

E.1.1. Migration to Version 9.5.1

A dump/restore is not required for those running 9.5.X.

E.1.2. Changes

   • Fix infinite loops and buffer-overrun problems in regular
     expressions (Tom Lane)

     Very large character ranges in bracket expressions could cause
     infinite loops in some cases, and memory overwrites in other cases.
     (CVE-2016-0773)

   • Fix an oversight that caused hash joins to miss joining to some
     tuples of the inner relation in rare cases (Tomas Vondra, Tom Lane)

   • Avoid pushdown of HAVING clauses when grouping sets are used
     (Andrew Gierth)

   • Fix deparsing of ON CONFLICT arbiter WHERE clauses (Peter
     Geoghegan)

   • Make %h and %r escapes in log_line_prefix work for messages emitted
     due to log_connections (Tom Lane)

     Previously, %h/%r started to work just after a new session had
     emitted the "connection received" log message; now they work for
     that message too.

   • Avoid leaking a token handle during SSPI authentication (Christian
     Ullrich)

   • Fix psql's \det command to interpret its pattern argument the same
     way as other \d commands with potentially schema-qualified patterns
     do (Reece Hart)

   • In pg_ctl on Windows, check service status to decide where to send
     output, rather than checking if standard output is a terminal
     (Michael Paquier)

   • Fix assorted corner-case bugs in pg_dump's processing of extension
     member objects (Tom Lane)

   • Fix improper quoting of domain constraint names in pg_dump (Elvis
     Pranskevichus)

   • Make pg_dump mark a view's triggers as needing to be processed
     after its rule, to prevent possible failure during parallel
     pg_restore (Tom Lane)

   • Install guards in pgbench against corner-case overflow conditions
     during evaluation of script-specified division or modulo operators
     (Fabien Coelho, Michael Paquier)

   • Suppress useless warning message when pg_receivexlog connects to a
     pre-9.4 server (Marco Nenciarini)

   • Avoid dump/reload problems when using both plpython2 and plpython3
     (Tom Lane)

     In principle, both versions of PL/Python can be used in the same
     database, though not in the same session (because the two versions
     of libpython cannot safely be used concurrently). However,
     pg_restore and pg_upgrade both do things that can fall foul of the
     same-session restriction. Work around that by changing the timing
     of the check.

   • Fix PL/Python regression tests to pass with Python 3.5 (Peter
     Eisentraut)

   • Prevent certain PL/Java parameters from being set by non-superusers
     (Noah Misch)

     This change mitigates a PL/Java security bug (CVE-2016-0766), which
     was fixed in PL/Java by marking these parameters as superuser-only.
     To fix the security hazard for sites that update PostgreSQL more
     frequently than PL/Java, make the core code aware of them also.

   • Fix ecpg-supplied header files to not contain comments continued
     from a preprocessor directive line onto the next line (Michael
     Meskes)

     Such a comment is rejected by ecpg. It's not yet clear whether ecpg
     itself should be changed.

   • Fix hstore_to_json_loose()'s test for whether an hstore value can
     be converted to a JSON number (Tom Lane)

     Previously this function could be fooled by non-alphanumeric
     trailing characters, leading to emitting syntactically-invalid
     JSON.

   • In contrib/postgres_fdw, fix bugs triggered by use of tableoid in
     data-modifying commands (Etsuro Fujita, Robert Haas)

   • Fix ill-advised restriction of NAMEDATALEN to be less than 256
     (Robert Haas, Tom Lane)

   • Improve reproducibility of build output by ensuring filenames are
     given to the linker in a fixed order (Christoph Berg)

     This avoids possible bitwise differences in the produced executable
     files from one build to the next.

   • Ensure that dynloader.h is included in the installed header files
     in MSVC builds (Bruce Momjian, Michael Paquier)

   • Update time zone data files to tzdata release 2016a for DST law
     changes in Cayman Islands, Metlakatla, and Trans-Baikal Territory
     (Zabaykalsky Krai), plus historical corrections for Pakistan.
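The ticket lists the tarball's published .md5 file and digest above. The following checker is an added example for this page (not BLFS tooling or PostgreSQL's own code): it parses md5sum-style lines of the form `<32 hex digits>  <filename>`, streams the tarball through MD5, and compares against the entry for that filename. It assumes nothing beyond the line format shown in the ticket; the tarball it checks is a constructed stand-in written to a temporary directory, so it runs offline, and the published digest is expected to fail against that stand-in.

```python
"""Verify a downloaded tarball against a published md5sum-style .md5 file.

Added example, not part of the ticket or of PostgreSQL. The only format
assumption is the one visible in the ticket: '<32 hex digits>  <filename>'.
"""
import hashlib
import hmac
import os
import tempfile


def parse_md5_file(text):
    """Map filename -> expected digest from md5sum-style lines.

    Lines that are not '<32 hex digits> <name>' are ignored, so an HTML
    error page saved under the .md5 name is never taken for a checksum.
    """
    expected = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        if len(digest) != 32:
            continue
        try:
            int(digest, 16)
        except ValueError:
            continue
        # md5sum prefixes binary-mode entries with '*'
        expected[name.lstrip("*")] = digest.lower()
    return expected


def md5_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large tarball need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tarball(tarball_path, md5_text):
    """True only if the .md5 text names this tarball and the digest matches."""
    expected = parse_md5_file(md5_text)
    name = os.path.basename(tarball_path)
    if name not in expected:
        return False
    # compare_digest is a good habit for any digest comparison
    return hmac.compare_digest(md5_of_file(tarball_path), expected[name])


def demo():
    """Constructed stand-in tarball: its own digest passes, the published one fails."""
    payload = b"constructed stand-in for postgresql-9.5.1.tar.bz2\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "postgresql-9.5.1.tar.bz2")
        with open(path, "wb") as f:
            f.write(payload)
        good_md5 = hashlib.md5(payload).hexdigest() + "  postgresql-9.5.1.tar.bz2\n"
        # Digest published in the ticket; it belongs to the real tarball,
        # so against the constructed file it must not verify.
        published_md5 = "11e037afaa4bd0c90bb3c3d955e2b401  postgresql-9.5.1.tar.bz2\n"
        return verify_tarball(path, good_md5), verify_tarball(path, published_md5)


if __name__ == "__main__":
    print(demo())
```

From a shell the same check is `md5sum -c postgresql-9.5.1.tar.bz2.md5` run in the directory holding the tarball. Either way, the .md5 file is served from the same host as the tarball, so a match rules out a corrupted download but says nothing about a substituted one.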

Change History (2)

comment:1 by Fernando de Oliveira, 8 years ago

Owner: changed from blfs-book@… to Fernando de Oliveira
Status: new → assigned

comment:2 by Fernando de Oliveira, 8 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r16954.
