postgresql-9.3 9.3.3-1 source package in Ubuntu

Changelog

postgresql-9.3 (9.3.3-1) unstable; urgency=medium


  [ Christoph Berg ]
  * New upstream security/bugfix release.

    + Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)

      Granting a role without ADMIN OPTION is supposed to prevent the grantee
      from adding or removing members from the granted role, but this
      restriction was easily bypassed by doing SET ROLE first. The security
      impact is mostly that a role member can revoke the access of others,
      contrary to the wishes of his grantor. Unapproved role member additions
      are a lesser concern, since an uncooperative role member could provide
      most of his rights to others anyway by creating views or SECURITY
      DEFINER functions. (CVE-2014-0060)

    + Prevent privilege escalation via manual calls to PL validator functions
      (Andres Freund)

      The primary role of PL validator functions is to be called implicitly
      during CREATE FUNCTION, but they are also normal SQL functions that a
      user can call explicitly. Calling a validator on a function actually
      written in some other language was not checked for and could be
      exploited for privilege-escalation purposes. The fix involves adding a
      call to a privilege-checking function in each validator function.
      Non-core procedural languages will also need to make this change to
      their own validator functions, if any. (CVE-2014-0061)

    + Avoid multiple name lookups during table and index DDL (Robert Haas,
      Andres Freund)

      If the name lookups come to different conclusions due to concurrent
      activity, we might perform some parts of the DDL on a different table
      than other parts. At least in the case of CREATE INDEX, this can be used
      to cause the permissions checks to be performed against a different
      table than the index creation, allowing for a privilege escalation
      attack. (CVE-2014-0062)

    + Prevent buffer overrun with long datetime strings (Noah Misch)

      The MAXDATELEN constant was too small for the longest possible value of
      type interval, allowing a buffer overrun in interval_out(). Although the
      datetime input functions were more careful about avoiding buffer
      overrun, the limit was short enough to cause them to reject some valid
      inputs, such as input containing a very long timezone name. The ecpg
      library contained these vulnerabilities along with some of its own.
      (CVE-2014-0063)

    + Prevent buffer overrun due to integer overflow in size calculations
      (Noah Misch, Heikki Linnakangas)

      Several functions, mostly type input functions, calculated an allocation
      size without checking for overflow. If overflow did occur, a too-small
      buffer would be allocated and then written past. (CVE-2014-0064)

    + Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)

      Use strlcpy() and related functions to provide a clear guarantee that
      fixed-size buffers are not overrun. Unlike the preceding items, it is
      unclear whether these cases really represent live issues, since in most
      cases there appear to be previous constraints on the size of the input
      string. Nonetheless it seems prudent to silence all Coverity warnings of
      this type. (CVE-2014-0065)

    + Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian)

      There are relatively few scenarios in which crypt() could return NULL,
      but contrib/chkpass would crash if it did. One practical case in which
      this could be an issue is if libc is configured to refuse to execute
      unapproved hashing algorithms (e.g., "FIPS mode"). (CVE-2014-0066)

    + Document risks of make check in the regression testing instructions
      (Noah Misch, Tom Lane)

      Since the temporary server started by make check uses "trust"
      authentication, another user on the same machine could connect to it as
      database superuser, and then potentially exploit the privileges of the
      operating-system user who started the tests. A future release will
      probably incorporate changes in the testing procedure to prevent this
      risk, but some public discussion is needed first. So for the moment,
      just warn people against using make check when there are untrusted users
      on the same machine. (CVE-2014-0067)

    + Rework tuple freezing protocol (Álvaro Herrera, Andres Freund)

      The logic for tuple freezing was unable to handle some cases involving
      freezing of multixact IDs, with the practical effect that shared
      row-level locks might be forgotten once old enough.

      Fixing this required changing the WAL record format for tuple freezing.
      While this is no issue for standalone servers, when using replication it
      means that standby servers must be upgraded to 9.3.3 or later before
      their masters are. An older standby will be unable to interpret freeze
      records generated by a newer master, and will fail with a PANIC message.
      (In such a case, upgrading the standby should be sufficient to let it
      resume execution.)

  * The upstream tarballs no longer contain a plain HISTORY file, but point to
    the html documentation. Note the location of these files in our
    changelog.gz file.
  * Teach configure to find tclsh8.6 where tclsh is not available.

  [ Martin Pitt ]
  * Build with LINUX_OOM_SCORE_ADJ=0 instead of the older LINUX_OOM_ADJ=0. All
    relevant distro releases (>= squeeze/lucid) use kernels which support
    /proc/pid/oom_score_adj, so avoid the dmesg warnings. (Closes: #646245,
    LP: #991725)
  * Bump Standards-Version to 3.9.5 (no changes necessary).
  * Build with tcl8.6 where available (>= Jessie, >= trusty).

 -- Christoph Berg <email address hidden>  Wed, 19 Feb 2014 10:15:39 +0100
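
The two mitigation patterns the upstream notes above describe for the memory-safety items (the overflow check on allocation sizes behind CVE-2014-0064, and the strlcpy()-style bounded copies behind CVE-2014-0065, with a fixed-size buffer standing in for the MAXDATELEN case of CVE-2014-0063) are shown below as an added example in C. It is not PostgreSQL's or the Debian package's code: MAX_ALLOC, unchecked_array_size(), checked_array_size(), bounded_copy(), tz_name_fits() and the 16-byte buffer are this example's own constructions, and bounded_copy() is written out in full because glibc only gained strlcpy() in 2.38. The "before" helper only computes the wrapped size and allocates nothing, so the block is safe to run.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed allocation ceiling (about 1 GiB); a stand-in for a real allocator limit. */
#define MAX_ALLOC ((size_t)0x3fffffff)

/*
 * "Before" pattern (the defect class behind CVE-2014-0064): the allocation size
 * is computed in 32-bit unsigned arithmetic with no overflow check.  A hostile
 * element count wraps the product to a tiny value; a caller would then allocate
 * that tiny buffer and write count * elem_size bytes into it.  This helper only
 * returns the wrapped number so the effect is visible; it allocates nothing.
 */
static unsigned int unchecked_array_size(unsigned int header,
                                         unsigned int count,
                                         unsigned int elem_size)
{
    return header + count * elem_size;      /* wraps modulo 2^32 */
}

/*
 * "After" pattern: bound the count before multiplying so the product can never
 * exceed MAX_ALLOC - header, then add the header.  Returns false instead of a
 * wrapped size so the caller raises an error rather than under-allocating.
 */
static bool checked_array_size(size_t header, size_t count, size_t elem_size,
                               size_t *out)
{
    if (elem_size == 0 || header > MAX_ALLOC)
        return false;
    if (count > (MAX_ALLOC - header) / elem_size)
        return false;                       /* product would exceed the ceiling */
    *out = header + count * elem_size;      /* cannot overflow: total <= MAX_ALLOC */
    return true;
}

/* Convenience wrapper: the admissible size, or 0 when the request is refused. */
static size_t checked_or_zero(size_t header, size_t count, size_t elem_size)
{
    size_t sz;
    return checked_array_size(header, count, elem_size, &sz) ? sz : 0;
}

/*
 * strlcpy()-style bounded copy (the CVE-2014-0065 remedy): copy at most
 * dstsize - 1 bytes, always NUL-terminate, and return the full source length so
 * the caller can detect truncation (return value >= dstsize).
 */
static size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize != 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/*
 * A fixed 16-byte buffer stands in for the MAXDATELEN-sized buffers of
 * CVE-2014-0063.  Instead of overrunning on a long timezone name, the copy is
 * bounded and the caller learns whether the input fit, so it can reject it.
 */
static bool tz_name_fits(const char *name)
{
    char buf[16];
    return bounded_copy(buf, name, sizeof buf) < sizeof buf;
}

/* A truncated copy is still NUL-terminated and holds the leading prefix. */
static bool truncation_is_clean(void)
{
    char buf[8];
    size_t full = bounded_copy(buf, "Europe/Amsterdam", sizeof buf); /* constructed input */
    return full == 16 && strcmp(buf, "Europe/") == 0;
}

int main(void)
{
    printf("unchecked size for 2^30 x 8-byte elements: %u (wrapped)\n",
           unchecked_array_size(8u, 0x40000000u, 8u));
    printf("checked size for the same request: %zu (0 = refused)\n",
           checked_or_zero(8, 0x40000000, 8));
    printf("\"UTC\" fits in 16 bytes: %d\n", tz_name_fits("UTC"));
    printf("\"America/Argentina/Buenos_Aires\" fits in 16 bytes: %d\n",
           tz_name_fits("America/Argentina/Buenos_Aires"));
    return 0;
}
```

The checked variant divides rather than multiplies when testing the bound, so the comparison itself can never overflow; the bounded copy returns the source length instead of a pointer, which is what lets input functions reject an over-long value rather than silently truncate or overrun it.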

Upload details

Uploaded by: Debian PostgreSQL Maintainers
Uploaded to: Sid
Original maintainer: Debian PostgreSQL Maintainers
Architectures: any all
Section: misc
Urgency: Medium Urgency

Downloads

File Size SHA-256 Checksum
postgresql-9.3_9.3.3-1.dsc 3.2 KiB 997b1ec43e470705ebc11663362ca78916a21d57d3c794f8e543d17bea5901ff
postgresql-9.3_9.3.3.orig.tar.bz2 15.9 MiB e925d8abe7157bd8bece6b7c0dd0c343d87a2b4336f85f4681ce596af99c3879
postgresql-9.3_9.3.3-1.debian.tar.xz 26.7 KiB 20ea4657355dc2f4268718fbced1b14ca7a1bdb81a5676e90f10fb8a2d4dd018

No changes file available.

Binary packages built by this source

libecpg-compat3: older version of run-time library for ECPG programs

 The libecpg_compat shared library is used by programs built with ecpg
 (Embedded PostgreSQL for C).
 .
 PostgreSQL is an object-relational SQL database management system.

libecpg-dev: development files for ECPG (Embedded PostgreSQL for C)

 This package contains the necessary files to build ECPG (Embedded
 PostgreSQL for C) programs. It includes the development libraries
 and the preprocessor program ecpg.
 .
 PostgreSQL is an object-relational SQL database management system.
 .
 Install this package if you want to write C programs with SQL statements
 embedded in them (rather than run by an external process).

libecpg6: run-time library for ECPG programs

 The libecpg shared library is used by programs built with ECPG
 (Embedded PostgreSQL for C).
 .
 PostgreSQL is an object-relational SQL database management system.

libpgtypes3: shared library libpgtypes for PostgreSQL 9.3

 The libpgtypes shared library is used by programs built with ecpg
 (Embedded PostgreSQL for C).
 .
 PostgreSQL is an object-relational SQL database management system.

libpq-dev: header files for libpq5 (PostgreSQL library)

 Header files and static library for compiling C programs to link
 with the libpq library in order to communicate with a PostgreSQL
 database backend.
 .
 PostgreSQL is an object-relational SQL database management system.

libpq5: PostgreSQL C client library

 libpq is a C library that enables user programs to communicate with
 the PostgreSQL database server. The server can be on another machine
 and accessed through TCP/IP. This version of libpq is compatible
 with servers from PostgreSQL 8.2 or later.
 .
 This package contains the run-time library, needed by packages using
 libpq.
 .
 PostgreSQL is an object-relational SQL database management system.

postgresql-9.3: object-relational SQL database, version 9.3 server

 PostgreSQL is a fully featured object-relational database management
 system. It supports a large part of the SQL standard and is designed
 to be extensible by users in many aspects. Some of the features are:
 ACID transactions, foreign keys, views, sequences, subqueries,
 triggers, user-defined types and functions, outer joins, multiversion
 concurrency control. Graphical user interfaces and bindings for many
 programming languages are available as well.
 .
 This package provides the database server for PostgreSQL 9.3. Servers
 for other major release versions can be installed simultaneously and
 are coordinated by the postgresql-common package. A package providing
 ident-server is needed if you want to authenticate remote connections
 with identd.

postgresql-9.3-dbg: debug symbols for postgresql-9.3

 PostgreSQL is a fully featured object-relational database management
 system. It supports a large part of the SQL standard and is designed
 to be extensible by users in many aspects. Some of the features are:
 ACID transactions, foreign keys, views, sequences, subqueries,
 triggers, user-defined types and functions, outer joins, multiversion
 concurrency control. Graphical user interfaces and bindings for many
 programming languages are available as well.
 .
 This package provides detached debugging symbols for PostgreSQL 9.3.

postgresql-client-9.3: front-end programs for PostgreSQL 9.3

 This package contains client and administrative programs for
 PostgreSQL: these are the interactive terminal client psql and
 programs for creating and removing users and databases.
 .
 This is the client package for PostgreSQL 9.3. If you install
 PostgreSQL 9.3 on a standalone machine, you need the server package
 postgresql-9.3, too. On a network, you can install this package on
 many client machines, while the server package may be installed on
 only one machine.
 .
 PostgreSQL is an object-relational SQL database management system.

postgresql-contrib-9.3: additional facilities for PostgreSQL

 The PostgreSQL contrib package provides several additional features
 for the PostgreSQL database. This version is built to work with the
 server package postgresql-9.3. contrib often serves as a testbed for
 features before they are adopted into PostgreSQL proper:
 .
  adminpack - File and log manipulation routines, used by pgAdmin
  btree_gist - B-Tree indexing using GiST (Generalised Search Tree)
  chkpass - An auto-encrypted password datatype
  cube - Multidimensional-cube datatype (GiST indexing example)
  dblink - Functions to return results from a remote database
  earthdistance - Operator for computing the distance (in miles) between
                   two points on the earth's surface
  fuzzystrmatch - Levenshtein, metaphone, and soundex fuzzy string matching
  hstore - Store (key, value) pairs
  intagg - Integer aggregator/enumerator
  _int - Index support for arrays of int4, using GiST (benchmark
                   needs the libdbd-pg-perl package)
  isn - type extensions for ISBN, ISSN, ISMN, EAN13 product numbers
  lo - Large Object maintenance
  ltree - Tree-like data structures
  oid2name - Maps OIDs to table names
  pageinspect - Inspection of database pages
  passwordcheck - Simple password strength checker
  pg_buffercache - Real time queries on the shared buffer cache
  pg_freespacemap - Displays the contents of the free space map (FSM)
  pg_trgm - Determine the similarity of text based on trigram matching
  pg_standby - Create a warm stand-by server
  pgbench - TPC-B like benchmark
  pgcrypto - Cryptographic functions
  pgrowlocks - A function to return row locking information
  pgstattuple - Returns the percentage of dead tuples in a table; this
                   indicates whether a vacuum is required.
  postgres_fdw - foreign data wrapper for PostgreSQL
  seg - Confidence-interval datatype (GiST indexing example)
  spi - PostgreSQL Server Programming Interface; 4 examples of
                   its use:
                   autoinc - A function for implementing AUTOINCREMENT/
                                IDENTITY
                   insert_username - function for inserting user names
                   moddatetime - Update modification timestamps
                   refint - Functions for implementing referential
                                integrity (foreign keys). Note that this is
                                now superseded by built-in referential
                                integrity.
                   timetravel - Re-implements in user code the time travel
                                feature that was removed in 6.3.
  tablefunc - examples of functions returning tables
  uuid-ossp - UUID generation functions
  vacuumlo - Remove orphaned large objects
 .
 PostgreSQL is an object-relational SQL database management system.

postgresql-doc-9.3: documentation for the PostgreSQL database management system

 This package contains all README files, user manual, and examples for
 PostgreSQL 9.3. The manual is in HTML format.
 .
 PostgreSQL is an object-relational SQL database management system.

postgresql-plperl-9.3: PL/Perl procedural language for PostgreSQL 9.3

 PL/Perl enables an SQL developer to write procedural language functions
 for PostgreSQL 9.3 in Perl. You need this package if you have any
 PostgreSQL 9.3 functions that use the languages plperl or plperlu.
 .
 PostgreSQL is an object-relational SQL database management system.

postgresql-plpython-9.3: PL/Python procedural language for PostgreSQL 9.3

 PL/Python enables an SQL developer to write procedural language functions
 for PostgreSQL 9.3 in Python. You need this package if you have any
 PostgreSQL 9.3 functions that use the languages plpython or plpythonu.
 .
 PostgreSQL is an object-relational SQL database management system.

postgresql-plpython3-9.3: PL/Python 3 procedural language for PostgreSQL 9.3

 PL/Python 3 enables an SQL developer to write procedural language functions
 for PostgreSQL 9.3 in Python 3. You need this package if you have any
 PostgreSQL 9.3 functions that use the languages plpython3 or plpython3u.
 .
 PostgreSQL is an object-relational SQL database management system.

postgresql-pltcl-9.3: PL/Tcl procedural language for PostgreSQL 9.3

 PL/Tcl enables an SQL developer to write procedural language functions
 for PostgreSQL 9.3 in Tcl. You need this package if you have any
 PostgreSQL 9.3 functions that use the languages pltcl or pltclu.
 .
 PostgreSQL is an object-relational SQL database management system.

postgresql-server-dev-9.3: development files for PostgreSQL 9.3 server-side programming

 Header files for compiling SSI code to link into PostgreSQL's backend; for
 example, for C functions to be called from SQL.
 .
 This package also contains the Makefiles necessary for building add-on
 modules of PostgreSQL, which would otherwise have to be built in the
 PostgreSQL source-code tree.
 .
 PostgreSQL is an object-relational SQL database management system.