postgresql-9.3 9.3.3-1 source package in Ubuntu
Changelog
postgresql-9.3 (9.3.3-1) unstable; urgency=medium [ Christoph Berg ] * New upstream security/bugfix release. + Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch) Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role, but this restriction was easily bypassed by doing SET ROLE first. The security impact is mostly that a role member can revoke the access of others, contrary to the wishes of his grantor. Unapproved role member additions are a lesser concern, since an uncooperative role member could provide most of his rights to others anyway by creating views or SECURITY DEFINER functions. (CVE-2014-0060) + Prevent privilege escalation via manual calls to PL validator functions (Andres Freund) The primary role of PL validator functions is to be called implicitly during CREATE FUNCTION, but they are also normal SQL functions that a user can call explicitly. Calling a validator on a function actually written in some other language was not checked for and could be exploited for privilege-escalation purposes. The fix involves adding a call to a privilege-checking function in each validator function. Non-core procedural languages will also need to make this change to their own validator functions, if any. (CVE-2014-0061) + Avoid multiple name lookups during table and index DDL (Robert Haas, Andres Freund) If the name lookups come to different conclusions due to concurrent activity, we might perform some parts of the DDL on a different table than other parts. At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table than the index creation, allowing for a privilege escalation attack. (CVE-2014-0062) + Prevent buffer overrun with long datetime strings (Noah Misch) The MAXDATELEN constant was too small for the longest possible value of type interval, allowing a buffer overrun in interval_out(). Although the datetime input functions were more careful about avoiding buffer overrun, the limit was short enough to cause them to reject some valid inputs, such as input containing a very long timezone name. The ecpg library contained these vulnerabilities along with some of its own. (CVE-2014-0063) + Prevent buffer overrun due to integer overflow in size calculations (Noah Misch, Heikki Linnakangas) Several functions, mostly type input functions, calculated an allocation size without checking for overflow. If overflow did occur, a too-small buffer would be allocated and then written past. (CVE-2014-0064) + Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich) Use strlcpy() and related functions to provide a clear guarantee that fixed-size buffers are not overrun. Unlike the preceding items, it is unclear whether these cases really represent live issues, since in most cases there appear to be previous constraints on the size of the input string. Nonetheless it seems prudent to silence all Coverity warnings of this type. (CVE-2014-0065) + Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian) There are relatively few scenarios in which crypt() could return NULL, but contrib/chkpass would crash if it did. One practical case in which this could be an issue is if libc is configured to refuse to execute unapproved hashing algorithms (e.g., "FIPS mode"). (CVE-2014-0066) + Document risks of make check in the regression testing instructions (Noah Misch, Tom Lane) Since the temporary server started by make check uses "trust" authentication, another user on the same machine could connect to it as database superuser, and then potentially exploit the privileges of the operating-system user who started the tests. A future release will probably incorporate changes in the testing procedure to prevent this risk, but some public discussion is needed first. So for the moment, just warn people against using make check when there are untrusted users on the same machine. (CVE-2014-0067) + Rework tuple freezing protocol (Álvaro Herrera, Andres Freund) The logic for tuple freezing was unable to handle some cases involving freezing of multixact IDs, with the practical effect that shared row-level locks might be forgotten once old enough. Fixing this required changing the WAL record format for tuple freezing. While this is no issue for standalone servers, when using replication it means that standby servers must be upgraded to 9.3.3 or later before their masters are. An older standby will be unable to interpret freeze records generated by a newer master, and will fail with a PANIC message. (In such a case, upgrading the standby should be sufficient to let it resume execution.) * The upstream tarballs no longer contain a plain HISTORY file, but point to the html documentation. Note the location of these files in our changelog.gz file. * Teach configure to find tclsh8.6 where tclsh is not available. [ Martin Pitt ] * Build with LINUX_OOM_SCORE_ADJ=0 instead of the older LINUX_OOM_ADJ=0. All relevant distro releases (>= squeeze/lucid) use kernels which support /proc/pid/oom_score_adj, so avoid the dmesg warnings. (Closes: #646245, LP: #991725) * Bump Standards-Version to 3.9.5 (no changes necessary). * Build with tcl8.6 where available (>= Jessie, >= trusty). -- Christoph Berg <email address hidden> Wed, 19 Feb 2014 10:15:39 +0100
Upload details
- Uploaded by:
- Debian PostgreSQL Maintainers
- Uploaded to:
- Sid
- Original maintainer:
- Debian PostgreSQL Maintainers
- Architectures:
- any all
- Section:
- misc
- Urgency:
- Medium Urgency
See full publishing history Publishing
Series | Published | Component | Section |
---|
Downloads
File | Size | SHA-256 Checksum |
---|---|---|
postgresql-9.3_9.3.3-1.dsc | 3.2 KiB | 997b1ec43e470705ebc11663362ca78916a21d57d3c794f8e543d17bea5901ff |
postgresql-9.3_9.3.3.orig.tar.bz2 | 15.9 MiB | e925d8abe7157bd8bece6b7c0dd0c343d87a2b4336f85f4681ce596af99c3879 |
postgresql-9.3_9.3.3-1.debian.tar.xz | 26.7 KiB | 20ea4657355dc2f4268718fbced1b14ca7a1bdb81a5676e90f10fb8a2d4dd018 |
Available diffs
No changes file available.
Binary packages built by this source
- libecpg-compat3: older version of run-time library for ECPG programs
The libecpg_compat shared library is used by programs built with ecpg.
(Embedded PostgreSQL for C).
.
PostgreSQL is an object-relational SQL database management system.
- libecpg-dev: development files for ECPG (Embedded PostgreSQL for C)
This package contains the necessary files to build ECPG (Embedded
PostgreSQL for C) programs. It includes the development libraries
and the preprocessor program ecpg.
.
PostgreSQL is an object-relational SQL database management system.
.
Install this package if you want to write C programs with SQL statements
embedded in them (rather than run by an external process).
- libecpg6: run-time library for ECPG programs
The libecpg shared library is used by programs built with ECPG
(Embedded PostgreSQL for C).
.
PostgreSQL is an object-relational SQL database management system.
- libpgtypes3: shared library libpgtypes for PostgreSQL 9.3
The libpgtypes shared library is used by programs built with ecpg.
(Embedded PostgreSQL for C).
.
PostgreSQL is an object-relational SQL database management system.
- libpq-dev: header files for libpq5 (PostgreSQL library)
Header files and static library for compiling C programs to link
with the libpq library in order to communicate with a PostgreSQL
database backend.
.
PostgreSQL is an object-relational SQL database management system.
- libpq5: PostgreSQL C client library
libpq is a C library that enables user programs to communicate with
the PostgreSQL database server. The server can be on another machine
and accessed through TCP/IP. This version of libpq is compatible
with servers from PostgreSQL 8.2 or later.
.
This package contains the run-time library, needed by packages using
libpq.
.
PostgreSQL is an object-relational SQL database management system.
- postgresql-9.3: object-relational SQL database, version 9.3 server
PostgreSQL is a fully featured object-relational database management
system. It supports a large part of the SQL standard and is designed
to be extensible by users in many aspects. Some of the features are:
ACID transactions, foreign keys, views, sequences, subqueries,
triggers, user-defined types and functions, outer joins, multiversion
concurrency control. Graphical user interfaces and bindings for many
programming languages are available as well.
.
This package provides the database server for PostgreSQL 9.3. Servers
for other major release versions can be installed simultaneously and
are coordinated by the postgresql-common package. A package providing
ident-server is needed if you want to authenticate remote connections
with identd.
- postgresql-9.3-dbg: debug symbols for postgresql-9.3
PostgreSQL is a fully featured object-relational database management
system. It supports a large part of the SQL standard and is designed
to be extensible by users in many aspects. Some of the features are:
ACID transactions, foreign keys, views, sequences, subqueries,
triggers, user-defined types and functions, outer joins, multiversion
concurrency control. Graphical user interfaces and bindings for many
programming languages are available as well.
.
This package provides detached debugging symbols for PostgreSQL 9.3.
- postgresql-client-9.3: front-end programs for PostgreSQL 9.3
This package contains client and administrative programs for
PostgreSQL: these are the interactive terminal client psql and
programs for creating and removing users and databases.
.
This is the client package for PostgreSQL 9.3. If you install
PostgreSQL 9.3 on a standalone machine, you need the server package
postgresql-9.3, too. On a network, you can install this package on
many client machines, while the server package may be installed on
only one machine.
.
PostgreSQL is an object-relational SQL database management system.
- postgresql-contrib-9.3: additional facilities for PostgreSQL
The PostgreSQL contrib package provides several additional features
for the PostgreSQL database. This version is built to work with the
server package postgresql-9.3. contrib often serves as a testbed for
features before they are adopted into PostgreSQL proper:
.
adminpack - File and log manipulation routines, used by pgAdmin
btree_gist - B-Tree indexing using GiST (Generalised Search Tree)
chkpass - An auto-encrypted password datatype
cube - Multidimensional-cube datatype (GiST indexing example)
dblink - Functions to return results from a remote database
earthdistance - Operator for computing the distance (in miles) between
two points on the earth's surface
fuzzystrmatch - Levenshtein, metaphone, and soundex fuzzy string matching
hstore - Store (key, value) pairs
intagg - Integer aggregator/enumerator
_int - Index support for arrays of int4, using GiST (benchmark
needs the libdbd-pg-perl package)
isn - type extensions for ISBN, ISSN, ISMN, EAN13 product numbers
lo - Large Object maintenance
ltree - Tree-like data structures
oid2name - Maps OIDs to table names
pageinspect - Inspection of database pages
passwordcheck - Simple password strength checker
pg_buffercache - Real time queries on the shared buffer cache
pg_freespacemap- Displays the contents of the free space map (FSM)
pg_trgm - Determine the similarity of text based on trigram matching
pg_standby - Create a warm stand-by server
pgbench - TPC-B like benchmark
pgcrypto - Cryptographic functions
pgrowlocks - A function to return row locking information
pgstattuple - Returns the percentage of dead tuples in a table; this
indicates whether a vacuum is required.
postgresql_fwd - foreign data wrapper for PostgreSQL
seg - Confidence-interval datatype (GiST indexing example)
spi - PostgreSQL Server Programming Interface; 4 examples of
its use:
autoinc - A function for implementing AUTOINCREMENT/
IDENTITY
insert_ username - function for inserting user names
moddatetim e - Update modification timestamps
refint - Functions for implementing referential
integrity (foreign keys). Note that this is
now superseded by built-in referential
integrity.
timetravel - Re-implements in user code the time travel
feature that was removed in 6.3.
tablefunc - examples of functions returning tables
uuid-ossp - UUID generation functions
vacuumlo - Remove orphaned large objects
.
PostgreSQL is an object-relational SQL database management system.
- postgresql-doc-9.3: documentation for the PostgreSQL database management system
This package contains all README files, user manual, and examples for
PostgreSQL 9.3. The manual is in HTML format.
.
PostgreSQL is an object-relational SQL database management system.
- postgresql-plperl-9.3: PL/Perl procedural language for PostgreSQL 9.3
PL/Perl enables an SQL developer to write procedural language functions
for PostgreSQL 9.3 in Perl. You need this package if you have any
PostgreSQL 9.3 functions that use the languages plperl or plperlu.
.
PostgreSQL is an object-relational SQL database management system.
- postgresql-plpython-9.3: PL/Python procedural language for PostgreSQL 9.3
PL/Python enables an SQL developer to write procedural language functions
for PostgreSQL 9.3 in Python. You need this package if you have any
PostgreSQL 9.3 functions that use the languages plpython or plpythonu.
.
PostgreSQL is an object-relational SQL database management system.
- postgresql-plpython3-9.3: PL/Python 3 procedural language for PostgreSQL 9.3
PL/Python 3 enables an SQL developer to write procedural language functions
for PostgreSQL 9.3 in Python 3. You need this package if you have any
PostgreSQL 9.3 functions that use the languages plpython3 or plpython3u.
.
PostgreSQL is an object-relational SQL database management system.
- postgresql-pltcl-9.3: PL/Tcl procedural language for PostgreSQL 9.3
PL/Tcl enables an SQL developer to write procedural language functions
for PostgreSQL 9.3 in Tcl. You need this package if you have any
PostgreSQL 9.3 functions that use the languages pltcl or pltclu.
.
PostgreSQL is an object-relational SQL database management system.
- postgresql-server-dev-9.3: development files for PostgreSQL 9.3 server-side programming
Header files for compiling SSI code to link into PostgreSQL's backend; for
example, for C functions to be called from SQL.
.
This package also contains the Makefiles necessary for building add-on
modules of PostgreSQL, which would otherwise have to be built in the
PostgreSQL source-code tree.
.
PostgreSQL is an object-relational SQL database management system.