postgresql-8.1 8.1.11-0ubuntu0.6.10.1 source package in Ubuntu

Changelog

postgresql-8.1 (8.1.11-0ubuntu0.6.10.1) edgy-security; urgency=low

  * New upstream security/bugfix release:
    - Prevent functions in indexes from executing with the privileges of
      the user running "VACUUM", "ANALYZE", etc. "SET ROLE" is now forbidden
      within a SECURITY DEFINER context. [CVE-2007-6600]
    - Suitably crafted regular-expression patterns could cause crashes,
      infinite or near-infinite looping, and/or massive memory
      consumption, all of which pose denial-of-service hazards for
      applications that accept regex search patterns from untrustworthy
      sources. [CVE-2007-4769, CVE-2007-4772, CVE-2007-6067]
    - Require non-superusers who use "/contrib/dblink" to use only
      password authentication, as a security measure.
      The fix that appeared for this in 8.2.5 was incomplete, as it
      plugged the hole for only some "dblink" functions. [CVE-2007-6601,
      CVE-2007-3278]
    - Fix planner failure in some cases of WHERE false AND var IN (SELECT
      ...).
    - Preserve the tablespace and storage parameters of indexes that are
      rebuilt by "ALTER TABLE ... ALTER COLUMN TYPE".
    - Make archive recovery always start a new WAL timeline, rather than
      only when a recovery stop time was used. This avoids a corner-case risk
      of trying to overwrite an existing archived copy of the last WAL
      segment, and seems simpler and cleaner than the original definition.
    - Make "VACUUM" not use all of maintenance_work_mem when the table is
      too small for it to be useful.
    - Fix potential crash in translate() when using a multibyte database
      encoding.
    - Fix overflow in extract(epoch from interval) for intervals
      exceeding 68 years.
    - Fix PL/Perl to not fail when a UTF-8 regular expression is used in
      a trusted function.
    - Fix PL/Python to not crash on long exception messages.
    - Fix pg_dump to correctly handle inheritance child tables that have
      default expressions different from their parent's.
    - Fix libpq crash when PGPASSFILE refers to a file that is not a
      plain file.
    - ecpg parser fixes.
    - Make "contrib/tablefunc"'s crosstab() handle NULL rowid as a
      category in its own right, rather than crashing.
    - Fix tsvector and tsquery output routines to escape backslashes
      correctly.
    - Fix crash of to_tsvector() on huge input strings.
  * Use the timezone database from the system tzdata instead of shipping our
    own.
    - debian/patches/04-timezone-symlinks.patch: Drop previous
      hardlink-to-symlink patch to zic, since that is irrelevant now. Replace
      the patch with a Makefile change that just symlinks /usr/share/zoneinfo
      to where postgresql previously installed its own tzdata copy.
    - debian/control: Add tzdata dependency.
    - debian/postgresql-8.1.install: Install the 'timezone' symlink, not the
      files in the dereferenced directory.
    - debian/postgresql-8.1.postinst: Replace the timezone directory with the
      symlink on upgrades, since dpkg does not do that automatically. Without
      this, we'd end up with an empty timezone directory.

 -- Martin Pitt <email address hidden>   Sat, 05 Jan 2008 19:39:17 +0100