postgresql 7.4.7-2ubuntu2.3 source package in Ubuntu
Changelog
postgresql (7.4.7-2ubuntu2.3) hoary-security; urgency=low * SECURITY UPDATE: Remote SQL injection. * Add debian/patches/54reject-invalid-encoding.patch: - Change the backend to reject strings containing invalidly-encoded multibyte characters in all cases. Formerly we mostly just threw warnings for invalid input, and failed to detect it at all if no encoding conversion was required. The tighter check is needed to defend against SQL-injection attacks. - Also, fix a few longstanding errors in little-used encoding conversion routines: win1251_to_iso, win866_to_iso, euc_tw_to_big5, euc_tw_to_mic, mic_to_euc_tw were all broken to varying extents. - Patch backported from 8.0.8. - CVE-2006-2313 * Add debian/patches/55backslash_quote-guc.patch: - Add a new GUC parameter backslash_quote, which determines whether the SQL parser will allow "\'" to be used to represent a literal quote mark. The "\'" representation has been deprecated for some time in favor of the SQL-standard representation "''" (two single quote marks), but it has been used often enough that just disallowing it immediately won't do. Hence backslash_quote allows the settings "on", "off", and "safe_encoding", the last meaning to allow "\'" only if client_encoding is a valid server encoding. That is now the default, and the reason is that in encodings such as SJIS that allow 0x5c (ASCII backslash) to be the last byte of a multibyte character, accepting "\'" allows SQL-injection attacks. - The "on" setting is available for backward compatibility, but it must not be used with clients that are exposed to untrusted input. - Patch backported from 8.0.8. - CVE-2006-2314 * Add debian/patches/56quote-escaping.patch: - Change escaping from \' to '' throughout the code (in client programs and contrib modules). - Patch backported from 8.0.8. * Add debian/patches/57libpq-string-escaping.patch: - Modify libpq's string-escaping routines to be aware of encoding considerations and standard_conforming_strings. The encoding changes are needed for proper escaping in multibyte encodings, as per the SQL-injection vulnerabilities noted in CVE-2006-2313 and CVE-2006-2314. - Since the existing API of PQescapeString and PQescapeBytea provides no way to inform them which settings are in use, these functions are now deprecated in favor of new functions PQescapeStringConn and PQescapeByteaConn. The new functions take the PGconn to which the string will be sent as an additional parameter, and look inside the connection structure to determine what to do. So as to provide some functionality for clients using the old functions, libpq stores the latest encoding and standard_conforming_strings values received from the backend in static variables, and the old functions consult these variables. This will work reliably in clients using only one Postgres connection at a time, or even multiple connections if they all use the same encoding and string syntax settings; which should cover many practical scenarios. - Clients that use homebrew escaping methods, such as PHP's addslashes() function or even hardwired regexp substitution, will require extra effort to fix :-(. It is strongly recommended that such code be replaced by use of PQescapeStringConn/PQescapeByteaConn if at all feasible. - Patch backported from 8.0.8. * Add debian/patches/58indexscan-duplicate-tuples.patch: - Fix nasty bug in nodeIndexscan.c's detection of duplicate tuples during a multiple (OR'ed) indexscan. It was checking for duplicate tuple->t_data->t_ctid, when what it should be checking is tuple->t_self. - Patch backported from 8.0.8. -- Martin Pitt <email address hidden> Wed, 24 May 2006 17:33:01 +0000
Upload details
- Uploaded by:
- Martin Pitt
- Uploaded to:
- Hoary
- Original maintainer:
- Martin Pitt
- Architectures:
- any
- Section:
- misc
- Urgency:
- Low Urgency
See full publishing history Publishing
Series | Published | Component | Section |
---|
Downloads
File | Size | SHA-256 Checksum |
---|---|---|
postgresql_7.4.7.orig.tar.gz | 9.5 MiB | dbf67fb23bfb3fcd91e0c4c6182e83de1942dcd868a60b2955787aee1cf46147 |
postgresql_7.4.7-2ubuntu2.3.diff.gz | 179.1 KiB | 35d601f217aabf071bedf32899c3f42573846bbe1769e9468e6218ef5e35532b |
postgresql_7.4.7-2ubuntu2.3.dsc | 991 bytes | f2f98cc78349ce163747bf26ef47c0d902f283076321929af336632bf3d32fba |
Binary packages built by this source
- libecpg-dev: No summary available for libecpg-dev in ubuntu hoary.
No description available for libecpg-dev in ubuntu hoary.
- libecpg4: No summary available for libecpg4 in ubuntu hoary.
No description available for libecpg4 in ubuntu hoary.
- libpgtcl: No summary available for libpgtcl in ubuntu hoary.
No description available for libpgtcl in ubuntu hoary.
- libpgtcl-dev: No summary available for libpgtcl-dev in ubuntu hoary.
No description available for libpgtcl-dev in ubuntu hoary.
- libpq3: No summary available for libpq3 in ubuntu hoary.
No description available for libpq3 in ubuntu hoary.
- postgresql: No summary available for postgresql in ubuntu hoary.
No description available for postgresql in ubuntu hoary.
- postgresql-client: No summary available for postgresql-client in ubuntu hoary.
No description available for postgresql-client in ubuntu hoary.
- postgresql-contrib: No summary available for postgresql-contrib in ubuntu hoary.
No description available for postgresql-contrib in ubuntu hoary.
- postgresql-dev: No summary available for postgresql-dev in ubuntu hoary.
No description available for postgresql-dev in ubuntu hoary.
- postgresql-doc: No summary available for postgresql-doc in ubuntu hoary.
No description available for postgresql-doc in ubuntu hoary.