PostgreSQL Releases Security Updates for All Supported Branches
jopen, 12 years ago
<p><strong>PostgreSQL</strong> is a free object-relational database server (database management system) released under a permissive BSD-style license. It is an alternative both to other open-source database systems (such as MySQL and Firebird) and to proprietary systems such as Oracle, Sybase, IBM DB2 and Microsoft SQL Server.</p>
<p>The PostgreSQL Global Development Group today released security updates for every supported branch: <a href="/misc/goto?guid=4958342758053444101">9.1.4</a>, <a href="/misc/goto?guid=4958342758851480085">9.0.8</a>, <a href="/misc/goto?guid=4958342759649834345">8.4.12</a> and <a href="/misc/goto?guid=4958342760457968319">8.3.19</a>.</p>
<p>If you use the <code>crypt(text,text)</code> function from the <code>pgcrypto</code> module for DES-based password hashing, you should upgrade to the latest release immediately.</p>
<p>Bugs fixed in 9.1.4 include:</p>
<ul>
<li>Fix <code>citext</code> upgrade script for collations of <code>citext</code> arrays and domains over <code>citext</code></li>
<li>Fixes for timezone handling</li>
<li>Fix <code>text</code> or <code>char</code> to <code>name</code> casts to perform string truncation correctly in multibyte encodings</li>
<li>Fix memory copying bug in <code>to_tsquery()</code></li>
<li>Ensure <code>txid_current()</code> reports the correct epoch when executed in hot standby</li>
<li>Fix planner's handling of sub-<code>SELECT</code>s referencing variables coming from the nullable side of an outer join of the surrounding query</li>
<li>Fix planning of <code>UNION ALL</code> subqueries with output columns that are not simple variables</li>
<li>Fix slow session startup when <code>pg_attribute</code> is very large</li>
<li>Ensure sequential scans check for query cancel reasonably often</li>
<li>Show whole-row variables safely when printing views or rules</li>
<li>Fix <code>COPY FROM</code> to properly handle null marker strings that correspond to invalid encoding</li>
<li>Fix <code>EXPLAIN VERBOSE</code> for writable CTEs containing <code>RETURNING</code> clauses</li>
<li>Fix <code>PREPARE TRANSACTION</code> to work correctly in the presence of advisory locks</li>
<li>Fix bugs with temporary or transient tables used in extension scripts</li>
<li>Ensure autovacuum worker processes perform stack depth checking properly</li>
<li>Fix logging collector to not lose log coherency under high load</li>
<li>Fix logging collector to ensure it will restart file rotation after receiving <code>SIGHUP</code></li>
<li>Fix WAL replay logic for GIN indexes to not fail if the index was subsequently dropped</li>
<li>Avoid synchronous replication delay when committing a transaction that only modified temporary tables</li>
</ul>
<p>The releases contain two security fixes:</p>
<ul>
<li><a href="/misc/goto?guid=4958342761259470847">CVE-2012-2143</a>: Fix incorrect password transformation in contrib/pgcrypto's DES <code>crypt()</code> function</li>
<li><a href="/misc/goto?guid=4958342762062116223">CVE-2012-2655</a>: Ignore <code>SECURITY DEFINER</code> and <code>SET</code> attributes for a procedural language's call handler</li>
</ul>
<p>The pgcrypto bug makes affected password hashes much weaker than they appear: if a password contained the byte value 0x80, everything from that byte onward was ignored when computing the DES hash. With the fix the whole string is hashed, so stored hashes of such passwords will no longer match and must be regenerated. The procedural-language bug is a stability issue: applying <code>SECURITY DEFINER</code> or <code>SET</code> attributes to a language's call handler could crash the server. Both issues are fixed in all four supported branches listed above.</p>
<p>For a more detailed description of these vulnerabilities see the <a href="/misc/goto?guid=4958342762860195868" target="_blank">release notes</a>.</p>
<p>Downloads: <a href="/misc/goto?guid=4958186412010529676">download page</a>.</p>
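<p>The SQL below is an added example, not part of the release announcement or of the PostgreSQL project's own code. It shows the two checks an administrator would run after upgrading: a catalog query that finds procedural-language call handlers carrying the <code>SECURITY DEFINER</code> or <code>SET</code> attributes at issue in CVE-2012-2655, and an inventory-and-migration procedure for an application table holding pgcrypto DES <code>crypt()</code> hashes (CVE-2012-2143). The table <code>app_users</code>, its rows and the sample passwords are constructed for the example; the catalog columns used (<code>pg_language.lanplcallfoid</code>, <code>lanispl</code>, <code>pg_proc.prosecdef</code>, <code>proconfig</code>) are standard.</p>

```sql
-- Constructed example (not from the PostgreSQL release notes). Run on a
-- patched server as a role that can read pg_catalog and create temp tables.

-- pgcrypto must be loaded. On 9.1+ it is an extension; on 8.3/8.4 load the
-- contrib/pgcrypto.sql script instead.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-----------------------------------------------------------------------------
-- CVE-2012-2655: list procedural-language call handlers that carry
-- SECURITY DEFINER (pg_proc.prosecdef) or SET clauses (pg_proc.proconfig).
-- A patched server ignores these attributes; on an unpatched one they could
-- crash the backend. A default installation returns no rows here.
-----------------------------------------------------------------------------
SELECT l.lanname,
       p.proname   AS call_handler,
       p.prosecdef AS security_definer,
       p.proconfig AS set_clauses
FROM   pg_catalog.pg_language l
JOIN   pg_catalog.pg_proc     p ON p.oid = l.lanplcallfoid
WHERE  l.lanispl
AND   (p.prosecdef OR p.proconfig IS NOT NULL);

-----------------------------------------------------------------------------
-- CVE-2012-2143: inventory and migrate DES crypt() password hashes.
-----------------------------------------------------------------------------
-- Hypothetical application table with constructed rows.
CREATE TEMP TABLE app_users (
    username      text PRIMARY KEY,
    password_hash text NOT NULL
);

INSERT INTO app_users (username, password_hash) VALUES
    -- Traditional DES crypt(): 2 salt chars + 11 hash chars, no '$' prefix.
    ('alice', crypt('correct horse',  gen_salt('des'))),
    -- In UTF-8, 'À' is the bytes C3 80, so this password contains 0x80.
    -- An unpatched server dropped everything from that byte on when it
    -- built the DES key, so a hash stored before the upgrade no longer
    -- verifies against the same password on a patched server.
    ('carol', crypt('pÀssword',       gen_salt('des'))),
    -- bcrypt ('$2a$...') hashes were never affected.
    ('bob',   crypt('battery staple', gen_salt('bf', 10)));

-- 1. Which accounts still have DES hashes? Exactly 13 chars of [A-Za-z0-9./].
--    Any of these whose password contained 0x80 pre-upgrade needs a reset:
--    the server cannot recompute the hash without the cleartext.
SELECT username, password_hash
FROM   app_users
WHERE  password_hash ~ '^[A-Za-z0-9./]{13}$';

-- 2. Verification is unchanged: hash the candidate with the stored value as
--    the salt and compare. For 'carol' this is true only because her hash was
--    generated on the patched server; a pre-upgrade hash would return false.
SELECT username,
       crypt('pÀssword', password_hash) = password_hash AS verifies
FROM   app_users
WHERE  username = 'carol';

-- 3. Migration: when a login succeeds against a DES hash, rewrite the row
--    with bcrypt so that no DES hashes remain. Shown for one user; the same
--    statement belongs in the application's login path, which supplies the
--    candidate password it has just accepted.
UPDATE app_users
SET    password_hash = crypt('correct horse', gen_salt('bf', 10))
WHERE  username = 'alice'
AND    password_hash ~ '^[A-Za-z0-9./]{13}$'
AND    crypt('correct horse', password_hash) = password_hash;

-- After step 3 only 'carol' remains in the DES inventory from step 1.
SELECT username
FROM   app_users
WHERE  password_hash ~ '^[A-Za-z0-9./]{13}$';
```

<p>The first query is the fast way to confirm whether CVE-2012-2655 was ever reachable on a given cluster. The inventory regex is the practical test for DES output because pgcrypto's other <code>crypt()</code> algorithms are prefixed (<code>$1$</code> for MD5, <code>$2a$</code> for Blowfish, <code>_</code> for extended DES) and are longer than 13 characters.</p>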