In https://www.postgresql.org/about/news/1829/
URL links to both CVE-2018-1052 and CVE-2018-1053 give me a 404 error. I am the only one who are getting the error? Best regards, -- Tatsuo Ishii SRA OSS, Inc. Japan English: http://www.sraoss.co.jp/index_en.php Japanese:http://www.sraoss.co.jp From: Stephen Frost <sfr...@postgresql.org> Subject: PostgreSQL 2018-02-08 Security Update Release Date: Thu, 8 Feb 2018 08:59:05 -0500 Message-ID: <20180208135905.gq2...@tamriel.snowman.net> > 2018-02-08 Security Update Release > ================================== > > The PostgreSQL Global Development Group has released an update to all > supported > versions of our database system, including 10.2, 9.6.7, 9.5.11, 9.4.16, > 9.3.21. > This release fixes two security issues. This release also fixes issues with > VACUUM, GIN indexes, and hash indexes that could lead to data corruption, as > well as fixes for using parallel queries and logical replication. > > All users using the affected versions of PostgreSQL should update as soon as > possible. Please see the notes on "Updating" below for any post-update steps > that may be required. > > Please note that PostgreSQL changed its versioning scheme with the release of > version 10.0, so updating to version 10.2 from 10.0 or 10.1 is considered a > minor update. > > Security Issues > --------------- > > Two security vulnerabilities have been fixed by this release: > > * CVE-2018-1052: Fix the processing of partition keys containing multiple > expressions > * CVE-2018-1053: Ensure that all temporary files made with "pg_upgrade" are > non-world-readable > > Bug Fixes and Improvements > -------------------------- > > This update fixes over 60 bugs reported in the last few months. Some of these > issues affect only version 10, but many affect all supported versions: > > * Fix crash and potential disclosure of backend memory when processing > partition > keys containing multiple expressions > * Fix potential disclosure of temporary files containing database passwords > created by pg_upgrade by not allowing these files to be world-accessible > * Fix cases where VACUUM would not remove dead rows if they were updated while > "key-share" locked, leading to potential data corruption > * Fix for GIN indexes to prevent bloat by ensuring the pending-insertions list > is cleaned up by VACUUM > * Fix potential index corruption with hash indexes due to failure to mark > metapages as dirty > * Fix several potential crash scenarios for parallel queries, including when a > bitmap heap scan cannot allocate memory > * Fix several potential hang-ups in parallel queries, including when a > parallel > worker fails to start > * Fix collection of EXPLAIN statistics from parallel workers > * Prevent fake deadlock failures when multiple sessions are running > CREATE INDEX CONCURRENTLY > * Fix for trigger behavior when using logical replication > * Several fixes for "walsender" functionality to improve stability as well as > visibility into the replication process > * Fix logical decoding to correctly clean up disk files for crashed > transactions > * Several fixes for identity columns, including disallowing identity columns > on > tables derived from composite types and partitions > * Fix handling of list partitioning constraints for partition keys of boolean > and array types > * Fix incorrectly generated plans for UPDATE and DELETE queries when a table > has > a mix of inherited regular and foreign child tables > * Fix incorrect query results from cases involving GROUPING SETS when used > with > flattened subqueries > * Fix UNION/INTERSECT/EXCEPT over zero columns, e.g. "SELECT UNION SELECT;" > * Several fixes for subqueries within a LATERAL subquery > * Several improvements for query planning estimation > * Allow a client that supports SCRAM channel binding, such as a future version > of PostgreSQL or libpq, to connect to a PostgreSQL 10 server > * Fix sample INSTR() functions used to help transition from Oracle(r) PL/SQL > to > PostgreSQL PL/pgSQL to correctly match Oracle functional behavior > * Fix pg_dump to make permissions (ACL), security label, and comment entries > reliably identifiable in archive outputs > * Modify behavior for contrib/cube's "cube ~> int" operator to make it > compatible with KNN search. This is a backwards incompatible change and any > expression indexes or materialized views using this operator will need to be > reindexed and refreshed, respectively. > * Several fixes in contrib/postgres_fdw to prevent query planner errors > * Added modern examples of auto-start scripts for PostgreSQL on macOS in the > contrib/start-scripts/macos directory > * Several fixes for Windows, including postmaster startup and compatibility > with > libperl > * Spinlock fixes and support for Motorola 68K and 88K architectures > > This update also contains tzdata release 2018c, with updates for DST law > changes > in Brazil, Sao Tome and Principe, plus historical corrections for Bolivia, > Japan, and South Sudan. The US/Pacific-New zone has been removed > (it was only an alias for "America/Los_Angeles" anyway). > > Updating > -------- > All PostgreSQL update releases are cumulative. As with other minor releases, > users are not required to dump and reload their database or use pg_upgrade in > order to apply this update release; you may simply shutdown PostgreSQL and > update its binaries. > > If your installation is affected by one of the following issues, you may need > to > perform additional post-update steps: > > * Users affected by the GIN and hash index issues should consider rebuilding > these indexes > * Users who copied the INSTR example from the PostgreSQL documentation should > analyze their code to determine if they need to apply the corrected INSTR > example > * Users who use the "~>" operator found in "contrib/cube" with expression > indexes or materialized views will need to reindex and refresh them, > respectively. This change is also backwards incompatible, so please test any > code using this operator before releasing to a production environment. > > Users who have skipped one or more update releases may need to run additional, > post-update steps; please see the release notes for earlier versions for > details. > > Links > ------ > * Download: https://www.postgresql.org/download > * Release Notes: https://www.postgresql.org/docs/current/static/release.html > * Security Page: https://www.postgresql.org/support/security/ > * Versioning Policy: https://www.postgresql.org/support/versioning/
