[Bug 430544] Re: New security/bug fix microreleases: 8.1.18, 8.3.8

2009-09-21 Thread Launchpad Bug Tracker
This bug was fixed in the package postgresql-8.3 - 8.3.8-0ubuntu8.04

---
postgresql-8.3 (8.3.8-0ubuntu8.04) hardy-security; urgency=low

  * New upstream security/bug fix release: (LP: #430544)
    - Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside
      security-definer functions. This covers a case that was missed in the
      previous patch that disallowed SET ROLE and SET SESSION
      AUTHORIZATION inside security-definer functions. [CVE-2007-6600]
    - Force WAL segment switch during pg_start_backup(). This avoids corner
      cases that could render a base backup unusable.
    - Make LOAD of an already-loaded loadable module into a no-op.
      Formerly, LOAD would attempt to unload and re-load the module,
      but this is unsafe and not all that useful.
    - Disallow empty passwords during LDAP authentication.
    - Fix handling of sub-SELECTs appearing in the arguments of an
      outer-level aggregate function.
    - Fix bugs associated with fetching a whole-row value from the output
      of a Sort or Materialize plan node.
    - Prevent synchronize_seqscans from changing the results of
      scrollable and WITH HOLD cursors.
    - Revert planner change that disabled partial-index and constraint
      exclusion optimizations when there were more than 100 clauses in an
      AND or OR list.
    - Fix hash calculation for data type interval. This corrects wrong results
      for hash joins on interval values. It also changes the contents of hash
      indexes on interval columns. If you have any such indexes, you must
      REINDEX them after updating.
    - Treat to_char(..., 'TH') as an uppercase ordinal suffix with
      'HH'/'HH12'. It was previously handled as 'th' (lowercase).
    - Fix overflow for INTERVAL 'x ms' when x is more than 2 million
      and integer datetimes are in use.
    - Fix calculation of distance between a point and a line segment.
      This led to incorrect results from a number of geometric operators.
    - Fix money data type to work in locales where currency amounts have
      no fractional digits, e.g. Japan.
    - Fix LIKE for case where pattern contains %_.
    - Properly round datetime input like 00:12:57..
    - Fix memory leaks in XML operations.
    - Fix poor choice of page split point in GiST R-tree operator classes.
    - Ensure that a fast shutdown request will forcibly terminate open
      sessions, even if a smart shutdown was already in progress.
    - Avoid performance degradation in bulk inserts into GIN indexes when
      the input values are (nearly) in sorted order.
    - Correctly enforce NOT NULL domain constraints in some contexts in
      PL/pgSQL.
    - Fix portability issues in plperl initialization.
    - Fix pg_ctl to not go into an infinite loop if postgresql.conf is
      empty.
    - Improve pg_dump's efficiency when there are many large objects.
    - Use SIGUSR1, not SIGQUIT, as the failover signal for pg_standby.
    - Make pg_standby's maxretries option behave as documented.
    - Make contrib/hstore throw an error when a key or value is too
      long to fit in its data structure, rather than silently truncating
      it.
    - Fix contrib/xml2's xslt_process() to properly handle the maximum
      number of parameters (twenty).
    - Improve robustness of libpq's code to recover from errors during
      COPY FROM STDIN.

 -- Martin Pitt martin.p...@ubuntu.com   Wed, 16 Sep 2009 10:36:16 +0200

** Changed in: postgresql-8.3 (Ubuntu Hardy)
   Status: Fix Committed => Fix Released

** Changed in: postgresql-8.3 (Ubuntu Intrepid)
   Status: Fix Committed => Fix Released

-- 
New security/bug fix microreleases: 8.1.18, 8.3.8
https://bugs.launchpad.net/bugs/430544
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
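
For the changelog item above that requires a REINDEX of hash indexes on interval columns, an added example (not part of the original notification or of the PostgreSQL release itself): a catalog query that lists the affected indexes and generates the REINDEX statement for each. It reads only the system catalogs; expression indexes and domains over interval are not covered.

```sql
-- Added example: find hash indexes whose key column is of type interval,
-- i.e. the indexes the changelog says must be rebuilt after updating.
-- Run once in every database of the cluster after the package upgrade.
SELECT n.nspname AS schema_name,
       t.relname AS table_name,
       i.relname AS index_name,
       a.attname AS column_name,
       'REINDEX INDEX ' || quote_ident(n.nspname) || '.'
                        || quote_ident(i.relname) || ';' AS fix_statement
FROM   pg_index     x
JOIN   pg_class     i  ON i.oid = x.indexrelid       -- the index itself
JOIN   pg_class     t  ON t.oid = x.indrelid         -- the table it belongs to
JOIN   pg_namespace n  ON n.oid = i.relnamespace
JOIN   pg_am        am ON am.oid = i.relam           -- access method of the index
JOIN   pg_attribute a  ON a.attrelid = x.indrelid
                      AND a.attnum   = x.indkey[0]   -- hash indexes are single-column
WHERE  am.amname  = 'hash'
AND    a.atttypid = 'interval'::regtype
ORDER  BY schema_name, table_name, index_name;
```

An empty result means the database has no plain-column hash index on an interval column and needs no REINDEX for this item.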


[Bug 430544] Re: New security/bug fix microreleases: 8.1.18, 8.3.8

2009-09-21 Thread Launchpad Bug Tracker
This bug was fixed in the package postgresql-8.3 - 8.3.8-0ubuntu8.10

---
postgresql-8.3 (8.3.8-0ubuntu8.10) intrepid-security; urgency=low

  * New upstream security/bug fix release: (LP: #430544)
    - Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside
      security-definer functions. This covers a case that was missed in the
      previous patch that disallowed SET ROLE and SET SESSION
      AUTHORIZATION inside security-definer functions. [CVE-2007-6600]
    - Force WAL segment switch during pg_start_backup(). This avoids corner
      cases that could render a base backup unusable.
    - Make LOAD of an already-loaded loadable module into a no-op.
      Formerly, LOAD would attempt to unload and re-load the module,
      but this is unsafe and not all that useful.
    - Disallow empty passwords during LDAP authentication.
    - Fix handling of sub-SELECTs appearing in the arguments of an
      outer-level aggregate function.
    - Fix bugs associated with fetching a whole-row value from the output
      of a Sort or Materialize plan node.
    - Prevent synchronize_seqscans from changing the results of
      scrollable and WITH HOLD cursors.
    - Revert planner change that disabled partial-index and constraint
      exclusion optimizations when there were more than 100 clauses in an
      AND or OR list.
    - Fix hash calculation for data type interval. This corrects wrong results
      for hash joins on interval values. It also changes the contents of hash
      indexes on interval columns. If you have any such indexes, you must
      REINDEX them after updating.
    - Treat to_char(..., 'TH') as an uppercase ordinal suffix with
      'HH'/'HH12'. It was previously handled as 'th' (lowercase).
    - Fix overflow for INTERVAL 'x ms' when x is more than 2 million
      and integer datetimes are in use.
    - Fix calculation of distance between a point and a line segment.
      This led to incorrect results from a number of geometric operators.
    - Fix money data type to work in locales where currency amounts have
      no fractional digits, e.g. Japan.
    - Fix LIKE for case where pattern contains %_.
    - Properly round datetime input like 00:12:57..
    - Fix memory leaks in XML operations.
    - Fix poor choice of page split point in GiST R-tree operator classes.
    - Ensure that a fast shutdown request will forcibly terminate open
      sessions, even if a smart shutdown was already in progress.
    - Avoid performance degradation in bulk inserts into GIN indexes when
      the input values are (nearly) in sorted order.
    - Correctly enforce NOT NULL domain constraints in some contexts in
      PL/pgSQL.
    - Fix portability issues in plperl initialization.
    - Fix pg_ctl to not go into an infinite loop if postgresql.conf is
      empty.
    - Improve pg_dump's efficiency when there are many large objects.
    - Use SIGUSR1, not SIGQUIT, as the failover signal for pg_standby.
    - Make pg_standby's maxretries option behave as documented.
    - Make contrib/hstore throw an error when a key or value is too
      long to fit in its data structure, rather than silently truncating
      it.
    - Fix contrib/xml2's xslt_process() to properly handle the maximum
      number of parameters (twenty).
    - Improve robustness of libpq's code to recover from errors during
      COPY FROM STDIN.

 -- Martin Pitt martin.p...@ubuntu.com   Wed, 16 Sep 2009 10:45:23 +0200

** Changed in: postgresql-8.3 (Ubuntu Jaunty)
   Status: Fix Committed => Fix Released



[Bug 430544] Re: New security/bug fix microreleases: 8.1.18, 8.3.8

2009-09-21 Thread Launchpad Bug Tracker
This bug was fixed in the package postgresql-8.3 - 8.3.8-0ubuntu9.04

---
postgresql-8.3 (8.3.8-0ubuntu9.04) jaunty-security; urgency=low

  * New upstream security/bug fix release: (LP: #430544)
    - Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside
      security-definer functions. This covers a case that was missed in the
      previous patch that disallowed SET ROLE and SET SESSION
      AUTHORIZATION inside security-definer functions. [CVE-2007-6600]
    - Force WAL segment switch during pg_start_backup(). This avoids corner
      cases that could render a base backup unusable.
    - Make LOAD of an already-loaded loadable module into a no-op.
      Formerly, LOAD would attempt to unload and re-load the module,
      but this is unsafe and not all that useful.
    - Disallow empty passwords during LDAP authentication.
    - Fix handling of sub-SELECTs appearing in the arguments of an
      outer-level aggregate function.
    - Fix bugs associated with fetching a whole-row value from the output
      of a Sort or Materialize plan node.
    - Prevent synchronize_seqscans from changing the results of
      scrollable and WITH HOLD cursors.
    - Revert planner change that disabled partial-index and constraint
      exclusion optimizations when there were more than 100 clauses in an
      AND or OR list.
    - Fix hash calculation for data type interval. This corrects wrong results
      for hash joins on interval values. It also changes the contents of hash
      indexes on interval columns. If you have any such indexes, you must
      REINDEX them after updating.
    - Treat to_char(..., 'TH') as an uppercase ordinal suffix with
      'HH'/'HH12'. It was previously handled as 'th' (lowercase).
    - Fix overflow for INTERVAL 'x ms' when x is more than 2 million
      and integer datetimes are in use.
    - Fix calculation of distance between a point and a line segment.
      This led to incorrect results from a number of geometric operators.
    - Fix money data type to work in locales where currency amounts have
      no fractional digits, e.g. Japan.
    - Fix LIKE for case where pattern contains %_.
    - Properly round datetime input like 00:12:57..
    - Fix memory leaks in XML operations.
    - Fix poor choice of page split point in GiST R-tree operator classes.
    - Ensure that a fast shutdown request will forcibly terminate open
      sessions, even if a smart shutdown was already in progress.
    - Avoid performance degradation in bulk inserts into GIN indexes when
      the input values are (nearly) in sorted order.
    - Correctly enforce NOT NULL domain constraints in some contexts in
      PL/pgSQL.
    - Fix portability issues in plperl initialization.
    - Fix pg_ctl to not go into an infinite loop if postgresql.conf is
      empty.
    - Improve pg_dump's efficiency when there are many large objects.
    - Use SIGUSR1, not SIGQUIT, as the failover signal for pg_standby.
    - Make pg_standby's maxretries option behave as documented.
    - Make contrib/hstore throw an error when a key or value is too
      long to fit in its data structure, rather than silently truncating
      it.
    - Fix contrib/xml2's xslt_process() to properly handle the maximum
      number of parameters (twenty).
    - Improve robustness of libpq's code to recover from errors during
      COPY FROM STDIN.

 -- Martin Pitt martin.p...@ubuntu.com   Wed, 16 Sep 2009 11:15:21 +0200



[Bug 430544] Re: New security/bug fix microreleases: 8.1.18, 8.3.8

2009-09-21 Thread Martin Pitt
** Changed in: postgresql-8.1 (Ubuntu Dapper)
   Status: Fix Committed => Fix Released



[Bug 430544] Re: New security/bug fix microreleases: 8.1.18, 8.3.8

2009-09-21 Thread Jamie Strandboge
http://www.ubuntu.com/usn/usn-834-1



[Bug 430544] Re: New security/bug fix microreleases: 8.1.18, 8.3.8

2009-09-18 Thread Martin Pitt
I re-ran the postgresql-common integration test suite against the actual
.debs from -proposed on all releases, all pass. Since they all built,
they also passed the upstream regression tests on all architectures.

I consider this good to go.

** Tags added: verification-done
** Tags removed: verification-needed



[Bug 430544] Re: New security/bug fix microreleases: 8.1.18, 8.3.8

2009-09-18 Thread Leonel Nunez
Tested on Dapper. Upgrade went fine, no errors.
Basic tests: no problems found.



Re: [Bug 430544] Re: New security/bug fix microreleases: 8.1.18, 8.3.8

2009-09-18 Thread Martin Pitt
Leonel Nunez [2009-09-18 15:17 -]:
> Tested on Dapper, Upgrade went fine, no errors
> basic tests no problems found

Thanks, Leonel, for your testing feedback! Much appreciated.



[Bug 430544] Re: New security/bug fix microreleases: 8.1.18, 8.3.8

2009-09-17 Thread Jamie Strandboge
These have all been copied to proposed.



[Bug 430544] Re: New security/bug fix microreleases: 8.1.18, 8.3.8

2009-09-17 Thread Martin Pitt
Accepted postgresql-8.1 into dapper-proposed, the package will build now
and be available in a few hours. Please test and give feedback here. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed. Thank you in advance!

** Tags added: verification-needed



[Bug 430544] Re: New security/bug fix microreleases: 8.1.18, 8.3.8

2009-09-17 Thread Leonel Nunez
Just upgraded on Jaunty, Intrepid, Hardy. All upgrades went fine, no errors.
I'll set up a Dapper VM to test there too.

I'll do more testing.



[Bug 430544] Re: New security/bug fix microreleases: 8.1.18, 8.3.8

2009-09-16 Thread Martin Pitt
Karmic is already fixed, I uploaded the new version to sid and synced:

postgresql-8.3 |8.3.8-1 | karmic/universe | source, amd64, i386

No regression reports until now, for about a week.

** Changed in: postgresql-8.3 (Ubuntu Karmic)
   Status: New => Fix Released

** Changed in: postgresql-8.3 (Ubuntu Hardy)
   Status: New => In Progress

** Changed in: postgresql-8.3 (Ubuntu Intrepid)
   Status: New => In Progress

** Changed in: postgresql-8.3 (Ubuntu Jaunty)
   Status: New => In Progress

** Changed in: postgresql-8.3 (Ubuntu Hardy)
 Assignee: (unassigned) => Martin Pitt (pitti)

** Changed in: postgresql-8.3 (Ubuntu Intrepid)
 Assignee: (unassigned) => Martin Pitt (pitti)

** Changed in: postgresql-8.3 (Ubuntu Jaunty)
 Assignee: (unassigned) => Martin Pitt (pitti)



[Bug 430544] Re: New security/bug fix microreleases: 8.1.18, 8.3.8

2009-09-16 Thread Martin Pitt
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-6600



[Bug 430544] Re: New security/bug fix microreleases: 8.1.18, 8.3.8

2009-09-16 Thread Martin Pitt
** Changed in: postgresql-8.1 (Ubuntu Dapper)
   Status: Triaged => In Progress



[Bug 430544] Re: New security/bug fix microreleases: 8.1.18, 8.3.8

2009-09-16 Thread Martin Pitt
I prepared all updates and put them to:

  http://people.canonical.com/~pitti/tmp/postgresql-430544/

They pass the upstream regression tests (run during package build) and
the integration tests (from postgresql-common) in all releases. I will
re-run the integration tests with the actual .debs which will be
published once they hit -proposed.

Now I assume that they need to be uploaded to
https://launchpad.net/~ubuntu-security-proposed/+archive/ppa and then
copied to -proposed. For that I assume the security team has to re-sign
the .changes with their key and upload?

Please advise how to continue. Thanks!



[Bug 430544] Re: New security/bug fix microreleases: 8.1.18, 8.3.8

2009-09-16 Thread Jamie Strandboge
I'll sign and upload. Thanks Martin!



[Bug 430544] Re: New security/bug fix microreleases: 8.1.18, 8.3.8

2009-09-16 Thread Jamie Strandboge
Martin,

These have now been uploaded to
https://launchpad.net/~ubuntu-security-proposed/+archive/ppa. Feel free
to pocket copy them to -proposed when they finish building. If you need
me to do it, let me know.

** Changed in: postgresql-8.1 (Ubuntu Dapper)
   Status: In Progress => Fix Committed

** Changed in: postgresql-8.3 (Ubuntu Hardy)
   Status: In Progress => Fix Committed

** Changed in: postgresql-8.3 (Ubuntu Intrepid)
   Status: In Progress => Fix Committed

** Changed in: postgresql-8.3 (Ubuntu Jaunty)
   Status: In Progress => Fix Committed

** Changed in: postgresql-8.3 (Ubuntu Hardy)
   Importance: Undecided => High

** Changed in: postgresql-8.3 (Ubuntu Intrepid)
   Importance: Undecided => High

** Changed in: postgresql-8.3 (Ubuntu Jaunty)
   Importance: Undecided => High
