[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

New PostgreSQL bug fix release 8.3.10 for Lenny

Hello release team,

It's that time of the year again, PostgreSQL released a new
bug fix release three weeks ago:


One of the changes overzealously got a CVE assigned, but the security
team agrees that this is not worth a DSA (it's a local authenticated
crash only).

I haven't seen any regression reports for the new 8.4.3 release, or
in upstream bug reports, so it's time to push this update to Lenny

I also applied a backport from 8.4 to fix an old SSL related crash:

The package passes the upstream test suite as well as my
postgresql-common integration test suite.

Source/binary packages and debdiff (filtered out documentation and
autoconf changes):


OK to upload?



postgresql-8.3 (8.3.10-0lenny1) stable; urgency=low

  * New upstream bug fix release:
    - Add new configuration parameter ssl_renegotiation_limit to control
      how often we do session key renegotiation for an SSL connection.
      This can be set to zero to disable renegotiation completely, which
      may be required if a broken SSL library is used. In particular,
      some vendors are shipping stopgap patches for CVE-2009-3555 that
      cause renegotiation attempts to fail.
    - Fix possible deadlock during backend startup.
    - Fix possible crashes due to not handling errors during relcache
      reload cleanly.
    - Fix possible crash due to use of dangling pointer to a cached plan.
    - Fix possible crashes when trying to recover from a failure in
      subtransaction start.
    - Fix server memory leak associated with use of savepoints and a
      client encoding different from server's encoding.
    - Fix incorrect WAL data emitted during end-of-recovery cleanup of a
      GIST index page split.
      This would result in index corruption, or even more likely an error
      during WAL replay, if we were unlucky enough to crash during
      end-of-recovery cleanup after having completed an incomplete GIST
    - Make substring() for bit types treat any negative length as meaning
      "all the rest of the string".
      The previous coding treated only -1 that way, and would produce an
      invalid result value for other negative values, possibly leading to
      a crash (CVE-2010-0442). (Closes: #567058)
    - Fix integer-to-bit-string conversions to handle the first
      fractional byte correctly when the output bit width is wider than
      the given integer by something other than a multiple of 8 bits.
    - Fix some cases of pathologically slow regular expression matching.
    - Fix assorted crashes in xml processing caused by sloppy memory
      This is a back-patch of changes first applied in 8.4. The 8.3 code
      was known buggy, but the new code was sufficiently different to not
      want to back-patch it until it had gotten some field testing.
    - Fix bug with trying to update a field of an element of a
      composite-type array column.
    - Fix the STOP WAL LOCATION entry in backup history files to report
      the next WAL segment's name when the end location is exactly at a
      segment boundary.
    - Fix some more cases of temporary-file leakage.
      This corrects a problem introduced in the previous minor release.
      One case that failed is when a plpgsql function returning set is
      called within another function's exception handler.
    - Improve constraint exclusion processing of boolean-variable cases,
      in particular make it possible to exclude a partition that has a
      "bool_column = false" constraint.
    - When reading "pg_hba.conf" and related files, do not treat
      @something as a file inclusion request if the @ appears inside
      quote marks; also, never treat @ by itself as a file inclusion
      This prevents erratic behavior if a role or database name starts
      with @. If you need to include a file whose path name contains
      spaces, you can still do so, but you must write @"/path to/file"
      rather than putting the quotes around the whole construct.
    - Prevent infinite loop on some platforms if a directory is named as
      an inclusion target in "pg_hba.conf" and related files.
    - Fix possible infinite loop if SSL_read or SSL_write fails without
      setting errno.
      This is reportedly possible with some Windows versions of openssl.
    - Disallow GSSAPI authentication on local connections, since it
      requires a hostname to function correctly.
    - Make ecpg report the proper SQLSTATE if the connection disappears.
    - Fix psql's numericlocale option to not format strings it shouldn't
      in latex and troff output formats.
    - Make psql return the correct exit status (3) when ON_ERROR_STOP and
      --single-transaction are both specified and an error occurs during
      the implied "COMMIT".
    - Fix plpgsql failure in one case where a composite column is set to
    - Fix possible failure when calling PL/Perl functions from PL/PerlU
      or vice versa.
    - Add volatile markings in PL/Python to avoid possible
      compiler-specific misbehavior.
    - Ensure PL/Tcl initializes the Tcl interpreter fully.
      The only known symptom of this oversight is that the Tcl clock
      command misbehaves if using Tcl 8.5 or later.
    - Prevent crash in "contrib/dblink" when too many key columns are
      specified to a dblink_build_sql_- function.
    - Allow zero-dimensional arrays in "contrib/ltree" operations.
      This case was formerly rejected as an error, but it's more
      convenient to treat it the same as a zero-element array. In
      particular this avoids unnecessary failures when an ltree operation
      is applied to the result of ARRAY(SELECT ...) and the sub-select
      returns no rows.
    - Fix assorted crashes in "contrib/xml2" caused by sloppy memory
  * Add 00cvs-unregister-ssl-callbacks.patch: Properly unregister OpenSSL
    callbacks when libpq is done with it's connection. Thanks Ondřej Surý for
    the backport! (Closes: #411982, LP: #63141)

 -- Martin Pitt <mpitt@debian.org>  Sat, 13 Mar 2010 16:33:15 +0100

Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)

Attachment: signature.asc
Description: Digital signature

Reply to: