PostgreSQL发布全系重要安全补丁

2012-06-05 72694人围观 资讯

PostgreSQL 是一个自由的对象-关系数据库服务器(数据库管理系统),它在灵活的 BSD-风格许可证下发行。它提供了相对其他开放源代码数据库系统(比如 MySQL 和 Firebird),和对专有系统比如 Oracle、Sybase、IBM 的 DB2 和 Microsoft SQL Server的一种选择。

PostgreSQL 全球开发组今天发布了全系的安全更新版本,包括:9.1.4, 9.0.8, 8.4.12 and 8.3.19.

如果你使用了 pg_crypto 模块中的 crypt(text,text) 函数用于 DES 加密的话,那你应该立即更新到最新版本。

其中 9.1 版本修复的 bug 包括:

  • Fix citext upgrade script for collations of citext arrays and domains over citext
  • Fixes for timezone handling
  • Fix text or char to name casts to perform string truncation correctly in multibyte encodings
  • Fix memory copying bug in to_tsquery()
  • Ensure txid_current() reports the correct epoch when executed in hot standby
  • Fix planner’s handling of sub-SELECTS referencing variables coming from the nullable side of an outer join of the surrounding query
  • Fix planning of UNION ALL subqueries with output columns that are not simple variables
  • Fix slow session startup when pg_attribute is very large
  • Ensure sequential scans check for query cancel reasonably often
  • Show whole-row variables safely when printing views or rules
  • Fix COPY FROM to properly handle null marker strings that correspond to invalid encoding
  • Fix EXPLAIN VERBOSE for writable CTEs containing RETURNING clauses
  • Fix PREPARE TRANSACTION to work correctly in the presence of advisory locks
  • Fix bugs with temporary or transient tables used in extension scripts
  • Ensure autovacuum worker processes perform stack depth checking properly
  • Fix logging collector to not lose log coherency under high load
  • Fix logging collector to ensure it will restart file rotation after receiving SIGHUP
  • Fix WAL replay logic for GIN indexes to not fail if the index was subsequently dropped
  • Avoid synchronous replication delay when committing a transaction that only modified temporary tables

包含两个安全补丁:

  • CVE-2012-2143: Fix incorrect password transformation in contrib/pgcrypto’s DES crypt() function
  • CVE-2012-2655: Ignore SECURITY DEFINER and SET attributes for a procedural language’s call handler

这个漏洞会直接导致服务器挂机,而且影响到所有的 PostgreSQL 版本。

关于此漏洞的更详细描述请看发行说明

下载地址:download page.

取消
Loading...
css.php