PostgreSQL releases security updates for all supported branches

Posted by jopen, 12 years ago | 6K views | PostgreSQL

PostgreSQL is a free object-relational database server (database management system) released under a permissive BSD-style license. It is an alternative both to other open-source database systems such as MySQL and Firebird and to proprietary systems such as Oracle, Sybase, IBM DB2 and Microsoft SQL Server.

The PostgreSQL Global Development Group today released security updates for every supported branch: 9.1.4, 9.0.8, 8.4.12 and 8.3.19.

If you use the crypt(text,text) function from the pgcrypto module with traditional DES hashing (a two-character salt, as produced by gen_salt('des')), you should upgrade to the new release immediately. Note that, per the release notes, stored DES hashes that were affected by the bug will no longer match after the upgrade, so the affected users will need to have their passwords rehashed or reset.
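The following SQL is an added example, not code from the original post or from the PostgreSQL project. It assumes a hypothetical table users(username, pw_hash) whose pw_hash column holds pgcrypto crypt() output, and a 9.1 server where pgcrypto is installed as an extension. It shows the affected usage, how verification works, how to find rows still protected by DES crypt, and how to move them to bcrypt.

```sql
-- Added example (not from the original post): auditing a hypothetical
-- users(username, pw_hash) table that stores pgcrypto crypt() output.
CREATE EXTENSION IF NOT EXISTS pgcrypto;   -- 9.1+; older branches use the contrib SQL script

-- The affected usage: traditional DES crypt, selected by the 2-character
-- salt from gen_salt('des'). Output is 13 characters with no scheme prefix.
SELECT crypt('correct horse', gen_salt('des')) AS des_hash;

-- Verification is the same for every scheme: re-hash the candidate with the
-- stored value as the salt and compare.
SELECT username
FROM   users
WHERE  pw_hash = crypt('candidate password', pw_hash);

-- Rows still protected by DES crypt. md5 ($1$), bf ($2a$) and xdes (_)
-- hashes all begin with a scheme marker; DES output does not.
SELECT username
FROM   users
WHERE  pw_hash !~ '^[$_]' AND length(pw_hash) = 13;

-- On the user's next successful login, replace the DES hash with bcrypt
-- (cost 10). 'new-password' and 'alice' stand in for application-supplied values.
UPDATE users
SET    pw_hash = crypt('new-password', gen_salt('bf', 10))
WHERE  username = 'alice';
```

The audit query is also the natural place to start after upgrading: any row it returns was hashed by the DES code path and may stop verifying for users whose passwords triggered the bug, so those accounts are the ones to migrate first.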

Bugs fixed in the 9.1 branch include:

  • Fix citext upgrade script for collations of citext arrays and domains over citext
  • Fixes for timezone handling
  • Fix text or char to name casts to perform string truncation correctly in multibyte encodings
  • Fix memory copying bug in to_tsquery()
  • Ensure txid_current() reports the correct epoch when executed in hot standby
  • Fix planner’s handling of sub-SELECTS referencing variables coming from the nullable side of an outer join of the surrounding query
  • Fix planning of UNION ALL subqueries with output columns that are not simple variables
  • Fix slow session startup when pg_attribute is very large
  • Ensure sequential scans check for query cancel reasonably often
  • Show whole-row variables safely when printing views or rules
  • Fix COPY FROM to properly handle null marker strings that correspond to invalid encoding
  • Fix EXPLAIN VERBOSE for writable CTEs containing RETURNING clauses
  • Fix PREPARE TRANSACTION to work correctly in the presence of advisory locks
  • Fix bugs with temporary or transient tables used in extension scripts
  • Ensure autovacuum worker processes perform stack depth checking properly
  • Fix logging collector to not lose log coherency under high load
  • Fix logging collector to ensure it will restart file rotation after receiving SIGHUP
  • Fix WAL replay logic for GIN indexes to not fail if the index was subsequently dropped
  • Avoid synchronous replication delay when committing a transaction that only modified temporary tables

Two security fixes are included:

  • CVE-2012-2143: Fix incorrect password transformation in contrib/pgcrypto’s DES crypt() function
  • CVE-2012-2655: Ignore SECURITY DEFINER and SET attributes for a procedural language’s call handler

The second of these, CVE-2012-2655, can crash the server outright: applying SECURITY DEFINER or SET attributes to a procedural language's call handler could bring the backend down. Both issues affect all supported PostgreSQL branches, which is why all four were updated.
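The following SQL is an added example, not code from the original post or from the PostgreSQL project. It lists procedural-language call handlers that carry the attributes CVE-2012-2655 concerns, using the system catalogs: pg_language.lanplcallfoid points at the handler's pg_proc row, prosecdef is the SECURITY DEFINER flag and proconfig holds any SET clauses. The ALTER FUNCTION statements assume PL/pgSQL is the language involved.

```sql
-- Added example (not from the original post): find call handlers with
-- SECURITY DEFINER or SET attributes, the condition CVE-2012-2655 concerns.
SELECT l.lanname,
       p.proname,
       p.prosecdef AS security_definer,
       p.proconfig AS set_clauses
FROM   pg_language l
JOIN   pg_proc     p ON p.oid = l.lanplcallfoid
WHERE  l.lanispl                              -- procedural languages only
  AND (p.prosecdef OR p.proconfig IS NOT NULL);

-- The fixed releases ignore these attributes on handlers. Clearing them
-- removes the condition on a server that has not been upgraded yet.
-- (plpgsql_call_handler is assumed to be the handler flagged above.)
ALTER FUNCTION plpgsql_call_handler() SECURITY INVOKER;
ALTER FUNCTION plpgsql_call_handler() RESET ALL;
```

An empty result from the SELECT means no handler in the database carries either attribute; a non-empty result identifies exactly which language's handler to reset while the upgrade is being scheduled.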

For a more detailed description of these vulnerabilities, see the release notes.

Downloads: download page.
