New upstream microreleases: 8.4.3, 8.3.10, 8.1.20

Bug #557408 reported by Martin Pitt
Affects                    Status        Importance  Assigned to   Milestone
postgresql-8.1 (Ubuntu)    Invalid       Undecided   Unassigned
  Dapper                   Fix Released  Medium      Martin Pitt
  Hardy                    Invalid       Undecided   Unassigned
  Jaunty                   Invalid       Undecided   Unassigned
  Karmic                   Invalid       Undecided   Unassigned
  Lucid                    Invalid       Undecided   Unassigned
postgresql-8.3 (Ubuntu)    Invalid       Undecided   Unassigned
  Dapper                   Invalid       Undecided   Unassigned
  Hardy                    Fix Released  Medium      Martin Pitt
  Jaunty                   Fix Released  Medium      Martin Pitt
  Karmic                   Invalid       Undecided   Unassigned
  Lucid                    Invalid       Undecided   Unassigned
postgresql-8.4 (Ubuntu)    Fix Released  Medium      Martin Pitt
  Dapper                   Invalid       Undecided   Unassigned
  Hardy                    Invalid       Undecided   Unassigned
  Jaunty                   Invalid       Undecided   Unassigned
  Karmic                   Fix Released  Undecided   Unassigned
  Lucid                    Fix Released  Medium      Martin Pitt

Bug Description

Binary package hint: postgresql-8.4

PostgreSQL did microrelease updates three weeks ago:

http://www.postgresql.org/docs/8.4/static/release-8-4-3.html
http://www.postgresql.org/docs/8.3/static/release-8-3-10.html
http://www.postgresql.org/docs/8.1/static/release.html#RELEASE-8-1-20

They mention a CVE, but this was quite overzealous (local authenticated DoS), so this should go through the normal SRU process.

Martin Pitt (pitti) wrote :

I'll sync 8.4.3 from sid after the beta-2 freeze.

Changed in postgresql-8.4 (Ubuntu Dapper):
status: New → Invalid
Changed in postgresql-8.4 (Ubuntu Hardy):
status: New → Invalid
Changed in postgresql-8.4 (Ubuntu Jaunty):
status: New → Invalid
Changed in postgresql-8.4 (Ubuntu Karmic):
status: New → In Progress
Changed in postgresql-8.4 (Ubuntu Lucid):
assignee: nobody → Martin Pitt (pitti)
importance: Undecided → Medium
milestone: none → ubuntu-10.04
status: New → Fix Committed
Changed in postgresql-8.3 (Ubuntu Dapper):
status: New → Invalid
Changed in postgresql-8.3 (Ubuntu Lucid):
status: New → Invalid
Changed in postgresql-8.3 (Ubuntu Karmic):
status: New → Invalid
Changed in postgresql-8.1 (Ubuntu Lucid):
status: New → Invalid
Changed in postgresql-8.3 (Ubuntu Jaunty):
assignee: nobody → Martin Pitt (pitti)
importance: Undecided → Medium
status: New → In Progress
Changed in postgresql-8.1 (Ubuntu Karmic):
status: New → Invalid
Changed in postgresql-8.3 (Ubuntu Hardy):
assignee: nobody → Martin Pitt (pitti)
importance: Undecided → Medium
status: New → In Progress
Changed in postgresql-8.1 (Ubuntu Jaunty):
status: New → Invalid
Changed in postgresql-8.1 (Ubuntu Dapper):
assignee: nobody → Martin Pitt (pitti)
importance: Undecided → Medium
status: New → In Progress
Changed in postgresql-8.1 (Ubuntu Hardy):
status: New → Invalid
Martin Pitt (pitti) wrote :

I didn't see any regression reports in Debian or upstream so far, so it's time to push those to stables. I'm preparing the updates now.

Martin Pitt (pitti) wrote :

I uploaded the dapper/hardy/jaunty/karmic updates to -proposed, where they await signoff/accepting from another SRU team member. I did not provide intrepid updates any more; intrepid is three weeks before EOL, of which we probably need about two to verify the new versions.

The hardy update additionally fixes bug 63141, since that is relevant for server environments.

Colin Watson (cjwatson) wrote : Please test proposed package

Accepted postgresql-8.1 into dapper-proposed; the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in postgresql-8.1 (Ubuntu Dapper):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in postgresql-8.3 (Ubuntu Hardy):
status: In Progress → Fix Committed
Colin Watson (cjwatson) wrote :

Accepted postgresql-8.3 into hardy-proposed; the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in postgresql-8.3 (Ubuntu Jaunty):
status: In Progress → Fix Committed
Colin Watson (cjwatson) wrote :

Accepted postgresql-8.3 into jaunty-proposed; the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in postgresql-8.4 (Ubuntu Karmic):
status: In Progress → Fix Committed
Colin Watson (cjwatson) wrote :

Accepted postgresql-8.4 into karmic-proposed; the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Martin Pitt (pitti) wrote :

8.4.3 synced from Debian into lucid.

Changed in postgresql-8.4 (Ubuntu Lucid):
status: Fix Committed → Fix Released
Leonel Nunez (leonelnunez) wrote :

Tested packages from hardy/jaunty/karmic -proposed; all upgraded and worked fine.

Martin Pitt (pitti) wrote :

The upstream test suites all succeeded (otherwise the packages would have failed to build). I ran the postgresql-common integration test suites on the -proposed packages, and they show no regression.

tags: added: verification-done
removed: verification-needed
Martin Pitt (pitti) wrote :

For the record, I updated the hardy and jaunty backports for 8.4 as well.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-8.3 - 8.3.10-0ubuntu8.04

---------------
postgresql-8.3 (8.3.10-0ubuntu8.04) hardy-proposed; urgency=low

  * New upstream bug fix release: (LP: #557408)
    - Add new configuration parameter ssl_renegotiation_limit to control
      how often we do session key renegotiation for an SSL connection.
      This can be set to zero to disable renegotiation completely, which
      may be required if a broken SSL library is used. In particular,
      some vendors are shipping stopgap patches for CVE-2009-3555 that
      cause renegotiation attempts to fail.
    - Fix possible deadlock during backend startup.
    - Fix possible crashes due to not handling errors during relcache
      reload cleanly.
    - Fix possible crash due to use of dangling pointer to a cached plan.
    - Fix possible crashes when trying to recover from a failure in
      subtransaction start.
    - Fix server memory leak associated with use of savepoints and a
      client encoding different from server's encoding.
    - Fix incorrect WAL data emitted during end-of-recovery cleanup of a
      GIST index page split.
      This would result in index corruption, or even more likely an error
      during WAL replay, if we were unlucky enough to crash during
      end-of-recovery cleanup after having completed an incomplete GIST
      insertion.
    - Make substring() for bit types treat any negative length as meaning
      "all the rest of the string".
      The previous coding treated only -1 that way, and would produce an
      invalid result value for other negative values, possibly leading to
      a crash (CVE-2010-0442). (Closes: #567058)
    - Fix integer-to-bit-string conversions to handle the first
      fractional byte correctly when the output bit width is wider than
      the given integer by something other than a multiple of 8 bits.
    - Fix some cases of pathologically slow regular expression matching.
    - Fix assorted crashes in xml processing caused by sloppy memory
      management.
      This is a back-patch of changes first applied in 8.4. The 8.3 code
      was known buggy, but the new code was sufficiently different to not
      want to back-patch it until it had gotten some field testing.
    - Fix bug with trying to update a field of an element of a
      composite-type array column.
    - Fix the STOP WAL LOCATION entry in backup history files to report
      the next WAL segment's name when the end location is exactly at a
      segment boundary.
    - Fix some more cases of temporary-file leakage.
      This corrects a problem introduced in the previous minor release.
      One case that failed is when a plpgsql function returning set is
      called within another function's exception handler.
    - Improve constraint exclusion processing of boolean-variable cases,
      in particular make it possible to exclude a partition that has a
      "bool_column = false" constraint.
    - When reading "pg_hba.conf" and related files, do not treat
      @something as a file inclusion request if the @ appears inside
      quote marks; also, never treat @ by itself as a file inclusion
      request.
      This prevent...


Changed in postgresql-8.3 (Ubuntu Hardy):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

postgresql-8.1 dapper-proposed copied to dapper-updates.

Changed in postgresql-8.1 (Ubuntu Dapper):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-8.3 - 8.3.10-0ubuntu9.04

---------------
postgresql-8.3 (8.3.10-0ubuntu9.04) jaunty-proposed; urgency=low

  * New upstream bug fix release: (LP: #557408)
    - Add new configuration parameter ssl_renegotiation_limit to control
      how often we do session key renegotiation for an SSL connection.
      This can be set to zero to disable renegotiation completely, which
      may be required if a broken SSL library is used. In particular,
      some vendors are shipping stopgap patches for CVE-2009-3555 that
      cause renegotiation attempts to fail.
    - Fix possible deadlock during backend startup.
    - Fix possible crashes due to not handling errors during relcache
      reload cleanly.
    - Fix possible crash due to use of dangling pointer to a cached plan.
    - Fix possible crashes when trying to recover from a failure in
      subtransaction start.
    - Fix server memory leak associated with use of savepoints and a
      client encoding different from server's encoding.
    - Fix incorrect WAL data emitted during end-of-recovery cleanup of a
      GIST index page split.
      This would result in index corruption, or even more likely an error
      during WAL replay, if we were unlucky enough to crash during
      end-of-recovery cleanup after having completed an incomplete GIST
      insertion.
    - Make substring() for bit types treat any negative length as meaning
      "all the rest of the string".
      The previous coding treated only -1 that way, and would produce an
      invalid result value for other negative values, possibly leading to
      a crash (CVE-2010-0442). (Closes: #567058)
    - Fix integer-to-bit-string conversions to handle the first
      fractional byte correctly when the output bit width is wider than
      the given integer by something other than a multiple of 8 bits.
    - Fix some cases of pathologically slow regular expression matching.
    - Fix assorted crashes in xml processing caused by sloppy memory
      management.
      This is a back-patch of changes first applied in 8.4. The 8.3 code
      was known buggy, but the new code was sufficiently different to not
      want to back-patch it until it had gotten some field testing.
    - Fix bug with trying to update a field of an element of a
      composite-type array column.
    - Fix the STOP WAL LOCATION entry in backup history files to report
      the next WAL segment's name when the end location is exactly at a
      segment boundary.
    - Fix some more cases of temporary-file leakage.
      This corrects a problem introduced in the previous minor release.
      One case that failed is when a plpgsql function returning set is
      called within another function's exception handler.
    - Improve constraint exclusion processing of boolean-variable cases,
      in particular make it possible to exclude a partition that has a
      "bool_column = false" constraint.
    - When reading "pg_hba.conf" and related files, do not treat
      @something as a file inclusion request if the @ appears inside
      quote marks; also, never treat @ by itself as a file inclusion
      request.
      This preven...


Changed in postgresql-8.3 (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-8.4 - 8.4.3-0ubuntu9.10

---------------
postgresql-8.4 (8.4.3-0ubuntu9.10) karmic-proposed; urgency=low

  * New upstream bug fix release: (LP: #557408)
    - Add new configuration parameter ssl_renegotiation_limit to control
      how often we do session key renegotiation for an SSL connection.
      This can be set to zero to disable renegotiation completely, which
      may be required if a broken SSL library is used. In particular,
      some vendors are shipping stopgap patches for CVE-2009-3555 that
      cause renegotiation attempts to fail.
    - Fix possible deadlock during backend startup.
    - Fix possible crashes due to not handling errors during relcache
      reload cleanly.
    - Fix possible crash due to use of dangling pointer to a cached plan.
    - Fix possible crash due to overenthusiastic invalidation of cached
      plan for "ROLLBACK".
    - Fix possible crashes when trying to recover from a failure in
      subtransaction start.
    - Fix server memory leak associated with use of savepoints and a
      client encoding different from server's encoding.
    - Fix incorrect WAL data emitted during end-of-recovery cleanup of a
      GIST index page split.
    - Fix bug in WAL redo cleanup method for GIN indexes.
    - Fix incorrect comparison of scan key in GIN index search.
    - Make substring() for bit types treat any negative length as meaning
      "all the rest of the string". The previous coding treated only -1 that
      way, and would produce an invalid result value for other negative
      values, possibly leading to a crash (CVE-2010-0442).
    - Fix integer-to-bit-string conversions to handle the first
      fractional byte correctly when the output bit width is wider than
      the given integer by something other than a multiple of 8 bits.
    - Fix some cases of pathologically slow regular expression matching.
    - Fix bug occurring when trying to inline a SQL function that returns
      a set of a composite type that contains dropped columns.
    - Fix bug with trying to update a field of an element of a
      composite-type array column.
    - Avoid failure when "EXPLAIN" has to print a FieldStore or
      assignment ArrayRef expression.
      These cases can arise now that "EXPLAIN VERBOSE" tries to print
      plan node target lists.
    - Avoid an unnecessary coercion failure in some cases where an
      undecorated literal string appears in a subquery within
      "UNION"/"INTERSECT"/"EXCEPT".
      This fixes a regression for some cases that worked before 8.4.
    - Avoid undesirable rowtype compatibility check failures in some
      cases where a whole-row Var has a rowtype that contains dropped
      columns.
    - Fix the STOP WAL LOCATION entry in backup history files to report
      the next WAL segment's name when the end location is exactly at a
      segment boundary.
    - Always pass the catalog ID to an option validator function
      specified in "CREATE FOREIGN DATA WRAPPER".
    - Fix some more cases of temporary-file leakage.
      This corrects a problem introduced in the previous minor release.
      One case that failed is when a plpgsq...


Changed in postgresql-8.4 (Ubuntu Karmic):
status: Fix Committed → Fix Released