Skip to content
GitLab
Explore
Sign in
Register
Primary navigation
Search or go to…
Project
P
postgres-lambda-diff
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Wiki
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Container registry
Model registry
Operate
Environments
Monitor
Incidents
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Jakob Huber
postgres-lambda-diff
Commits
e9cc5302
Commit
e9cc5302
authored
19 years ago
by
Tom Lane
Browse files
Options
Downloads
Patches
Plain Diff
Update release notes for upcoming releases.
parent
c6aa53e8
No related branches found
No related tags found
No related merge requests found
Changes
1
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
doc/src/sgml/release.sgml
+430
-14
430 additions, 14 deletions
doc/src/sgml/release.sgml
with
430 additions
and
14 deletions
doc/src/sgml/release.sgml
+
430
−
14
View file @
e9cc5302
<!-- $PostgreSQL: pgsql/doc/src/sgml/release.sgml,v 1.42
7
2006/05/
19 03:55:40 momjian
Exp $ -->
<!-- $PostgreSQL: pgsql/doc/src/sgml/release.sgml,v 1.42
8
2006/05/
21 21:49:22 tgl
Exp $ -->
<!--
<!--
Typical markup:
Typical markup:
...
@@ -24,11 +24,12 @@ For new features, add links to the documentation sections.
...
@@ -24,11 +24,12 @@ For new features, add links to the documentation sections.
<note>
<note>
<title>Release date</title>
<title>Release date</title>
<simpara>2006-05-2
2
</simpara>
<simpara>2006-05-2
3
</simpara>
</note>
</note>
<para>
<para>
This release contains a variety of fixes from 8.1.3,
This release contains a variety of fixes from 8.1.3,
including patches for extremely serious security issues.
</para>
</para>
<sect2>
<sect2>
...
@@ -39,26 +40,132 @@ For new features, add links to the documentation sections.
...
@@ -39,26 +40,132 @@ For new features, add links to the documentation sections.
However, if you are upgrading from a version earlier than 8.1.2,
However, if you are upgrading from a version earlier than 8.1.2,
see the release notes for 8.1.2.
see the release notes for 8.1.2.
</para>
</para>
<para>
Full security against the SQL-injection attacks described in
CVE-2006-2313 and CVE-2006-2314 may require changes in application
code. If you have applications that embed untrustworthy strings
into SQL commands, you should examine them as soon as possible to
ensure that they are using recommended escaping techniques. In
most cases, applications should be using subroutines provided by
libraries or drivers (such as <application>libpq</>'s
<function>PQescapeStringConn()</>) to perform string escaping,
rather than relying on <foreignphrase>ad hoc</> code to do it.
</para>
</sect2>
</sect2>
<sect2>
<sect2>
<title>Changes</title>
<title>Changes</title>
<itemizedlist>
<itemizedlist>
<listitem><para>Improve sort performance (Tom, Dann Corbit)</para></listitem>
<listitem><para>Change the server to reject invalidly-encoded multibyte
<listitem><para>Disable <literal>full_page_writes</> because of reliability bug (Tom)</para>
characters in all cases (Tatsuo, Tom)</para>
<para>In certain cases, <literal>full_page_writes</> would cause crash recovery to fail.
<para>While <productname>PostgreSQL</> has been moving in this direction for
some time, the checks are now applied uniformly to all encodings and all
textual input, and are now always errors not merely warnings. This change
defends against SQL-injection attacks of the type described in CVE-2006-2313.
</para></listitem>
<listitem><para>Reject unsafe uses of <literal>\'</> in string literals</para>
<para>As a server-side defense against SQL-injection attacks of the type
described in CVE-2006-2314, the server now only accepts <literal>''</> and not
<literal>\'</> as a representation of ASCII single quote in SQL string
literals. By default, <literal>\'</> is rejected only when
<varname>client_encoding</> is set to a client-only encoding (SJIS, BIG5, GBK,
GB18030, or UHC), which is the scenario in which SQL injection is possible.
A new configuration parameter <varname>backslash_quote</> is available to
adjust this behavior when needed. Note that full security against
CVE-2006-2314 may require client-side changes; the purpose of
<varname>backslash_quote</> is in part to make it obvious that insecure
clients are insecure.
</para></listitem>
<listitem><para>Modify <application>libpq</>'s string-escaping routines to be
aware of encoding considerations and
<varname>standard_conforming_strings</></para>
<para>This fixes <application>libpq</>-using applications for the security
issues described in CVE-2006-2313 and CVE-2006-2314, and also future-proofs
them against the planned changeover to SQL-standard string literal syntax.
Applications that use multiple <productname>PostgreSQL</> connections
concurrently should migrate to <function>PQescapeStringConn()</> and
<function>PQescapeByteaConn()</> to ensure that escaping is done correctly
for the settings in use in each database connection. Applications that
do string escaping <quote>by hand</> should be modified to rely on library
routines instead.
</para></listitem>
<listitem><para>Fix weak key selection in pgcrypto (Marko Kreen)</para>
<para>Errors in fortuna PRNG reseeding logic could cause a predictable
session key to be selected by <function>pgp_sym_encrypt()</> in some cases.
This only affects non-OpenSSL-using builds.
</para></listitem>
<listitem><para>Fix some incorrect encoding conversion functions</para>
<para><function>win1251_to_iso</>, <function>win866_to_iso</>,
<function>euc_tw_to_big5</>, <function>euc_tw_to_mic</>,
<function>mic_to_euc_tw</> were all broken to varying
extents.
</para></listitem>
</para></listitem>
<listitem><para>Various bitmap scan improvements (Tom)</para></listitem>
<listitem><para>Have <application>pg_dumpall</> dumping pre-8.1 databases with identical user
<listitem><para>Clean up stray remaining uses of <literal>\'</> in strings
and group names create a single role with <literal>LOGIN</> permission (Tom)</para></listitem>
(Bruce, Jan)</para></listitem>
<listitem><para>Fix <application>pg_restore</> <literal>-n</> (Tom)</para></listitem>
<listitem><para>Fix <literal>SIMILAR TO</> for alternative values (Tom)</para></listitem>
<listitem><para>Make autovacuum visible in <structname>pg_stat_activity</>
<listitem><para>Fix <command>SELECT INTO</> and <command>CREATE TABLE AS</> to create tables in the default
(Alvaro)</para></listitem>
tablespace, not the base directory (Kris Jurka)</para></listitem>
<listitem><para>Fix problem with password prompting on some Win32 systems (Robert
<listitem><para>Disable <literal>full_page_writes</> (Tom)</para>
Kinberg)</para></listitem>
<para>In certain cases, having <literal>full_page_writes</> off would cause
crash recovery to fail. A proper fix will appear in 8.2; for now it's just
disabled.
</para></listitem>
<listitem><para>Various planner fixes, particularly for bitmap index scans and
MIN/MAX optimization (Tom)</para></listitem>
<listitem><para>Fix incorrect optimization in merge join (Tom)</para>
<para>Outer joins could sometimes emit multiple copies of unmatched rows.
</para></listitem>
<listitem><para>Fix crash from using and modifying a plpgsql function in the
same transaction</para></listitem>
<listitem><para>Fix WAL replay for case where a btree index has been
truncated</para></listitem>
<listitem><para>Fix <literal>SIMILAR TO</> for patterns involving
<literal>|</> (Tom)</para></listitem>
<listitem><para>Fix <command>SELECT INTO</> and <command>CREATE TABLE AS</> to
create tables in the default tablespace, not the base directory (Kris
Jurka)</para></listitem>
<listitem><para>Fix server to use custom DH SSL parameters correctly (Michael
Fuhr)</para></listitem>
<listitem><para>Improve qsort performance (Dann Corbit)</para>
<para>Currently this code is only used on Solaris.
</para></listitem>
<listitem><para>Fix for Bonjour on Intel Macs (Ashley Clark)</para></listitem>
<listitem><para>Fix for Bonjour on Intel Macs (Ashley Clark)</para></listitem>
<listitem><para>Fix various minor memory leaks</para></listitem>
<listitem><para>Fix problem with password prompting on some Win32 systems
(Robert Kinberg)</para></listitem>
<listitem><para>Improve <application>pg_dump</>'s handling of default values
for domains</para></listitem>
<listitem><para>Fix <application>pg_dumpall</> to handle identically-named
users and groups reasonably (only possible when dumping from a pre-8.1 server)
(Tom)</para>
<para>The user and group will be merged into a single role with
<literal>LOGIN</> permission. Formerly the merged role wouldn't have
<literal>LOGIN</> permission, making it unusable as a user.
</para></listitem>
<listitem><para>Fix <application>pg_restore</> <literal>-n</> to work as
documented (Tom)</para></listitem>
</itemizedlist>
</itemizedlist>
</sect2>
</sect2>
...
@@ -2497,6 +2604,118 @@ psql -t -f fixseq.sql db1 | psql -e db1
...
@@ -2497,6 +2604,118 @@ psql -t -f fixseq.sql db1 | psql -e db1
</sect2>
</sect2>
</sect1>
</sect1>
<sect1 id="release-8-0-8">
<title>Release 8.0.8</title>
<note>
<title>Release date</title>
<simpara>2006-05-23</simpara>
</note>
<para>
This release contains a variety of fixes from 8.0.7,
including patches for extremely serious security issues.
</para>
<sect2>
<title>Migration to version 8.0.8</title>
<para>
A dump/restore is not required for those running 8.0.X. However,
if you are upgrading from a version earlier than 8.0.6, see the release
notes for 8.0.6.
</para>
<para>
Full security against the SQL-injection attacks described in
CVE-2006-2313 and CVE-2006-2314 may require changes in application
code. If you have applications that embed untrustworthy strings
into SQL commands, you should examine them as soon as possible to
ensure that they are using recommended escaping techniques. In
most cases, applications should be using subroutines provided by
libraries or drivers (such as <application>libpq</>'s
<function>PQescapeStringConn()</>) to perform string escaping,
rather than relying on <foreignphrase>ad hoc</> code to do it.
</para>
</sect2>
<sect2>
<title>Changes</title>
<itemizedlist>
<listitem><para>Change the server to reject invalidly-encoded multibyte
characters in all cases (Tatsuo, Tom)</para>
<para>While <productname>PostgreSQL</> has been moving in this direction for
some time, the checks are now applied uniformly to all encodings and all
textual input, and are now always errors not merely warnings. This change
defends against SQL-injection attacks of the type described in CVE-2006-2313.
</para></listitem>
<listitem><para>Reject unsafe uses of <literal>\'</> in string literals</para>
<para>As a server-side defense against SQL-injection attacks of the type
described in CVE-2006-2314, the server now only accepts <literal>''</> and not
<literal>\'</> as a representation of ASCII single quote in SQL string
literals. By default, <literal>\'</> is rejected only when
<varname>client_encoding</> is set to a client-only encoding (SJIS, BIG5, GBK,
GB18030, or UHC), which is the scenario in which SQL injection is possible.
A new configuration parameter <varname>backslash_quote</> is available to
adjust this behavior when needed. Note that full security against
CVE-2006-2314 may require client-side changes; the purpose of
<varname>backslash_quote</> is in part to make it obvious that insecure
clients are insecure.
</para></listitem>
<listitem><para>Modify <application>libpq</>'s string-escaping routines to be
aware of encoding considerations and
<varname>standard_conforming_strings</></para>
<para>This fixes <application>libpq</>-using applications for the security
issues described in CVE-2006-2313 and CVE-2006-2314, and also future-proofs
them against the planned changeover to SQL-standard string literal syntax.
Applications that use multiple <productname>PostgreSQL</> connections
concurrently should migrate to <function>PQescapeStringConn()</> and
<function>PQescapeByteaConn()</> to ensure that escaping is done correctly
for the settings in use in each database connection. Applications that
do string escaping <quote>by hand</> should be modified to rely on library
routines instead.
</para></listitem>
<listitem><para>Fix some incorrect encoding conversion functions</para>
<para><function>win1251_to_iso</>, <function>alt_to_iso</>,
<function>euc_tw_to_big5</>, <function>euc_tw_to_mic</>,
<function>mic_to_euc_tw</> were all broken to varying
extents.
</para></listitem>
<listitem><para>Clean up stray remaining uses of <literal>\'</> in strings
(Bruce, Jan)</para></listitem>
<listitem><para>Fix bug that sometimes caused OR'd index scans to
miss rows they should have returned</para></listitem>
<listitem><para>Fix WAL replay for case where a btree index has been
truncated</para></listitem>
<listitem><para>Fix <literal>SIMILAR TO</> for patterns involving
<literal>|</> (Tom)</para></listitem>
<listitem><para>Fix <command>SELECT INTO</> and <command>CREATE TABLE AS</> to
create tables in the default tablespace, not the base directory (Kris
Jurka)</para></listitem>
<listitem><para>Fix server to use custom DH SSL parameters correctly (Michael
Fuhr)</para></listitem>
<listitem><para>Fix for Bonjour on Intel Macs (Ashley Clark)</para></listitem>
<listitem><para>Fix various minor memory leaks</para></listitem>
<listitem><para>Fix problem with password prompting on some Win32 systems
(Robert Kinberg)</para></listitem>
</itemizedlist>
</sect2>
</sect1>
<sect1 id="release-8-0-7">
<sect1 id="release-8-0-7">
<title>Release 8.0.7</title>
<title>Release 8.0.7</title>
...
@@ -5538,6 +5757,111 @@ typedefs (Michael)</para></listitem>
...
@@ -5538,6 +5757,111 @@ typedefs (Michael)</para></listitem>
</sect2>
</sect2>
</sect1>
</sect1>
<sect1 id="release-7-4-13">
<title>Release 7.4.13</title>
<note>
<title>Release date</title>
<simpara>2006-05-23</simpara>
</note>
<para>
This release contains a variety of fixes from 7.4.12,
including patches for extremely serious security issues.
</para>
<sect2>
<title>Migration to version 7.4.13</title>
<para>
A dump/restore is not required for those running 7.4.X. However,
if you are upgrading from a version earlier than 7.4.11, see the release
notes for 7.4.11.
</para>
<para>
Full security against the SQL-injection attacks described in
CVE-2006-2313 and CVE-2006-2314 may require changes in application
code. If you have applications that embed untrustworthy strings
into SQL commands, you should examine them as soon as possible to
ensure that they are using recommended escaping techniques. In
most cases, applications should be using subroutines provided by
libraries or drivers (such as <application>libpq</>'s
<function>PQescapeStringConn()</>) to perform string escaping,
rather than relying on <foreignphrase>ad hoc</> code to do it.
</para>
</sect2>
<sect2>
<title>Changes</title>
<itemizedlist>
<listitem><para>Change the server to reject invalidly-encoded multibyte
characters in all cases (Tatsuo, Tom)</para>
<para>While <productname>PostgreSQL</> has been moving in this direction for
some time, the checks are now applied uniformly to all encodings and all
textual input, and are now always errors not merely warnings. This change
defends against SQL-injection attacks of the type described in CVE-2006-2313.
</para></listitem>
<listitem><para>Reject unsafe uses of <literal>\'</> in string literals</para>
<para>As a server-side defense against SQL-injection attacks of the type
described in CVE-2006-2314, the server now only accepts <literal>''</> and not
<literal>\'</> as a representation of ASCII single quote in SQL string
literals. By default, <literal>\'</> is rejected only when
<varname>client_encoding</> is set to a client-only encoding (SJIS, BIG5, GBK,
GB18030, or UHC), which is the scenario in which SQL injection is possible.
A new configuration parameter <varname>backslash_quote</> is available to
adjust this behavior when needed. Note that full security against
CVE-2006-2314 may require client-side changes; the purpose of
<varname>backslash_quote</> is in part to make it obvious that insecure
clients are insecure.
</para></listitem>
<listitem><para>Modify <application>libpq</>'s string-escaping routines to be
aware of encoding considerations and
<varname>standard_conforming_strings</></para>
<para>This fixes <application>libpq</>-using applications for the security
issues described in CVE-2006-2313 and CVE-2006-2314, and also future-proofs
them against the planned changeover to SQL-standard string literal syntax.
Applications that use multiple <productname>PostgreSQL</> connections
concurrently should migrate to <function>PQescapeStringConn()</> and
<function>PQescapeByteaConn()</> to ensure that escaping is done correctly
for the settings in use in each database connection. Applications that
do string escaping <quote>by hand</> should be modified to rely on library
routines instead.
</para></listitem>
<listitem><para>Fix some incorrect encoding conversion functions</para>
<para><function>win1251_to_iso</>, <function>alt_to_iso</>,
<function>euc_tw_to_big5</>, <function>euc_tw_to_mic</>,
<function>mic_to_euc_tw</> were all broken to varying
extents.
</para></listitem>
<listitem><para>Clean up stray remaining uses of <literal>\'</> in strings
(Bruce, Jan)</para></listitem>
<listitem><para>Fix bug that sometimes caused OR'd index scans to
miss rows they should have returned</para></listitem>
<listitem><para>Fix WAL replay for case where a btree index has been
truncated</para></listitem>
<listitem><para>Fix <literal>SIMILAR TO</> for patterns involving
<literal>|</> (Tom)</para></listitem>
<listitem><para>Fix server to use custom DH SSL parameters correctly (Michael
Fuhr)</para></listitem>
<listitem><para>Fix for Bonjour on Intel Macs (Ashley Clark)</para></listitem>
<listitem><para>Fix various minor memory leaks</para></listitem>
</itemizedlist>
</sect2>
</sect1>
<sect1 id="release-7-4-12">
<sect1 id="release-7-4-12">
<title>Release 7.4.12</title>
<title>Release 7.4.12</title>
...
@@ -8347,6 +8671,98 @@ DROP SCHEMA information_schema CASCADE;
...
@@ -8347,6 +8671,98 @@ DROP SCHEMA information_schema CASCADE;
</sect2>
</sect2>
</sect1>
</sect1>
<sect1 id="release-7-3-15">
<title>Release 7.3.15</title>
<note>
<title>Release date</title>
<simpara>2006-05-23</simpara>
</note>
<para>
This release contains a variety of fixes from 7.3.14,
including patches for extremely serious security issues.
</para>
<sect2>
<title>Migration to version 7.3.15</title>
<para>
A dump/restore is not required for those running 7.3.X. However,
if you are upgrading from a version earlier than 7.3.13, see the release
notes for 7.3.13.
</para>
<para>
Full security against the SQL-injection attacks described in
CVE-2006-2313 and CVE-2006-2314 may require changes in application
code. If you have applications that embed untrustworthy strings
into SQL commands, you should examine them as soon as possible to
ensure that they are using recommended escaping techniques. In
most cases, applications should be using subroutines provided by
libraries or drivers (such as <application>libpq</>'s
<function>PQescapeStringConn()</>) to perform string escaping,
rather than relying on <foreignphrase>ad hoc</> code to do it.
</para>
</sect2>
<sect2>
<title>Changes</title>
<itemizedlist>
<listitem><para>Change the server to reject invalidly-encoded multibyte
characters in all cases (Tatsuo, Tom)</para>
<para>While <productname>PostgreSQL</> has been moving in this direction for
some time, the checks are now applied uniformly to all encodings and all
textual input, and are now always errors not merely warnings. This change
defends against SQL-injection attacks of the type described in CVE-2006-2313.
</para></listitem>
<listitem><para>Reject unsafe uses of <literal>\'</> in string literals</para>
<para>As a server-side defense against SQL-injection attacks of the type
described in CVE-2006-2314, the server now only accepts <literal>''</> and not
<literal>\'</> as a representation of ASCII single quote in SQL string
literals. By default, <literal>\'</> is rejected only when
<varname>client_encoding</> is set to a client-only encoding (SJIS, BIG5, GBK,
GB18030, or UHC), which is the scenario in which SQL injection is possible.
A new configuration parameter <varname>backslash_quote</> is available to
adjust this behavior when needed. Note that full security against
CVE-2006-2314 may require client-side changes; the purpose of
<varname>backslash_quote</> is in part to make it obvious that insecure
clients are insecure.
</para></listitem>
<listitem><para>Modify <application>libpq</>'s string-escaping routines to be
aware of encoding considerations</para>
<para>This fixes <application>libpq</>-using applications for the security
issues described in CVE-2006-2313 and CVE-2006-2314.
Applications that use multiple <productname>PostgreSQL</> connections
concurrently should migrate to <function>PQescapeStringConn()</> and
<function>PQescapeByteaConn()</> to ensure that escaping is done correctly
for the settings in use in each database connection. Applications that
do string escaping <quote>by hand</> should be modified to rely on library
routines instead.
</para></listitem>
<listitem><para>Fix some incorrect encoding conversion functions</para>
<para><function>win1251_to_iso</>, <function>alt_to_iso</>,
<function>euc_tw_to_big5</>, <function>euc_tw_to_mic</>,
<function>mic_to_euc_tw</> were all broken to varying
extents.
</para></listitem>
<listitem><para>Clean up stray remaining uses of <literal>\'</> in strings
(Bruce, Jan)</para></listitem>
<listitem><para>Fix server to use custom DH SSL parameters correctly (Michael
Fuhr)</para></listitem>
<listitem><para>Fix various minor memory leaks</para></listitem>
</itemizedlist>
</sect2>
</sect1>
<sect1 id="release-7-3-14">
<sect1 id="release-7-3-14">
<title>Release 7.3.14</title>
<title>Release 7.3.14</title>
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
