Release date: 2008-01-07
This release contains a variety of fixes from 7.4.18, including fixes for significant security issues. For information about new features in the 7.4 major release, see Section E.305.
A dump/restore is not required for those running 7.4.X. However, if you are upgrading from a version earlier than 7.4.11, see Section E.294.
Prevent functions in indexes from executing with the privileges of
the user running VACUUM
, ANALYZE
, etc (Tom)
Functions used in index expressions and partial-index
predicates are evaluated whenever a new table entry is made. It has
long been understood that this poses a risk of trojan-horse code
execution if one modifies a table owned by an untrustworthy user.
(Note that triggers, defaults, check constraints, etc. pose the
same type of risk.) But functions in indexes pose extra danger
because they will be executed by routine maintenance operations
such as VACUUM FULL
, which are commonly performed
automatically under a superuser account. For example, a nefarious user
can execute code with superuser privileges by setting up a
trojan-horse index definition and waiting for the next routine vacuum.
The fix arranges for standard maintenance operations
(including VACUUM
, ANALYZE
, REINDEX
,
and CLUSTER
) to execute as the table owner rather than
the calling user, using the same privilege-switching mechanism already
used for SECURITY DEFINER
functions. To prevent bypassing
this security measure, execution of SET SESSION
AUTHORIZATION
and SET ROLE
is now forbidden within a
SECURITY DEFINER
context. (CVE-2007-6600)
Repair assorted bugs in the regular-expression package (Tom, Will Drewry)
Suitably crafted regular-expression patterns could cause crashes, infinite or near-infinite looping, and/or massive memory consumption, all of which pose denial-of-service hazards for applications that accept regex search patterns from untrustworthy sources. (CVE-2007-4769, CVE-2007-4772, CVE-2007-6067)
Require non-superusers who use /contrib/dblink
to use only
password authentication, as a security measure (Joe)
The fix that appeared for this in 7.4.18 was incomplete, as it plugged
the hole for only some dblink
functions. (CVE-2007-6601,
CVE-2007-3278)
Fix planner failure in some cases of WHERE false AND var IN
(SELECT ...)
(Tom)
Fix potential crash in translate()
when using a multibyte
database encoding (Tom)
Fix PL/Python to not crash on long exception messages (Alvaro)
ecpg parser fixes (Michael)
Make contrib/tablefunc
's crosstab()
handle
NULL rowid as a category in its own right, rather than crashing (Joe)
Fix tsvector
and tsquery
output routines to
escape backslashes correctly (Teodor, Bruce)
Fix crash of to_tsvector()
on huge input strings (Teodor)
Require a specific version of Autoconf to be used
when re-generating the configure
script (Peter)
This affects developers and packagers only. The change was made to prevent accidental use of untested combinations of Autoconf and PostgreSQL versions. You can remove the version check if you really want to use a different Autoconf version, but it's your responsibility whether the result works or not.