Er zijn updates verschenen van PostgreSQL uit de 9.4-, 9.3-, 9.2-, 9.1- en 9.0-serie. Dit populaire 'opensource relational database management system' draait op een groot aantal besturingssystemen en is daardoor uitstekend inzetbaar in diverse omgevingen. Het is een afgeleide van Ingres, nadat de hoofdontwikkelaar daarvan voor zichzelf is begonnen en deze database van opensource closedsource werd. De release notes voor deze bugfix-uitgave kunnen hieronder worden gevonden.
This update fixes multiple security issues reported in PostgreSQL over the past few months. All of these issues require prior authentication, and some require additional conditions, and as such are not considered generally urgent. However, users should examine the list of security holes patched below in case they are particularly vulnerable.
This update also fixes the previously reported problem that, during regression testing on Windows, the test postmaster process was vulnerable to unauthorized connections. This vulnerability was fixed on non-Windows platforms in the prior update releases.
- CVE-2015-0241 Buffer overruns in "to_char" functions.
- CVE-2015-0242 Buffer overrun in replacement printf family of functions.
- CVE-2015-0243 Memory errors in functions in the pgcrypto extension.
- CVE-2015-0244 An error in extended protocol message reading.
- CVE-2014-8161 Constraint violation errors can cause display of values in columns which the user would not normally have rights to see.
More information about these issues, as well as older patched issues, is available on the PostgreSQL Security Page.
JSON and JSONB Unicode Escapes
The handling of Unicode escape strings for JSON and JSONB in PostgreSQL 9.4.0 has been changed in a way which may break compatibility for some users. To fix some inconsistencies, type JSONB no longer accepts the escape sequence "\u0000". Type JSON accepts "\u0000" only in contexts where it does not need to be converted to de-escaped form. See the release notes for more detail.
Other Fixes and Improvements
In addition to the above, more than 60 reported issues have been fixed in this cumulative update release. Some of them affect only version 9.4, but many of them fix problems present in older versions. These fixes include:
In addition to the fixes above, the following contrib modules and extensions have had bugs fixed in this release: pg_upgrade, auto_explain, hstore, pageinspect, pgcrypto, pg_test_fsync, tablefunc, and xml2. Also, multiple functions across several contrib modules have been modified with the correct level of volatility. There are also multiple cleanup fixes based on minor issues found by the Coverity Scan static analyzer.
- Cope with the non-ASCII Norwegian Windows locale name.
- Avoid data corruption when databases are moved to new tablespaces and back again.
- Ensure that UNLOGGED tables are correctly copied during ALTER DATABASE operations.
- Avoid deadlocks when locking recently modified rows.
- Fix two SELECT FOR UPDATE query issues.
- Prevent false negative for shortest-first regular expression matches.
- Fix false positives and negatives in tsquery contains operator.
- Fix namespace handling in xpath().
- Prevent row-producing functions from creating empty column names.
- Make autovacuum use per-table cost_limit and cost_delay settings.
- When autovacuum=off, limit autovacuum work to wraparound prevention only.
- Multiple fixes for logical decoding in 9.4.
- Fix transient errors on hot standby queries due to page replacement.
- Prevent duplicate WAL file archiving at end of recovery or standby promotion.
- Prevent deadlock in parallel restore of schema-only dump.
This update also contains many changes to PostgreSQL's timezone files. This includes an update to tzdata release 2015a, with updates to Chile, Mexico, Caicos Islands, and Fiji. PostgreSQL now takes date into account when assigning an offset based on a timezone abbreviation for historically changeable timezones. We have also done a general cleanup on timezone abbreviations, and added "CST" as an abbreviation for China Standard Time.