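  The PostgreSQL Global Development Group today released security updates for all supported branches: 9.1.4, 9.0.8, 8.4.12 and 8.3.19. If you use the crypt(text, text) function in the pgcrypto module for DES encryption, you should update to the latest version immediately. The bugs fixed in the 9.1 release include: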

  Fix citext upgrade script for collations of citext arrays and domains over citext

  Fixes for timezone handling

  Fix text or char to name casts to perform string truncation correctly in multibyte encodings

  Fix memory copying bug in to_tsquery()

  Ensure txid_current() reports the correct epoch when executed in hot standby

  Fix planner’s handling of sub-SELECTs referencing variables coming from the nullable side of an outer join of the surrounding query

  Fix planning of UNION ALL subqueries with output columns that are not simple variables

  Fix slow session startup when pg_attribute is very large

  Ensure sequential scans check for query cancel reasonably often

  Show whole-row variables safely when printing views or rules

  Fix COPY FROM to properly handle null marker strings that correspond to invalid encoding

  Fix EXPLAIN VERBOSE for writable CTEs containing RETURNING clauses

  Fix PREPARE TRANSACTION to work correctly in the presence of advisory locks

  Fix bugs with temporary or transient tables used in extension scripts

  Ensure autovacuum worker processes perform stack depth checking properly

  Fix logging collector to not lose log coherency under high load

  Fix logging collector to ensure it will restart file rotation after receiving SIGHUP

  Fix WAL replay logic for GIN indexes to not fail if the index was subsequently dropped

  Avoid synchronous replication delay when committing a transaction that only modified temporary tables


  CVE-2012-2143: Fix incorrect password transformation in contrib/pgcrypto’s DES crypt() function

  CVE-2012-2655: Ignore SECURITY DEFINER and SET attributes for a procedural language’s call handler

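  This vulnerability can directly crash the server, and it affects all PostgreSQL versions. For a more detailed description of the vulnerability, see the release notes. Download: http://www.postgresql.org/download/ (Source: 红黑联盟)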
