diff --git a/doc/src/sgml/release.sgml b/doc/src/sgml/release.sgml index 5e49bbc5c76..e8e2bcdb9f2 100644 --- a/doc/src/sgml/release.sgml +++ b/doc/src/sgml/release.sgml 
@@ -1,9 +1,121 @@ Release Notes + + + Release 8.0.8 + + + Release date + 2006-05-23 + + + + This release contains a variety of fixes from 8.0.7, + including patches for extremely serious security issues. + + + + Migration to version 8.0.8 + + + A dump/restore is not required for those running 8.0.X. However, + if you are upgrading from a version earlier than 8.0.6, see the release + notes for 8.0.6. + + + + Full security against the SQL-injection attacks described in + CVE-2006-2313 and CVE-2006-2314 may require changes in application + code. If you have applications that embed untrustworthy strings + into SQL commands, you should examine them as soon as possible to + ensure that they are using recommended escaping techniques. In + most cases, applications should be using subroutines provided by + libraries or drivers (such as libpq's + PQescapeStringConn()) to perform string escaping, + rather than relying on ad hoc code to do it. + + + + + Changes + + +Change the server to reject invalidly-encoded multibyte +characters in all cases (Tatsuo, Tom) +While PostgreSQL has been moving in this direction for +some time, the checks are now applied uniformly to all encodings and all +textual input, and are now always errors not merely warnings. This change +defends against SQL-injection attacks of the type described in CVE-2006-2313. + + +Reject unsafe uses of \' in string literals +As a server-side defense against SQL-injection attacks of the type +described in CVE-2006-2314, the server now only accepts '' and not +\' as a representation of ASCII single quote in SQL string +literals. By default, \' is rejected only when +client_encoding is set to a client-only encoding (SJIS, BIG5, GBK, +GB18030, or UHC), which is the scenario in which SQL injection is possible. +A new configuration parameter backslash_quote is available to +adjust this behavior when needed. 
Note that full security against +CVE-2006-2314 may require client-side changes; the purpose of +backslash_quote is in part to make it obvious that insecure +clients are insecure. + + +Modify libpq's string-escaping routines to be +aware of encoding considerations and +standard_conforming_strings +This fixes libpq-using applications for the security +issues described in CVE-2006-2313 and CVE-2006-2314, and also future-proofs +them against the planned changeover to SQL-standard string literal syntax. +Applications that use multiple PostgreSQL connections +concurrently should migrate to PQescapeStringConn() and +PQescapeByteaConn() to ensure that escaping is done correctly +for the settings in use in each database connection. Applications that +do string escaping by hand should be modified to rely on library +routines instead. + + +Fix some incorrect encoding conversion functions +win1251_to_iso, alt_to_iso, +euc_tw_to_big5, euc_tw_to_mic, +mic_to_euc_tw were all broken to varying +extents. + + +Clean up stray remaining uses of \' in strings +(Bruce, Jan) + +Fix bug that sometimes caused OR'd index scans to +miss rows they should have returned + +Fix WAL replay for case where a btree index has been +truncated + +Fix SIMILAR TO for patterns involving +| (Tom) + +Fix SELECT INTO and CREATE TABLE AS to +create tables in the default tablespace, not the base directory (Kris +Jurka) + +Fix server to use custom DH SSL parameters correctly (Michael +Fuhr) + +Fix for Bonjour on Intel Macs (Ashley Clark) + +Fix various minor memory leaks + +Fix problem with password prompting on some Win32 systems +(Robert Kinberg) + + + + Release 8.0.7 
@@ -3045,6 +3157,111 @@ typedefs (Michael) + + + Release 7.4.13 + + + Release date + 2006-05-23 + + + + This release contains a variety of fixes from 7.4.12, + including patches for extremely serious security issues. + + + + Migration to version 7.4.13 + + + A dump/restore is not required for those running 7.4.X. However, + if you are upgrading from a version earlier than 7.4.11, see the release + notes for 7.4.11. + + + + Full security against the SQL-injection attacks described in + CVE-2006-2313 and CVE-2006-2314 may require changes in application + code. If you have applications that embed untrustworthy strings + into SQL commands, you should examine them as soon as possible to + ensure that they are using recommended escaping techniques. In + most cases, applications should be using subroutines provided by + libraries or drivers (such as libpq's + PQescapeStringConn()) to perform string escaping, + rather than relying on ad hoc code to do it. + + + + + Changes + + +Change the server to reject invalidly-encoded multibyte +characters in all cases (Tatsuo, Tom) +While PostgreSQL has been moving in this direction for +some time, the checks are now applied uniformly to all encodings and all +textual input, and are now always errors not merely warnings. This change +defends against SQL-injection attacks of the type described in CVE-2006-2313. + + +Reject unsafe uses of \' in string literals +As a server-side defense against SQL-injection attacks of the type +described in CVE-2006-2314, the server now only accepts '' and not +\' as a representation of ASCII single quote in SQL string +literals. By default, \' is rejected only when +client_encoding is set to a client-only encoding (SJIS, BIG5, GBK, +GB18030, or UHC), which is the scenario in which SQL injection is possible. +A new configuration parameter backslash_quote is available to +adjust this behavior when needed. 
Note that full security against +CVE-2006-2314 may require client-side changes; the purpose of +backslash_quote is in part to make it obvious that insecure +clients are insecure. + + +Modify libpq's string-escaping routines to be +aware of encoding considerations and +standard_conforming_strings +This fixes libpq-using applications for the security +issues described in CVE-2006-2313 and CVE-2006-2314, and also future-proofs +them against the planned changeover to SQL-standard string literal syntax. +Applications that use multiple PostgreSQL connections +concurrently should migrate to PQescapeStringConn() and +PQescapeByteaConn() to ensure that escaping is done correctly +for the settings in use in each database connection. Applications that +do string escaping by hand should be modified to rely on library +routines instead. + + +Fix some incorrect encoding conversion functions +win1251_to_iso, alt_to_iso, +euc_tw_to_big5, euc_tw_to_mic, +mic_to_euc_tw were all broken to varying +extents. + + +Clean up stray remaining uses of \' in strings +(Bruce, Jan) + +Fix bug that sometimes caused OR'd index scans to +miss rows they should have returned + +Fix WAL replay for case where a btree index has been +truncated + +Fix SIMILAR TO for patterns involving +| (Tom) + +Fix server to use custom DH SSL parameters correctly (Michael +Fuhr) + +Fix for Bonjour on Intel Macs (Ashley Clark) + +Fix various minor memory leaks + + + + Release 7.4.12 
@@ -5854,6 +6071,98 @@ DROP SCHEMA information_schema CASCADE; + + + Release 7.3.15 + + + Release date + 2006-05-23 + + + + This release contains a variety of fixes from 7.3.14, + including patches for extremely serious security issues. + + + + Migration to version 7.3.15 + + + A dump/restore is not required for those running 7.3.X. However, + if you are upgrading from a version earlier than 7.3.13, see the release + notes for 7.3.13. + + + + Full security against the SQL-injection attacks described in + CVE-2006-2313 and CVE-2006-2314 may require changes in application + code. If you have applications that embed untrustworthy strings + into SQL commands, you should examine them as soon as possible to + ensure that they are using recommended escaping techniques. In + most cases, applications should be using subroutines provided by + libraries or drivers (such as libpq's + PQescapeStringConn()) to perform string escaping, + rather than relying on ad hoc code to do it. + + + + + Changes + + +Change the server to reject invalidly-encoded multibyte +characters in all cases (Tatsuo, Tom) +While PostgreSQL has been moving in this direction for +some time, the checks are now applied uniformly to all encodings and all +textual input, and are now always errors not merely warnings. This change +defends against SQL-injection attacks of the type described in CVE-2006-2313. + + +Reject unsafe uses of \' in string literals +As a server-side defense against SQL-injection attacks of the type +described in CVE-2006-2314, the server now only accepts '' and not +\' as a representation of ASCII single quote in SQL string +literals. By default, \' is rejected only when +client_encoding is set to a client-only encoding (SJIS, BIG5, GBK, +GB18030, or UHC), which is the scenario in which SQL injection is possible. +A new configuration parameter backslash_quote is available to +adjust this behavior when needed. 
Note that full security against +CVE-2006-2314 may require client-side changes; the purpose of +backslash_quote is in part to make it obvious that insecure +clients are insecure. + + +Modify libpq's string-escaping routines to be +aware of encoding considerations +This fixes libpq-using applications for the security +issues described in CVE-2006-2313 and CVE-2006-2314. +Applications that use multiple PostgreSQL connections +concurrently should migrate to PQescapeStringConn() and +PQescapeByteaConn() to ensure that escaping is done correctly +for the settings in use in each database connection. Applications that +do string escaping by hand should be modified to rely on library +routines instead. + + +Fix some incorrect encoding conversion functions +win1251_to_iso, alt_to_iso, +euc_tw_to_big5, euc_tw_to_mic, +mic_to_euc_tw were all broken to varying +extents. + + +Clean up stray remaining uses of \' in strings +(Bruce, Jan) + +Fix server to use custom DH SSL parameters correctly (Michael +Fuhr) + +Fix various minor memory leaks + + + + Release 7.3.14
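Review bot: In the 8.0.8 hunk, the "Reject unsafe uses of \' in string literals" item contradicts itself: the first sentence says the server "now only accepts '' and not \'" as a representation of ASCII single quote, while the next sentence says that by default \' "is rejected only when client_encoding is set to a client-only encoding". Suggest rewording the first sentence to state the conditional behaviour, for example "the server can now reject \' as a representation of ASCII single quote in SQL string literals", and let the following sentence carry the default and the backslash_quote parameter. The same two sentences are repeated verbatim in the 7.4.13 and 7.3.15 hunks, so the fix should be applied to all three.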
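Review bot: In the 7.4.13 hunk, neither the migration paragraph nor the libpq item says whether PQescapeStringConn() and PQescapeByteaConn() are new in this release or already existed in 7.4; readers of a back-branch note who are told to "migrate to PQescapeStringConn()" need to know that updating libpq is a prerequisite if the function is new. Suggest adding a clause to the libpq item stating this explicitly (in whichever direction is true). Separately, attribution is inconsistent in the Changes list: "Fix some incorrect encoding conversion functions", "Fix bug that sometimes caused OR'd index scans to miss rows", "Fix WAL replay for case where a btree index has been truncated" and "Fix various minor memory leaks" carry no parenthesized credit while the neighbouring items do; either add the credits or drop them uniformly.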
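Review bot: In the 7.3.15 hunk, the libpq item reads only "aware of encoding considerations" and drops both the "and standard_conforming_strings" clause and the "future-proofs them against the planned changeover to SQL-standard string literal syntax" sentence that the 8.0.8 and 7.4.13 hunks carry; the OR'd index scan, WAL replay and SIMILAR TO items are likewise absent. If these were deliberately not back-patched to 7.3 that is fine, but please confirm the omissions are intentional rather than lines lost in copying, and if standard_conforming_strings does not exist in 7.3, a short sentence saying so in the libpq item would stop readers from concluding that the 7.3 fix for CVE-2006-2313 and CVE-2006-2314 is weaker than the 7.4 and 8.0 ones.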