E.295. Release 7.3.21
Release date: 2008-01-07
This release contains a variety of fixes from 7.3.20, including fixes for significant security issues.
This is expected to be the last PostgreSQL release in the 7.3.X series. Users are encouraged to update to a newer release branch soon.
E.295.1. Migration to Version 7.3.21
A dump/restore is not required for those running 7.3.X. However, if you are upgrading from a version earlier than 7.3.13, see Section E.303 .
E.295.2. Changes
-
Prevent functions in indexes from executing with the privileges of the user running
VACUUM
,ANALYZE
, etc (Tom)Functions used in index expressions and partial-index predicates are evaluated whenever a new table entry is made. It has long been understood that this poses a risk of trojan-horse code execution if one modifies a table owned by an untrustworthy user. (Note that triggers, defaults, check constraints, etc. pose the same type of risk.) But functions in indexes pose extra danger because they will be executed by routine maintenance operations such as
VACUUM FULL
, which are commonly performed automatically under a superuser account. For example, a nefarious user can execute code with superuser privileges by setting up a trojan-horse index definition and waiting for the next routine vacuum. The fix arranges for standard maintenance operations (includingVACUUM
,ANALYZE
,REINDEX
, andCLUSTER
) to execute as the table owner rather than the calling user, using the same privilege-switching mechanism already used forSECURITY DEFINER
functions. To prevent bypassing this security measure, execution ofSET SESSION AUTHORIZATION
andSET ROLE
is now forbidden within aSECURITY DEFINER
context. (CVE-2007-6600) -
Require non-superusers who use
/contrib/dblink
to use only password authentication, as a security measure (Joe)The fix that appeared for this in 7.3.20 was incomplete, as it plugged the hole for only some
dblink
functions. (CVE-2007-6601, CVE-2007-3278) -
Fix potential crash in
translate()
when using a multibyte database encoding (Tom) -
Make
contrib/tablefunc
'scrosstab()
handle NULL rowid as a category in its own right, rather than crashing (Joe) -
Require a specific version of Autoconf to be used when re-generating the
configure
script (Peter)This affects developers and packagers only. The change was made to prevent accidental use of untested combinations of Autoconf and PostgreSQL versions. You can remove the version check if you really want to use a different Autoconf version, but it's your responsibility whether the result works or not.