E.258. Release 8.0.15

Prevent functions in indexes from executing with the privileges of the user running VACUUM , ANALYZE , etc (Tom)

Functions used in index expressions and partial-index predicates are evaluated whenever a new table entry is made. It has long been understood that this poses a risk of trojan-horse code execution if one modifies a table owned by an untrustworthy user. (Note that triggers, defaults, check constraints, etc. pose the same type of risk.) But functions in indexes pose extra danger because they will be executed by routine maintenance operations such as VACUUM FULL , which are commonly performed automatically under a superuser account. For example, a nefarious user can execute code with superuser privileges by setting up a trojan-horse index definition and waiting for the next routine vacuum. The fix arranges for standard maintenance operations (including VACUUM , ANALYZE , REINDEX , and CLUSTER ) to execute as the table owner rather than the calling user, using the same privilege-switching mechanism already used for SECURITY DEFINER functions. To prevent bypassing this security measure, execution of SET SESSION AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context. (CVE-2007-6600)

Repair assorted bugs in the regular-expression package (Tom, Will Drewry)

Suitably crafted regular-expression patterns could cause crashes, infinite or near-infinite looping, and/or massive memory consumption, all of which pose denial-of-service hazards for applications that accept regex search patterns from untrustworthy sources. (CVE-2007-4769, CVE-2007-4772, CVE-2007-6067)

Require non-superusers who use /contrib/dblink to use only password authentication, as a security measure (Joe)

The fix that appeared for this in 8.0.14 was incomplete, as it plugged the hole for only some dblink functions. (CVE-2007-6601, CVE-2007-3278)

Update time zone data files to tzdata release 2007k (in particular, recent Argentina changes) (Tom)

Fix planner failure in some cases of WHERE false AND var IN (SELECT ...) (Tom)

Preserve the tablespace of indexes that are rebuilt by ALTER TABLE ... ALTER COLUMN TYPE (Tom)

Make archive recovery always start a new WAL timeline, rather than only when a recovery stop time was used (Simon)

This avoids a corner-case risk of trying to overwrite an existing archived copy of the last WAL segment, and seems simpler and cleaner than the original definition.

Make VACUUM not use all of maintenance_work_mem when the table is too small for it to be useful (Alvaro)

Fix potential crash in translate() when using a multibyte database encoding (Tom)

Fix PL/Perl to cope when platform's Perl defines type bool as int rather than char (Tom)

While this could theoretically happen anywhere, no standard build of Perl did things this way ... until macOS 10.5.

Fix PL/Python to not crash on long exception messages (Alvaro)

Fix pg_dump to correctly handle inheritance child tables that have default expressions different from their parent's (Tom)

ecpg parser fixes (Michael)

Make contrib/tablefunc 's crosstab() handle NULL rowid as a category in its own right, rather than crashing (Joe)

Fix tsvector and tsquery output routines to escape backslashes correctly (Teodor, Bruce)

Fix crash of to_tsvector() on huge input strings (Teodor)

Require a specific version of Autoconf to be used when re-generating the configure script (Peter)

This affects developers and packagers only. The change was made to prevent accidental use of untested combinations of Autoconf and PostgreSQL versions. You can remove the version check if you really want to use a different Autoconf version, but it's your responsibility whether the result works or not.