Security Fixes for RLS, BRIN
----------------------------
This release closes security hole CVE-2016-2193
(https://access.redhat.com/security/cve/CVE-2016-2193), where a query plan
might get reused for more than one ROLE in the same session. This could cause
the wrong set of Row Level Security (RLS) policies to be used for the query.
The update also fixes CVE-2016-3065
(https://access.redhat.com/security/cve/CVE-2016-3065), a server crash bug
triggered by using `pageinspect` with BRIN index pages. Since an attacker
might be able to expose a few bytes of server memory, this crash is being
treated as a security issue.
Abbreviated Keys and Corrupt Indexes
------------------------------------
In this release, the PostgreSQL Project has been forced to disable 9.5's
Abbreviated Keys performance feature for many indexes due to reports of index
corruption. This may affect any B-tree indexes on TEXT, VARCHAR, and CHAR
columns which are not in "C" locale. Indexes in other locales will lose the
performance benefits of the feature, and should be REINDEXed in case of
existing index corruption. The feature may be re-enabled in future versions if
the project finds a solution for the problem. See the release notes, and the
wiki page on this issue for more information:
http://wiki.postgresql.org/abbreviatedkeys_issue
URL: http://www.postgresql.org/about/news/1656/
URL: http://wiki.postgresql.org/abbreviatedkeys_issue
Security: CVE-2016-2193
Security: CVE-2016-3065
Security Fixes for Regular Expressions, PL/Java
This release closes security hole CVE-2016-0773, an issue with regular
expression (regex) parsing. Prior code allowed users to pass in expressions
which included out-of-range Unicode characters, triggering a backend crash.
This issue is critical for PostgreSQL systems with untrusted users or which
generate regexes based on user input.
The update also fixes CVE-2016-0766, a privilege escalation issue for users of
PL/Java. Certain custom configuration settings (GUCS) for PL/Java will now be
modifiable only by the database superuser
URL: http://www.postgresql.org/about/news/1644/
Security: CVE-2016-0773, CVE-2016-0766
pg_upgrade. Other where added in 9.5, but the port failed to install them.
Make sure they are properly installed by the correct port (-client or -server) [1]
Remove unused and hence confusing OSSP_UUID parameters from Makefile [2]
Add options to allow user to be set for the backup script in periodic.
Add this option only to 9.5 for now. It will be updated to other servers at
next regular patch release. [3]
The path to perl in hard coded into pgxs/src/Makefile.global which is
then installed. Hence, we must depend on perl when that file is installed.
Noticed by: Paul Guyot [1]
PR: 192387 [2]
PR: 172110 [3]
PR: 206046 [4]
