In order to address a recent security report from iDefence, we have
released 3 new "point" releases: 7.2.6, 7.3.8 and 7.4.6

Although rated only a Medium risk, according to their web site: "A
vulnerability exists due to the insecure creation of temporary files,
which could possibly let a malicious user overwrite arbitrary files."

Also in these releases is a potential 'data loss' bug that was recently
identified:

* Repair possible failure to update hint bits on disk

Under rare circumstances this oversight could lead to "could not
access transaction status" failures, which qualifies it as a
potential-data-loss bug.

Although not yet available via Bittorrent, these releases are available
through ftp at all of the mirrors, and Devrim is currently working on RPMs
for the various releases, which should be available soon.

For a listing of all currently available FTP mirrors, please see:

http://www.postgresql.org/mirrors-ftp.html


----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: scrappy (AT) hub (DOT) org Yahoo!: yscrappy ICQ: 7615664

---------------------------(end of broadcast)---------------------------
TIP 2: you can get off all lists at once with the unregister command
(send "unregister YourEmailAddressHere" to majordomo (AT) postgresql (DOT) org)

Marc G. Fournier wrote:
Assuming you're referring to the make_oidjoins_check bug, I don't think
it is accurate to bill these as "security releases". As the 7.4.6
release notes plainly state:

---
# Avoid using temp files in /tmp in make_oidjoins_check

This has been reported as a security issue, though it's hardly worthy of
concern since there is no reason for non-developers to use this script
anyway.
---

That said, the fix for the clog bug is reason enough to make the point
releases, and reason enough for users to upgrade.

-Neil

---------------------------(end of broadcast)---------------------------
TIP 1: subscribe and unsubscribe commands go to majordomo (AT) postgresql (DOT) org

Neil Conway <neilc (AT) samurai (DOT) com> writes:
He's not. There were two other recent security reports, which core kept
to ourselves until the release could be made. The other issues were
only marginally more serious than make_oidjoins_check, but worth fixing
now given that the hint-bit bug was forcing a release anyway.

regards, tom lane

---------------------------(end of broadcast)---------------------------
TIP 9: the planner will ignore your desire to choose an index scan if your
joining column's datatypes do not match

On Mon, 2004-10-25 at 00:43, Tom Lane wrote:
Ah, ok -- fair enough. Are those additional security fixes mentioned in
the release notes?

-Neil



---------------------------(end of broadcast)---------------------------
TIP 6: Have you searched our list archives?

http://archives.postgresql.org

Neil Conway <neilc (AT) samurai (DOT) com> writes:
Yes, or at least the one that affected PG proper (pg_ctl as root).
The other was a bug in the RPM init script.

I just realized that Devrim wasn't in the loop on that, so he'll
probably have to rebuild the PGDG RPMs :-(

regards, tom lane

---------------------------(end of broadcast)---------------------------
TIP 7: don't forget to increase your free space map settings