From: Tom Lane Date: Sun, 21 May 2006 21:50:14 +0000 (+0000) Subject: Update release notes for upcoming releases. X-Git-Tag: REL7_3_15~1 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=78e237e1e378b24dad13b36d84e37eb10f64b6a7;p=postgresql Update release notes for upcoming releases. --- diff --git a/doc/src/sgml/release.sgml b/doc/src/sgml/release.sgml index 2ce52f6276..bbd4605f81 100644 --- a/doc/src/sgml/release.sgml +++ b/doc/src/sgml/release.sgml 
@@ -1,9 +1,101 @@ Release Notes + + + Release 7.3.15 + + + Release date + 2006-05-23 + + + + This release contains a variety of fixes from 7.3.14, + including patches for extremely serious security issues. + + + + Migration to version 7.3.15 + + + A dump/restore is not required for those running 7.3.X. However, + if you are upgrading from a version earlier than 7.3.13, see the release + notes for 7.3.13. + + + + Full security against the SQL-injection attacks described in + CVE-2006-2313 and CVE-2006-2314 may require changes in application + code. If you have applications that embed untrustworthy strings + into SQL commands, you should examine them as soon as possible to + ensure that they are using recommended escaping techniques. In + most cases, applications should be using subroutines provided by + libraries or drivers (such as libpq's + PQescapeStringConn()) to perform string escaping, + rather than relying on ad hoc code to do it. + + + + + Changes + + +Change the server to reject invalidly-encoded multibyte +characters in all cases (Tatsuo, Tom) +While PostgreSQL has been moving in this direction for +some time, the checks are now applied uniformly to all encodings and all +textual input, and are now always errors not merely warnings. This change +defends against SQL-injection attacks of the type described in CVE-2006-2313. + + +Reject unsafe uses of \' in string literals +As a server-side defense against SQL-injection attacks of the type +described in CVE-2006-2314, the server now only accepts '' and not +\' as a representation of ASCII single quote in SQL string +literals. By default, \' is rejected only when +client_encoding is set to a client-only encoding (SJIS, BIG5, GBK, +GB18030, or UHC), which is the scenario in which SQL injection is possible. +A new configuration parameter backslash_quote is available to +adjust this behavior when needed. 
Note that full security against +CVE-2006-2314 may require client-side changes; the purpose of +backslash_quote is in part to make it obvious that insecure +clients are insecure. + + +Modify libpq's string-escaping routines to be +aware of encoding considerations +This fixes libpq-using applications for the security +issues described in CVE-2006-2313 and CVE-2006-2314. +Applications that use multiple PostgreSQL connections +concurrently should migrate to PQescapeStringConn() and +PQescapeByteaConn() to ensure that escaping is done correctly +for the settings in use in each database connection. Applications that +do string escaping by hand should be modified to rely on library +routines instead. + + +Fix some incorrect encoding conversion functions +win1251_to_iso, alt_to_iso, +euc_tw_to_big5, euc_tw_to_mic, +mic_to_euc_tw were all broken to varying +extents. + + +Clean up stray remaining uses of \' in strings +(Bruce, Jan) + +Fix server to use custom DH SSL parameters correctly (Michael +Fuhr) + +Fix various minor memory leaks + + + + Release 7.3.14
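Review bot: the "Reject unsafe uses of \'" entry introduces the backslash_quote parameter without stating its default or its allowed settings, so a reader cannot tell from this note what "adjust this behavior when needed" means or which setting the described default behaviour (rejecting \' only under SJIS, BIG5, GBK, GB18030 or UHC) corresponds to; name the default and the accepted values here, or link the entry to the parameter's own documentation. In the same spirit, the libpq entry tells applications to migrate to PQescapeStringConn() and PQescapeByteaConn() but does not say whether these functions are new in 7.3.15 or already existed, which application authors need to know to decide which libpq they must build against; a sentence such as "PQescapeStringConn() and PQescapeByteaConn() are new in this release" (if that is the case) would close the gap, and the migration section, which only says "may require changes in application code", should then point at them as well. Finally, since the CVE-2006-2313 entry says invalid multibyte input is now always an error rather than a warning for all encodings, the Migration section should warn that existing dumps or data loads containing invalidly encoded bytes will be rejected after the upgrade, as that is the most likely operational surprise of this release.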