A major security issue fixed in this release, CVE-2013-1899, makes it possible for a connection request containing a database name that begins with "-" to be crafted that can damage or destroy files within a server's data directory. Anyone with access to the port the PostgreSQL server listens on can initiate this request.
Two lesser security fixes are also included in this release: CVE-2013-1900, wherein random numbers generated by contrib/pgcrypto functions may be easy for another database user to guess, and CVE-2013-1901, which mistakenly allows an unprivileged user to run commands that could interfere with in-progress backups. Finally, this release fixes two security issues with the graphical installers for Linux and Mac OS X: insecure passing of superuser passwords to a script (CVE-2013-1903) and the use of predictable filenames in /tmp (CVE-2013-1902).
This release contains one major and a number of minor security fixes. It fixes a possible vulnerability to a denial-of-service attack by use of a carefully-crafted set of hash keys, a segmentation fault when reading or writing strings greater than 2^31 bytes in size, and a memory leak in Encode.xs's UTF-8 encoding implementation.
* There was a mistake in patches/patch-lib_functions.php, dropping the "ssha"
password type.
2012-10-01 Release 1.2.3 master RELEASE-1.2.3
2012-10-01 Update template to show multiselect values
2012-09-06 Language update from launchpad for 1.2.3 (also see #30)
2012-09-05 SF Bug #3531956 - Search / Show Attributes must be lowercase
2012-09-05 SF Bug #3518548 - Missing attributes on some custom forms
2012-09-05 SF Bug #3513210 - Export to VCARD only exports the last entry in the list
2012-09-05 SF Bug #3510648 - Cannot copy between servers
2012-09-05 SF Bug #3510114 - Unable to check passwords when samba hashes are in lowercase
2012-09-05 SF Bug #3452416 - templates <order> non-functional
2012-09-05 SF Bug #3427748 - value id is ignored in select attribute
2012-09-04 SF Bug #3448530 - Treat krbExtraData and krbPrincipalKe as binary
2012-09-02 SF Bug #3497660 - XSS flaws via 'export', 'add_value_form' and 'dn' variables
2012-09-02 SF Bug #3426575 - clicking 'logout' does not unset _SESSION['ACTIVITY']
2012-09-01 SF Feature #3555472 - User-friendly items in entry chooser window.
2012-09-01 SF Feature #3509651 - Add support for SHA512 with OpenLDAP
2012-08-29 SF Patch #3469148 - Display mass edit actions as buttons
2012-01-24 SF Bug #3477910 - XSS vulnerability in query
Changes from previous:
----------------------
0.002103 2012-12-23 17:42:36 CST6CDT
- Lazily load deps for autotable
- Remove HERE BE DRAGONS warning, this module is totally stable \o/
0.002102 2012-11-17 15:43:18 CST6CDT
- Put MetaYAML back in dist
* Fix for a bug in the ORDER BY optimizer that was introduced in version 3.7.15 which would sometimes optimize out the sorting step when in fact the sort was required. Ticket a179fe7465
* Fix a long-standing bug in the CAST expression that would recognize UTF16 characters as digits even if their most-significant-byte was not zero. Ticket 689137afb6da41.
* Fix a bug in the NEAR operator of FTS3 when applied to subfields. Ticket 38b1ae018f.
* Fix a long-standing bug in the storage engine that would (very rarely) cause a spurious report of an SQLITE_CORRUPT error but which was otherwise harmless. Ticket 6bfb98dfc0c.
* The SQLITE_OMIT_MERGE_SORT option has been removed. The merge sorter is now a required component of SQLite.
* Fixed lots of spelling errors in the source-code comments
- PEAR::isError() -> MDB2::isError(), Bug #19491.
- PEAR::loadExtension() -> extension_loaded(), Bug #19583.
- Fix Bug #19262. Updates conditional statements to use logical operators to
include MDB2_FETCHMODE_OBJECT where appropriate. Was broken in r321197.
- Fixed createIndex not using quoteIdentifier in SQLite driver
- Have dropTable() return MDB2_OK on success, as documented (bug 19199)
- Have dropIndex() return MDB2_OK on success, as documented (bug 19198)
- Have vacuum() return MDB2_OK on success, as documented (bug 19196)
- Have createIndex() return MDB2_OK on success, as documented (bug 19195)
- Have dropConstraint() return MDB2_OK on success, as documented (bug 19194)
- Have createConstraint() return MDB2_OK on success, as documented (bug 19193)
- Have dropSequence() return MDB2_OK on success, as documented (bug 19191).
- FETCHMODE constants are NOT bitwise.
- fixed bug #18203: Type introspection breaks with associative arrays if names
are identical (patch by Peter Bex)
- request #18316: Add TINYINT to list of coltypes in
MDB2_Driver_Reverse_sqlite [brotherli]
- fixed bug #16275: split() is deprecated in PHP 5.3
Changelog:
- Remove assignment by reference, Bug #19585.
- PEAR::isError() -> MDB2::isError(), Bug #19491.
- PEAR::loadExtension() -> extension_loaded(), Bug #19583.
- Fixed boolean type conversion for non-boolean types
- Fix Bug #19262. Updates conditional statements to use logical operators to
include MDB2_FETCHMODE_OBJECT where appropriate. Was broken in r321197.
- Request #12931 Add cascading to dropTable?
- Have truncateTable() return MDB2_OK on success, as documented (bug 19201)
- Have vacuum() return MDB2_OK on success, as documented (bug 19196)
- Have dropConstraint() return MDB2_OK on success, as documented (bug 19194)
- Have createSequence() return MDB2_OK on success, as documented (bug 19192)
- Have dropSequence() return MDB2_OK on success, as documented (bug 19191).
- Make setOption('result_wrap_class') actually useful by changing the default
value of $result_wrap_class parameters from false to true.
- Have pgsql only read LOB from file if lob_allow_url_include (bringing it in
line with other drivers).
- FETCHMODE constants are NOT bitwise.
- fixed bug #18203: Type introspection breaks with associative arrays if names
are identical (patch by Peter Bex)
- fixed bug #17890: Improper use of array_search in prepare function
[fletcherj]
open todo items:
- enable pg_execute() once issues with bytea column are resolved
- use pg_result_error_field() to handle localized error messages (Request
#7059)
- add option to use unnamed prepared statements (see
http://www.postgresql.org/docs/current/static/protocol-flow.html
"Extended Query")
Changelog:
- Make varchar_max_length property public, Bug #19582.
- Revert 327099 by afz, caused "Notice: Undefined index: charset on line 1003"
- PEAR::isError() -> MDB2::isError(), Bug #19491.
- PEAR::loadExtension() -> extension_loaded(), Bug #19583.
- The maximum VARCHAR length is 65535 bytes, but with a multi-byte (UTF-8) charset it is 21844 characters, because a UTF-8 character can take 3 bytes
- Fix Bug #19262. Updates conditional statements to use logical operators to
include MDB2_FETCHMODE_OBJECT where appropriate. Was broken in r321197.
- Have truncateTable() return MDB2_OK on success, as documented (bug 19201)
- Have alterTable() return MDB2_OK on success, as documented (bug 19200)
- Have dropIndex() return MDB2_OK on success, as documented (bug 19198)
- Have vacuum() return MDB2_OK on success, as documented (bug 19196)
- Have createIndex() return MDB2_OK on success, as documented (bug 19195)
- Have dropConstraint() return MDB2_OK on success, as documented (bug 19194)
- Have dropSequence() return MDB2_OK on success, as documented (bug 19191).
- Make setOption('result_wrap_class') actually useful by changing the default
value of $result_wrap_class parameters from false to true.
- Obtain error information in _doQuery() because standaloneQuery() throws off
$this->connection.
- FETCHMODE constants are NOT bitwise.
- Make $sql_comments public (was before, used in tests, no real harm).
- Property visibility
- boolean data type
- fixed bug #17984: Error is not reported when mysqli_stmt_bind_param() fails
[dennylin93]
- fixed bug #18057: Result of getDeclaration() can have invalid syntax
[hschletz]
- request #18068: mapNativeDatatype() returns decimal places also for 'float'
mdb2type
- fixed bug #18203: Type introspection breaks with associative arrays if names
are identical (patch by Peter Bex)
- fixed bug #17892: removed debug message [pdt256]
- fixed bug #17984: Error is not reported when mysqli_stmt_bind_param() fails
[dennylin93]
- fixed bug #18057: Result of getDeclaration() can have invalid syntax
[hschletz]
- request #18068: mapNativeDatatype() returns decimal places also for 'float'
mdb2type
open todo items:
- use a trigger to emulate setting default now()
Changelog:
- Make varchar_max_length property public, Bug #19582.
- Revert 327099 by afz, caused "Notice: Undefined index: charset on line 1003"
- PEAR::isError() -> MDB2::isError(), Bug #19491.
- PEAR::loadExtension() -> extension_loaded(), Bug #19583.
- The maximum VARCHAR length is 65535 bytes, but with a multi-byte (UTF-8) charset it is 21844 characters,
because a UTF-8 character can take 3 bytes
- Fix Bug #19262. Updates conditional statements to use logical operators to
include MDB2_FETCHMODE_OBJECT where appropriate. Was broken in r321197.
- Have truncateTable() return MDB2_OK on success, as documented (bug 19201)
- Have alterTable() return MDB2_OK on success, as documented (bug 19200)
- Have dropIndex() return MDB2_OK on success, as documented (bug 19198)
- Have vacuum() return MDB2_OK on success, as documented (bug 19196)
- Have createIndex() return MDB2_OK on success, as documented (bug 19195)
- Have dropConstraint() return MDB2_OK on success, as documented (bug 19194)
- Have dropSequence() return MDB2_OK on success, as documented (bug 19191).
- Make setOption('result_wrap_class') actually useful by changing the default
value of $result_wrap_class parameters from false to true.
- Obtain error information in _doQuery() because standaloneQuery() throws off
$this->connection.
- FETCHMODE constants are NOT bitwise.
- Make $sql_comments public (was before, used in tests, no real harm).
- Property visibility
- boolean data type
- fixed bug #17984: Error is not reported when mysqli_stmt_bind_param() fails
[dennylin93]
- fixed bug #18057: Result of getDeclaration() can have invalid syntax
[hschletz]
- request #18068: mapNativeDatatype() returns decimal places also for 'float'
mdb2type
- fixed bug #18203: Type introspection breaks with associative arrays if names
are identical (patch by Peter Bex)
- fixed bug #17892: removed debug message [pdt256]
- fixed bug #18057: Result of getDeclaration() can have invalid syntax
[hschletz]
- request #18068: mapNativeDatatype() returns decimal places also for 'float'
mdb2type
open todo items:
- use a trigger to emulate setting default now()
shared-mime-info 1.1 (2012-02-13)
* Mime-type changes:
- Add application/x-ccmx
- Add zz-application/zz-winassoc-* aliases
- Make application/x-xz-compressed-tar a subclass of application/x-xz
- Add DTS and DTS-HD mime-types
- Add test for PPM bug
- Fix comment and add glob for application/pkcs7-mime
- Add application/x-qtiplot mime-type
- Add AMZ (AmazonMP3 Download File) mime-type
- Add separate mime-type for Apple broken PNGs
- Add *.mk and *.mak text/x-makefile globs
- Match application/vnd.palm to IANA standard
- Use IANA registered application/gzip instead of x-gzip
- Add application/gml+xml
- Fix Scream Tracker instrument magic
- Add application/x-gtk-builder type
- Add magic for v1 and v2 XCF files
- Add LZMA test file
- Fix some globs for OGG files
- Move *.taz from application/x-compressed-tar to application/x-tarz
- Add some sub-class-of tags for compressed files
- Add *.tb2 as a glob for application/x-bzip-compressed-tar
- Add support for DOS EPS files
- Add *.ar archives to the test suite
- Add xlr mime-type
- Add application/vnd.lotus-wordpro
- Put bz2 patterns before bz ones for bzip-related mimetypes
- Add simple magic for text/x-gettext-translation-template
- Add test case for application/x-gettext-translation
- Add mime-type for source RPMs
- Add AMR audio test
- Add test case for TTF fonts
- Add Woff font mime-type
- Add FLTK acronym
- Add application/ics as an alias for text/calendar
- Add RAR acronym
- Add dicomdir glob
- Add *.di as a glob for D source files
- Add magic for MNG animations
- Add magic for PICT v2 images
- Add JNLP file to the test suite
- Add support for the AVF AVI container variant
- Add EMF and WMF aliases
- Improve magic of uncompressed TGA files
- Add application/winhlp
- Add text/x-uuencode
- Add MHTML mime-type
- Make the main docbook mime-type be application/x-docbook+xml
- Add application/x-lzh-compressed as alias to application/x-lha
- Add IFF super-type
- Split off the AAC mime-type from the M4A one
- Add text/x-modelica mime-type
- Add magic for GNU gettext message catalogs (.mo)
* Specification changes:
- Fix mimetype names used as examples
- Document that the first extension is the main one
- Fix missing plural
* Honor NOCONFIGURE=1
* Allow builders to not run make check by default
* Fix build for platforms with executable extensions
* Disable checks when cross compiling
* Use non-installed update-mime-database in install-data-hook
* Use native update-mime-database for install when cross compiling
* Add a local-test target to print mime info
Add a patch from upstream to avoid segfaulting on null PQ options.
- 0.45 | 2013-03-10
- support for "make installcheck"
This does "make check" at its core, so the same env vars apply.
Obviously, you should do "make install" first for sane results.
- bootstrap tools upgraded
- GNU Autoconf 2.69
- GNU Automake 1.13.1
- Guile-BAUX 20121120.1242.e233fad
- SNUGGLE 0.2
- GNU Texinfo 5.0
=== 3.45.0 (2013-03-01)
* Remove bad model typecasting of money type on PostgreSQL (jeremyevans) (#624)
* Use simplecov instead of rcov for coverage testing on 1.9+ (jeremyevans)
* Make the Database#quote_identifier method public (jeremyevans)
* Make PostgreSQL metadata parsing handle tables with the same name in
multiple schemas (jeremyevans)
* Switch query extension to use a proxy instead of Object#extend (chanks,
jeremyevans)
* Remove Dataset#def_mutiation_method instance method (jeremyevans)
* Make foreign key parsing on MySQL not pick up foreign keys in other
databases (jeremyevans)
* Allow per-instance overrides of Postgres.force_standard_strings and
.client_min_messages (jeremyevans) (#618)
* Add Sequel.tzinfo_disambiguator= to the named_timezones plugin for
automatically handling TZInfo::AmbiguousTime exceptions (jeremyevans) (#616)
* Add Dataset#escape_like, for escaping LIKE metacharacters (jeremyevans)
(#614)
* The LIKE operators now use an explicit ESCAPE '\' clause for similar
behavior across databases (jeremyevans)
* Make Database#tables and #views accept a :qualify option on PostgreSQL to
return qualified identifiers (jeremyevans)
* Make json_serializer and xml_serializer plugins secure by default
(jeremyevans)
* Address JSON.parse vulnerabilities (jeremyevans)
* Fix Dataset#from_self! to no longer create a self-referential dataset
(jeremyevans)
* Use SQLSTATE or database error codes if available instead of regexp parsing
for more specific DatabaseErrors (jeremyevans)
* Add unlimited_update plugin to work around MySQL warning in replicated
environments (jeremyevans)
* Add the :retry_on and :num_retries transaction options for automatically
retrying transactions (jeremyevans)
* Raise serialization failures/deadlocks as Sequel::SerializationFailure
exceptions (jeremyevans)
* Support transaction isolation levels on Oracle and DB2 (jeremyevans)
* Support transaction isolation levels when using the JDBC transaction support
(jeremyevans)
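As an added illustration of the Dataset#escape_like and explicit ESCAPE '\' entries above (this is example code written for this page, not Sequel's own implementation), the Ruby below escapes the LIKE metacharacters %, _ and the escape character itself, renders the LIKE with an explicit ESCAPE '\' clause, and shows on constructed sample rows why the escape matters: an unescaped "%" or "_" from a user matches every row. The like_match? helper is a hypothetical reference implementation of LIKE semantics used only for the demonstration, and the SQL rendering assumes backslashes are not special inside the string literal (as with PostgreSQL's standard_conforming_strings on).

```ruby
# Added example, not Sequel's code: literal matching of user input under LIKE.

ESCAPE_CHAR = '\\'  # a single backslash, matching the explicit ESCAPE '\' clause

# Escape the LIKE metacharacters %, _ and the escape character itself.
# A block is used so the backslash is not reinterpreted as a gsub back-reference.
def escape_like(text)
  text.gsub(/[\\%_]/) { |m| ESCAPE_CHAR + m }
end

# Pattern that finds the literal text anywhere in the column value.
def contains_pattern(text)
  "%#{escape_like(text)}%"
end

# Render the LIKE expression with an explicit ESCAPE clause. Only single quotes
# are doubled; the backslash is assumed to be an ordinary character in the
# string literal (assumption stated in the lead-in).
def like_sql(column, pattern)
  "#{column} LIKE '#{pattern.gsub("'", "''")}' ESCAPE '\\'"
end

# Hypothetical reference matcher implementing LIKE with an escape character,
# used here only to show the effect of escaping on sample rows.
def like_match?(value, pattern, esc = ESCAPE_CHAR)
  regex = +''
  i = 0
  while i < pattern.length
    c = pattern[i]
    if c == esc && i + 1 < pattern.length
      regex << Regexp.escape(pattern[i + 1])  # escaped char is literal
      i += 2
      next
    end
    regex << case c
             when '%' then '.*'   # any sequence of characters
             when '_' then '.'    # exactly one character
             else Regexp.escape(c)
             end
    i += 1
  end
  Regexp.new("\\A#{regex}\\z", Regexp::MULTILINE).match?(value)
end

# Constructed sample rows (not real data).
SAMPLE_NAMES = ['alice', 'bob_smith', '100%_done', 'a\\b'].freeze

# Rows a "contains" search would return for the given user input, with and
# without escaping.
def rows_matching(user_input, escaped: true)
  pattern = escaped ? contains_pattern(user_input) : "%#{user_input}%"
  SAMPLE_NAMES.select { |n| like_match?(n, pattern) }
end

if __FILE__ == $PROGRAM_NAME
  puts like_sql('name', contains_pattern("o'brien_"))
  p rows_matching('%', escaped: false)  # every row
  p rows_matching('%', escaped: true)   # only the row containing a literal %
end
```

The unescaped case is the one a search form exposes: a user typing "%" or "_" turns a "contains" filter into a "match everything" filter, which is a data-exposure problem even though no SQL syntax is injected. Escaping the escape character itself is what keeps a trailing or doubled backslash in the input from swallowing the next metacharacter.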
Changes in 1.2.1:
* Fixed CVE-2012-5641: Apache CouchDB Information disclosure via unescaped
backslashes in URLs on Windows
* Fixed CVE-2012-5649: Apache CouchDB JSONP arbitrary code execution with Adobe
Flash
* Fixed CVE-2012-5650: Apache CouchDB DOM based Cross-Site Scripting via Futon
UI
* Fix various bugs in the URL rewriter when recursion is involved.
* Fix couchdb start script.
* Futon: Disable buttons that aren't available for the logged-in user.
* Fix potential replication timeouts.
* Change use of signals to avoid broken view groups.
This extension provides an ODBC v3 driver for PDO. It supports unixODBC
and IBM DB2 libraries, and will support more in future releases.
In pkgsrc we only support unixODBC currently.
* Take MAINTAINERship, ok by schmonz@.
* Libtoolized.
* Fix typo in variable name.
* Set LICENSE as public-domain.
Changelog:
tinycdb-0.78 2012-05-11
- bugfix release:
o fixed >2Gb file size problem on 32bit platform
o fixed handling of files >=4Gb
o fixed a few compiler warnings
- introduce $(LD) and $(LDFLAGS), and also $(CDEFS) in Makefile