SECURITY ISSUES
One security vulnerability has been closed by this release:
CVE-2018-1115: Too-permissive access control list on function pg_logfile_rotate()
Please see the "Updating" section below for post-update steps.
BUG FIXES AND IMPROVEMENTS
This update also fixes over 50 bugs reported in the last several months. Some of these issues affect only version 10, but many affect all supported versions.
These fixes include:
Fix incorrect volatility and parallel-safety markings on several built-in functions to ensure correct query planning optimizations
Several fixes for partitioning, including potential crashes as well as allowing TRUE and FALSE to be used as partition bounds
Fix where a new TOAST value could be assigned to a dead-but-not-yet-vacuumed TOAST OID, which would result in an error similar to "unexpected chunk number 0 (expected 1) for toast value nnnnn"
Fix "CREATE TABLE ... LIKE" with bigint identity columns on 32-bit platforms
Fix memory leak within the runtime of a query that repeatedly executes hash joins
Several crash fixes around queries using GROUPING SET
Avoid failure if a query-cancel or session-termination interrupt occurs while committing a prepared transaction
Reduce locking during autovacuum worker scheduling, which prevents loss of potential worker concurrency
Fix possible slow execution of REFRESH MATERIALIZED VIEW CONCURRENTLY
Several fixes around query plans that use "index-only" scans
Avoid deadlocks in concurrent CREATE INDEX CONCURRENTLY commands that are run under SERIALIZABLE or REPEATABLE READ transaction isolation
Several fixes for SP-GiST indexes, including one for collation-aware searches on text columns
Fixes related to counting the number of tuples in partial GiST, SP-GiST, and Bloom indexes
Several fixes for logical decoding and replication
Fix misquoting of values for list-valued GUC variables (e.g. local_preload_libraries, session_preload_libraries, shared_preload_libraries, temp_tablespaces) in dumps
Several fixes for pg_stat_activity
Several fixes for ecpg
Fix for pg_recvlogical to ensure compatibility with PostgreSQL versions released before 10
Several fixes for pg_rewind
1.22.2:
* Include the Negator when reverse engineering SQL for operators
* Fix the psql plugin command on OSX to work more reliably
* Prevent a crash in some situations where the database connection is lost and needs to be reset.
* Fix display of elapsed query time for queries running longer than 1 hour
1.22.1:
* Don't barf when connecting to Greenplum or Greenplum HAWQ
* Fix selection of conversion functions in the CREATE CONVERSION dialogue
* Properly quote type names in the Type dialogue, and ensure range information is displayed for existing types
Notable changes since 1.0.0:
- RSQLite has been rewritten (essentially from scratch) in C++ with
Rcpp.
- You can now use SQLite’s URL specification for databases.
- Queries, query parameters and table data are always converted to
UTF-8 before being sent to the database.
- New strategy for prepared queries. Create a prepared query with
dbSendQuery() or dbSendStatement() and bind values with dbBind().
- dbSendQuery(), dbGetQuery(), dbSendStatement() and dbExecute() also
support inline parameterised queries.
- Improve column type inference.
- dbFetch() uses the same row name strategy as dbReadTable().
- dbColumnInfo() will now return information even before you’ve
retrieved any data.
- New sqliteVersion() prints the header and library versions of
RSQLite.
- Deprecation warnings are given only once, with a clear reference to
the source.
- datasetsDb() now returns a read-only database, to avoid
modifications to the installed file.
- Values of class "integer64" are now supported for dbWriteTable() and
dbBind().
- New connections now automatically load default RSQLite extensions.
- Implement dbUnquoteIdentifier().
=== 5.8.0 (2018-05-01)
* Don't mark SQLAnywhere as supporting WITH in INSERT statement (jeremyevans)
* Support :search_path as a shard option on PostgreSQL (jeremyevans)
* Add Dataset#nowait for raising a Sequel::DatabaseLockTimeout when a locked row is encountered, supported on PostgreSQL, MySQL 8+, MSSQL, and Oracle (jeremyevans)
* Support Dataset#skip_locked on MySQL 8+ (jeremyevans)
* Make schema modification methods in the pg_enum extension work on a frozen Database object (jeremyevans)
* Support common table expressions and window functions on MySQL 8+ (jeremyevans)
* Ignore Dataset#explain :extended option on MySQL 5.7+, since extended output is then the MySQL default (jeremyevans)
* Work around REGEXP BINARY not working correctly on MySQL 8+ by using REGEXP_LIKE with the 'c' match_type (jeremyevans)
* Force correct column order in Database#foreign_key_list on MySQL (jeremyevans)
* Add ConnectionPool#connection_expiration_random_delay to connection_expiration extension, to avoid thundering herd if preallocating connections (hex2a, jeremyevans) (#1503)
* Emit deprecation warning in association_proxies plugin if using #filter on an association proxy, since behavior will change on ruby 2.6+ (utilum) (#1497)
* Handle multiple add_constraint calls and a set_column_null call in the same alter_table block on SQLite (jeremyevans) (#1498)
* Add Database#rename_enum to the pg_enum extension (AlexWayfer) (#1495)
* Make tactical_eager_loading plugin respect the :allow_eager association option (jeremyevans) (#1494)
* Add pg_auto_constraint_validations plugin, for automatically converting constraint violations to validation failures on PostgreSQL (jeremyevans)
* Don't make Model#_valid? public in the error_splitter plugin (jeremyevans)
* Support Database#indexes :include_partial option on PostgreSQL for including partial indexes (jeremyevans)
* Include more diagnostic information in Database#error_info on PostgreSQL (jeremyevans)
* Support Database#foreign_key_list :reverse option on PostgreSQL for parsing foreign key constraints that reference a given table (jeremyevans)
* Add Database#check_constraints on PostgreSQL for parsing CHECK constraints (jeremyevans)
* Don't use identity columns if :serial=>true or :type=>:serial|:bigserial column options are used (#1490) (jeremyevans)
* Cache Dataset#select_all datasets if no arguments are given (jeremyevans)
* Cache Dataset#returning datasets if no arguments are given (jeremyevans)
* Cache Dataset#qualify datasets if no argument is given (jeremyevans)
* Cache Dataset#lateral datasets (jeremyevans)
* Cache Dataset#from_self datasets if no options are given (jeremyevans)
* Cache Dataset#distinct datasets if no arguments or block is given (jeremyevans)
=== 5.7.0 (2018-04-01)
* Add Sequel.start_timer and .elapsed_seconds_since for more accurate elapsed time calculations on ruby 2.1+ (jeremyevans)
* Run Dataset#with_sql_{all,each,first,single_value} using a cached dataset to avoid clobbering the dataset's columns (jeremyevans)
* Add Database#convert_serial_to_identity on PostgreSQL 10.2+, which requires superuser access (jeremyevans)
* Fix Database#server_version when connecting to PostgreSQL 10.1+ in certain cases (jeremyevans)
* Free temporary clobs in the jdbc/oracle adapter to prevent a memory leak (jeremyevans) (#1482)
* Treat prepared statement errors due to changing types as disconnect errors in the postgres adapter (jeremyevans) (#1481)
* Add integer64 extension for treating Integer as a 64-bit integer when used as a generic type (jeremyevans)
* Allow many_to_pg_array remove_all_* method cast appropriately to work correctly for non-integer types (jeremyevans)
* Fix array_type for pg_array_to_many and many_to_pg_array associations in pg_array_associations plugin (jeremyevans)
* Use identity columns instead of serial columns for primary keys on PostgreSQL 10.2+ (jeremyevans)
* Support :identity option when creating columns on PostgreSQL 10+ to create identity columns (jeremyevans)
* Add Dataset#overriding_{system,user}_value on PostgreSQL for use with PostgreSQL 10+ identity columns (jeremyevans)
* Set :auto_increment schema entry correctly for PostgreSQL 10+ identity columns (jeremyevans)
0.5.1 (2018/04/11)
New Features
* None
Bug Fixes
* Fix with --with-mysql-dir (#952)
* Prevent command out of sync errors with Prepared Statements (#956, #957, #958)
Changes
* Specs: Use the prepared statement performance schema if available (#960)
* README mysql2 0.5.x works with Rails 5.0.7, 5.1.6, and higher
* README be sure to read about the known limitations of prepared statements
Wed Feb 28 2018 version 0.99999 released
* update to compile with newer Ruby releases, thanks
Lars Kanis for patch
* added ODBC::Database.login_timeout to get/set the
SQL_LOGIN_TIMEOUT connection attribute
Wed Feb 15 2017 version 0.99998 released
* minor update to compile with Ruby 2.4, thanks to Kevin Deisz
* preset output vars before SQLColAttributes() call
patch-ab no longer needed just since 15 Jan 2018(!)
5 years worth of changes including:
- C++11 is now required. Your compiler must have shared_ptr, noexcept, etc.
- Removed pqxx::items. Use the new C++11 initialiser syntax.
- Removed maketemporary. We weren't using it.
- Can now be built outside the source tree.
- New, simpler, lambda-friendly transactor framework.
- New, simpler, prepared statements and parameterised statements.
- Result rows can be passed around independently.
- New exec0(): perform query, expect zero rows of data.
- New exec1(): perform query, expect (and return) a single row of data.
- New exec_n(): perform query, expect exactly n rows of data.
- No longer defines Visual Studio's NOMINMAX in headers.
- Much faster configure script.
- Most configuration items are gone.
- Retired all existing capability flags.
- Documentation on readthedocs.org, thanks Tim Sheerman-Chase.
- Expose SQLSTATE error codes in sql_error exceptions.
- Adds a first-generation parser for SQL arrays.
Changes in MySQL 5.7.22:
Deprecation and Removal Notes
These compatibility SQL modes are now deprecated and will be removed in MySQL 8.0: DB2, MAXDB, MSSQL, MYSQL323, MYSQL40, ORACLE, POSTGRESQL, NO_FIELD_OPTIONS, NO_KEY_OPTIONS, NO_TABLE_OPTIONS. These deprecations have two implications:
Assigning a deprecated mode to the sql_mode system variable produces a warning.
With the MAXDB SQL mode enabled, using CREATE TABLE or ALTER TABLE to add a TIMESTAMP column to a table produces a warning.
Statements that use these deprecated SQL modes may fail when replicated from a MySQL 5.7 master to a MySQL 8.0 slave, or may have different effects on master and slave. To avoid such problems, applications that use the modes deprecated in MySQL 5.7 should be revised not to use them.
Test Suite Notes
Reduction of compiler and platform differences in GIS handling of floating-point results enables simplification of related test cases that no longer need rounding to avoid spurious test failures.
X Plugin Notes
X Plugin connection attempts using the X Protocol did not return an error when the default database specified in the connection options was invalid, and the connection was allowed with a null default database. Connection attempts using the classic MySQL protocol did return an error and disallowed the connection. X Protocol connection attempts now also disallow the connection if an invalid schema is specified.
Functionality Added or Changed
Replication: Changes introduced in version 8 which enable XCom to identify members using the concept of an incarnation have been merged in to version 5.7. These underlying changes add a UUID to members each time they join a group and this information can be used to distinguish among different member incarnations.
Replication: It is now possible to specify whether information written into the binary log enables replication slaves to parallelize based on commit timestamps, or on transaction write sets.
JSON: The JSON_MERGE() function is renamed to JSON_MERGE_PRESERVE().
JSON: Added the JSON utility function JSON_PRETTY(), which prints an existing JSON value, or any string that can successfully be parsed as a JSON document, in a format that can be easily read by humans. Each JSON object member or array value is displayed on a separate line of the output; each child object or array is indented 2 spaces with respect to its parent.
Bugs Fixed
Version 5.0.5 (2018-04-25)
------------------------------
- This version officially supports the new PostgreSQL 10.
- The memory for the string with the number of rows affected by a classic pg
module query() was already freed (bug report and fix by Peifeng Qiu).
Ok OWNER.
- Fixed long-standing bug in 3.x regarding using column aliases with
queries that utilize the ModelCursorWrapper (typically queries with
one or more joins).
- Fix typo in model metadata code, thanks @klen.
- Add examples of using recursive CTEs to docs.
5.26.2:
Security
[CVE-2018-6797] heap-buffer-overflow (WRITE of size 1) in S_regatom (regcomp.c)
A crafted regular expression could cause a heap buffer write overflow, with control over the bytes written.
[CVE-2018-6798] Heap-buffer-overflow in Perl__byte_dump_string (utf8.c)
Matching a crafted locale dependent regular expression could cause a heap buffer read overflow and potentially information disclosure.
[CVE-2018-6913] heap-buffer-overflow in S_pack_rec
pack() could cause a heap buffer write overflow with a large item count.
Assertion failure in Perl__core_swash_init (utf8.c)
Control characters in a supposed Unicode property name could cause perl to crash. This has been fixed.
Updated Modules and Pragmata
Module::CoreList has been upgraded from version 5.20170922_26 to 5.20180414_26.
PerlIO::via has been upgraded from version 0.16 to 0.17.
Term::ReadLine has been upgraded from version 1.16 to 1.17.
Unicode::UCD has been upgraded from version 0.68 to 0.69.
Selected Bug Fixes
The readpipe() built-in function now checks at compile time that it has only one parameter expression, and puts it in scalar context, thus ensuring that it doesn't corrupt the stack at runtime.
Fixed a use after free bug in pp_list introduced in Perl 5.27.1.
Parsing a sub definition could cause a use after free if the sub keyword was followed by whitespace including newlines (and comments).
The tokenizer now correctly adjusts a parse pointer when skipping whitespace in an ${identifier} construct.
Accesses to ${^LAST_FH} no longer assert after using any of a variety of I/O operations on a non-glob.
sort now performs correct reference counting when aliasing $a and $b, thus avoiding premature destruction and leakage of scalars if they are re-aliased during execution of the sort comparator.
Some convoluted kinds of regexp no longer cause an arithmetic overflow when compiled.
Fixed a duplicate symbol failure with -flto -mieee-fp builds. pp.c defined _LIB_VERSION which -lieee already defines.
A NULL pointer dereference in the S_regmatch() function has been fixed.
Failures while compiling code within other constructs, such as with string interpolation and the right part of s///e now cause compilation to abort earlier.
- Added support for SQLite's new ON CONFLICT clause, which is modelled
on the syntax used by Postgresql and will be available in SQLite
3.24.0 and onward.
- Added better support for using common table expressions and a
cleaner way of implementing recursive CTEs, both of which are also
tested with integration tests (as opposed to just checking the
generated SQL).
- Modernized the CI environment to utilize the latest MariaDB
features, so we can test window functions and CTEs with MySQL (when
available).
- Reorganized and unified the feature-flags in the test suite.
- Added ValuesList for representing values lists.
- DateTimeField, DateField and TimeField will parse formatted-string
before sending to the database. Previously this only occurred when
reading values from the database.
- Smarter handling of model-graph when dealing with compound queries
(union, intersect, etc).
- If the same column-name is selected multiple times, first value
wins.
- If ModelSelect.switch() is called without any arguments, default to
the query's model.
- Fix issue where cloning a ModelSelect query did not result in the
joins being cloned.
=== Bug fixes
Engine::
- Harden periodically check to avoid endless flush loop
Ingest::
- Don't allow referencing the pattern bank name in the pattern bank
Java High Level REST Client::
- Bulk processor#awaitClose to close scheduler
Java Low Level REST Client::
- REST client: hosts marked dead for the first time should not be
immediately retried
Network::
- Cross-cluster search and default connections can get crossed
Percolator::
- Fixed bug when non percolator docs end up in the search hits
- Fixed a msm accounting error that can occur during analyzing a
percolator query
- Fix more query extraction bugs.
- Fix some query extraction bugs.
Plugins::
- Plugins: Fix native controller confirmation for non-meta plugin
Search::
- Propagate ignore_unmapped to inner_hits
Settings::
- Archive unknown or invalid settings on updates
3.14.0
======
Features
--------
- Add one() function to the ResultSet API
- Create a utility function to fetch concurrently many keys from the
same replica
- Allow filter queries with fields that have an index managed outside
of cqlengine
- Twisted SSL Support
- Support IS NOT NULL operator in cqlengine
Other
-----
- Fix Broken Links in Docs
- Reevaluate MONKEY_PATCH_LOOP in test codebase
- Remove CASS_SERVER_VERSION and replace it for CASSANDRA_VERSION in
tests
- Refactor CASSANDRA_VERSION to some kind of version object
- Log warning when driver configures an authenticator, but server does
not request authentication
- Warn users when using the deprecated
Session.default_consistency_level
- Add DSE smoke test to OSS driver tests
- Document long compilation times and workarounds
- Improve error for batch WriteTimeouts
- Deprecate ResultSet indexing
3.13.0
======
Features
--------
- cqlengine: LIKE filter operator
- Support cassandra.query.BatchType with cqlengine BatchQuery
Bug Fixes
---------
- AttributeError: 'NoneType' object has no attribute 'add_timer'
- Support retry_policy in PreparedStatement
- __del__ method in Session is throwing an exception
- LZ4 import issue with recent versions
- ResponseFuture._connection can be None when returning request_id
- ResultSet.was_applied doesn't support batch with LWT statements
Other
-----
- cqlengine: avoid warning when unregistering connection on shutdown
- Fix DeprecationWarning of log.warn
- Fix example_mapper.py for python3
- Possible deadlock on cassandra.concurrent.execute_concurrent
- Add some known deprecated warnings for 4.x
- Remove copyright dates from copyright notices
- Remove "Experimental" tag from execution profiles documentation
- request_timer metrics descriptions are slightly incorrect
- Remove "Experimental" tag from cqlengine connections documentation
- Set in documentation default consistency for operations is LOCAL_ONE
2.5:
- abstract layer now handles auxiliary classes
- pwdLastSet in AD is valid for 0 and -1
- fixed extend.novell.get_universal_password
- entryUUID is properly validated in search filters
- custom attribute formatters are properly applied when parsing the search filter
- REUSABLE strategy now honours credentials when changed in the original connection
- add operation doesn't change passed attribute dict anymore
- missing entry's attribute return False when searching instead of raising an exception
- fixed ad_timestamp evaluation for integers
- wrong exception raised when user name is empty in simple binding
- exception is raised if size limit is exceeded when searching in mocking strategies with raise_exceptions=True
- fixed validator for novell guid
- fixed validator for openldap EntryUUID
- fixed validator for AD objectGUID, now follows MS-DTYP
- fixed formatter for AD objectGUID
- fixed exception when adding binary values
- added escape_rdn_chars() to ldap3.utils.dn for safe checking untrusted input while building DNs
- fixed search for binary values in mock strategies
- fixed exception with unicode chars in subfilters for python 2
- connection.extend.paged_search() doesn't miss the last entries anymore when size limit is exceeded for the search on the server
- validators are not applied when loading data from json dump in Mock strategies
- additional validator to check for erroneous bytes to string conversion in Python 3
- additional formatter and validator to check for generalizedtime with 0 year
- added ADDITIONAL_CLIENT_ENCODINGS parameter
- fixed AD dir_sync extended operation
- ad_unlock_account works properly
- added Microsoft security descriptor control
- fixed search in mock strategies when raise_exceptions=True
- formatters never raise exceptions but return the raw_value when unable to format
- fixed controls duplication in paged search
- pwiz tool will capture column defaults defined as part of the
table schema.
- Fixed a misleading error message.
- Ensure reuse_if_open parameter has effect on pooled databases.
- Added support for on update/delete when migrating foreign-key.
- Fixed bug in SQL generation for subqueries in aliased functions.
SQLiteC++ offers an encapsulation around the native C APIs of SQLite,
with a few intuitive and well documented C++ classes. It is designed
using the Resource Acquisition Is Initialization (RAII) idiom, and
throws exceptions in case of SQLite errors (except in destructors,
where assert() is used instead). Each SQLiteC++ object must be
constructed with a valid SQLite database connection, and then is
always valid until destroyed.
2.3.6:
Single bug fix that was a possible security issue so I have pushed a version out.
Fix order of arguments in SQLWriteFileDSN.c, fix unwanted free() in iusql.c
Add pkg-config files
SQLite Release 3.23.1:
Fix two problems in the new LEFT JOIN strength reduction optimization.
Fix misbehavior of the FTS5 xBestIndex method.
Fix a harmless reference to an uninitialized virtual machine register.
Fix the CLI so that it builds with -DSQLITE_UNTESTABLE
Fix the eval.c extension so that it works with PRAGMA empty_result_callbacks=ON.
Fix the generate_series virtual table so that it correctly returns no rows if any of its constraints are NULL.
Performance enhancements in the parser.
- Compatibility with Sphinx 1.7.0
- Ensure a change stream uses the proper session id while iterating
- Fix a rare crash in pooled mode when a replica set member was
disconnected
Upstream changes:
1.58 2018-03-28
- Switched to a production version.
1.57_01 2018-03-21
- Made it an error to fetch attributes from a statement
handle whose database handle is inactive (ribasushi++)
6.2.0
------------------
- cleanup for SSL Context
- Add X-Pack clients to -py
- Adding Gzip support for capacity constrained networks
- ``_routing`` in bulk action has been deprecated in ES. Introduces a
breaking change if you use ``routing`` as a field in your documents.
6.1.1
------------------
- Updates to SSLContext logic to make it easier to use and have saner
defaults.
- Doc updates
6.1.0
------------------
- Bad release
=== Enhancements
Highlighting::
- Limit analyzed text for highlighting (improvements)
Recovery::
- Require translogUUID when reading global checkpoint
=== Bug fixes
Core::
- Remove special handling for _all in nodes info
Engine::
- Avoid class cast exception from index writer
- Maybe die before failing engine
- Never block on key in `LiveVersionMap#pruneTombstones`
Ingest::
- Continue registering pipelines after one pipeline parse failure.
Java High Level REST Client::
- REST high-level client: encode path parts
Packaging::
- Delay path expansion on Windows
Percolator::
- Fix percolator query analysis for function_score query
- Improved percolator's random candidate query duel test
Snapshot/Restore::
- Fix NPE when using deprecated Azure settings
Stats::
- Fix AdaptiveSelectionStats serialization bug