<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<TITLE>Release 7.4.13</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.79">
<LINK REV="MADE" HREF="mailto:pgsql-docs@postgresql.org">
<LINK TITLE="PostgreSQL 9.1beta1 Documentation" HREF="index.html">
<LINK HREF="release.html">
<LINK TITLE="Release 7.4.14" HREF="release-7-4-14.html">
<LINK TITLE="Release 7.4.12" HREF="release-7-4-12.html">
<LINK REL="STYLESHEET" TYPE="text/css" HREF="stylesheet.css">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
<META NAME="creation" CONTENT="2011-04-27T21:20:33">
</HEAD>
<BODY>
<TABLE SUMMARY="Header navigation table">
<TR><TH COLSPAN="3"><A HREF="index.html">PostgreSQL 9.1beta1 Documentation</A></TH></TR>
<TR>
<TD><A TITLE="Release 7.4.14" HREF="release-7-4-14.html">Release 7.4.14</A></TD>
<TD>Appendix E. Release Notes</TD>
<TD><A TITLE="Release 7.4.12" HREF="release-7-4-12.html">Release 7.4.12</A></TD>
</TR>
</TABLE>
<H1><A NAME="RELEASE-7-4-13">E.122. Release 7.4.13</A></H1>
<P>This release contains a variety of fixes from 7.4.12,
including patches for extremely serious security issues.
For information about new features in the 7.4 major release, see
<A HREF="release-7-4.html">release-7-4.html</A>.</P>
<H2>E.122.1. Migration to Version 7.4.13</H2>
<P>A dump/restore is not required for those running 7.4.X. However,
if you are upgrading from a version earlier than 7.4.11, see the release</P>
<P>Full security against the SQL-injection attacks described in
CVE-2006-2313 and CVE-2006-2314 might require changes in application
code. If you have applications that embed untrustworthy strings
into SQL commands, you should examine them as soon as possible to
ensure that they are using recommended escaping techniques. In
most cases, applications should be using subroutines provided by
libraries or drivers (such as <CODE>PQescapeStringConn()</CODE>)
to perform string escaping, rather than relying on
<I CLASS="FOREIGNPHRASE"></I></P>
<UL>
<LI><P>Change the server to reject invalidly-encoded multibyte
characters in all cases (Tatsuo, Tom)</P>
<P>has been moving in this direction for
some time, the checks are now applied uniformly to all encodings and all
textual input, and are now always errors not merely warnings. This change
defends against SQL-injection attacks of the type described in CVE-2006-2313.</P></LI>
<LI><P>Reject unsafe uses of <TT></TT> in string literals</P>
<P>As a server-side defense against SQL-injection attacks of the type
described in CVE-2006-2314, the server now only accepts <TT></TT>
as a representation of ASCII single quote in SQL string
literals. By default, <TT></TT> is rejected only when
is set to a client-only encoding (SJIS, BIG5, GBK,
GB18030, or UHC), which is the scenario in which SQL injection is possible.
A new configuration parameter <TT></TT>
adjust this behavior when needed. Note that full security against
CVE-2006-2314 might require client-side changes; the purpose of
<TT></TT> is in part to make it obvious that insecure
clients are insecure.</P></LI>
<LI><P>'s string-escaping routines to be
aware of encoding considerations and
<TT>standard_conforming_strings</TT></P>
<P>-using applications for the security
issues described in CVE-2006-2313 and CVE-2006-2314, and also future-proofs
them against the planned changeover to SQL-standard string literal syntax.
Applications that use multiple <SPAN></SPAN>
concurrently should migrate to <CODE>PQescapeStringConn()</CODE> and
<CODE>PQescapeByteaConn()</CODE> to ensure that escaping is done correctly
for the settings in use in each database connection. Applications that
do string escaping <SPAN></SPAN> should be modified to rely on library</P></LI>
<LI><P>Fix some incorrect encoding conversion functions</P>
<P><CODE>win1251_to_iso</CODE>
<CODE>euc_tw_to_big5</CODE>
were all broken to varying</P></LI>
<LI><P>Clean up stray remaining uses of <TT></TT></P></LI>
<LI><P>Fix bug that sometimes caused OR'd index scans to
miss rows they should have returned</P></LI>
<LI><P>Fix WAL replay for case where a btree index has been</P></LI>
<LI><P>for patterns involving</P></LI>
<LI><P>Fix server to use custom DH SSL parameters correctly (Michael</P></LI>
<LI><P>Fix for Bonjour on Intel Macs (Ashley Clark)</P></LI>
<LI><P>Fix various minor memory leaks</P></LI>
</UL>
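<P>The two escaping-related items in the list above (the server now rejecting invalidly-encoded multibyte input in every encoding, and the advice to use a connection-aware escaper such as <CODE>PQescapeStringConn()</CODE> instead of hand-written escaping) can be illustrated in Python. This is an added example and is not PostgreSQL or libpq code: <CODE>escape_literal</CODE> is a hypothetical reimplementation of what an encoding-aware escaper must do (work on characters rather than bytes, represent a quote as two quotes rather than with a backslash, and double backslashes only while <TT>standard_conforming_strings</TT> is off), and <CODE>server_parse_literal</CODE> is a model, not the real lexer, of the two server-side checks this release describes (reject invalid byte sequences in any encoding; reject backslash-quote in the client-only encodings the page lists). The encoding tables, function names and sample inputs are constructed for the example.</P>

```python
# Added example, not PostgreSQL or libpq code: a character-level escaper in the
# spirit of PQescapeStringConn(), plus a model of the server-side checks this
# release note describes.  Encoding tables and sample inputs are constructed.

# Encodings PostgreSQL accepts only as a client encoding; the page names these
# as the case in which backslash-quote escaping is unsafe.  Values are the
# Python codec names (constructed table, only as large as the example needs).
CLIENT_ONLY_ENCODINGS = {"SJIS": "shift_jis", "BIG5": "big5", "GBK": "gbk",
                         "GB18030": "gb18030", "UHC": "cp949"}
# A few server-side encodings, enough for the example (constructed table).
SERVER_ENCODINGS = {"UTF8": "utf-8", "LATIN1": "latin-1", "EUC_JP": "euc_jp"}


class EscapeError(ValueError):
    """Raised when a value cannot be escaped safely or a literal is rejected."""


def python_codec(pg_encoding: str) -> str:
    name = pg_encoding.upper()
    codec = CLIENT_ONLY_ENCODINGS.get(name) or SERVER_ENCODINGS.get(name)
    if codec is None:
        raise EscapeError(f"encoding not in this example's table: {pg_encoding}")
    return codec


def escape_literal(value: str, client_encoding: str,
                   standard_conforming_strings: bool = False) -> bytes:
    """Build a quoted SQL literal for value, encoded in client_encoding.

    Hypothetical reimplementation of what an encoding-aware escaper must do:
      * escape at the character level and encode afterwards, so a multibyte
        character whose trailing byte equals 0x5C or 0x27 is never mistaken
        for a backslash or quote (byte-level escapers get this wrong in
        SJIS, BIG5, GBK, GB18030 and UHC);
      * represent a single quote by doubling it, never with a backslash;
      * double backslashes only while standard_conforming_strings is off,
        because only then does the server treat backslash as an escape.
    Input that does not encode cleanly in the connection encoding is refused,
    so no partial multibyte sequence can reach the server.
    """
    escaped = value.replace("'", "''")
    if not standard_conforming_strings:
        escaped = escaped.replace("\\", "\\\\")
    try:
        return ("'" + escaped + "'").encode(python_codec(client_encoding), "strict")
    except UnicodeEncodeError as exc:
        raise EscapeError(f"value not representable in {client_encoding}: {exc}")


def server_parse_literal(literal: bytes, client_encoding: str) -> str:
    """Model (not the real lexer) of the server-side checks in this release.

    1. Bytes that are not valid in client_encoding are always an error.
    2. In a client-only encoding, backslash-quote inside a literal is
       rejected; only a doubled quote is accepted as an embedded quote.
    Otherwise the literal is decoded 7.4-style, where backslash escapes the
    next character.  Only backslash-backslash and backslash-quote are
    modelled; newline, tab and octal escapes are left out.
    """
    try:
        text = literal.decode(python_codec(client_encoding), "strict")
    except UnicodeDecodeError as exc:
        raise EscapeError(f"invalid byte sequence for {client_encoding}: {exc}")
    if len(text) < 2 or text[0] != "'" or text[-1] != "'":
        raise EscapeError("not a single quoted literal")
    body = text[1:-1]
    client_only = client_encoding.upper() in CLIENT_ONLY_ENCODINGS
    out, i = [], 0
    while i < len(body):
        ch, nxt = body[i], body[i + 1:i + 2]
        if ch == "'":
            if nxt != "'":
                raise EscapeError("lone quote inside literal")
            out.append("'")
            i += 2
        elif ch == "\\":
            # nxt == "" means the backslash sits right before the closing quote
            if nxt in ("'", ""):
                if client_only:
                    raise EscapeError(f"unsafe use of \\' in {client_encoding}")
                if nxt == "":
                    raise EscapeError("unterminated literal")
            out.append(nxt)
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def server_accepts(literal: bytes, client_encoding: str) -> bool:
    """True if the modelled server would accept the literal."""
    try:
        server_parse_literal(literal, client_encoding)
        return True
    except EscapeError:
        return False


if __name__ == "__main__":
    # U+30BD is the well-known SJIS character whose second byte is 0x5C.
    lit = escape_literal("\u30bd'", "SJIS")
    print(lit, server_parse_literal(lit, "SJIS"))
    print(server_accepts(b"'\xe2\x28\xa1'", "UTF8"))  # invalid UTF-8 is rejected
```

<P>The design point is the order of operations in <CODE>escape_literal</CODE>: quotes and backslashes are handled on decoded characters and the result is encoded afterwards, which is what makes the routine "aware of encoding considerations" in the sense of the third list item. The server model shows the other half of the story from the first two items: a literal that is not valid in the client encoding is an error everywhere, and a literal relying on backslash-quote is additionally refused under a client-only encoding, while a doubled quote works in every encoding.</P>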
</BODY>
</HTML>