The PostgreSQL project will publish a security update on Thursday, April 4 for all supported versions. This release will include a fix for a high-exposure vulnerability. All users are strongly urged to apply the update as soon as possible: http://www.postgresql.org/about/news/1454/
Page in French: http://blog.postgresql.fr/index.php?post/2013/04/02/Mise-%C3%A0-jour-importante-%C3%A0-pr%C3%A9voir-le-4-avril-!

PostgreSQL job offers in March

PostgreSQL Local

  • PGCon 2013 will be held May 23 & 24, 2013 at the University of Ottawa: http://www.pgcon.org/2013/
  • The 6th annual "Prague PostgreSQL Developers Day" conference, organized by CSPUG (Czech and Slovak PostgreSQL Users Group), will be held May 30, 2013 at the Faculty of Mathematics and Physics of Charles University (Malostranske namesti 25, Prague). Speaker submissions are accepted until April 14 at <info AT p2d2 DOT cz>. More information on the site: http://www.p2d2.cz/
  • PgDay Fr is the major event of the French-speaking community. It will be held June 13, 2013 in Nantes (France): http://pgday.fr/
  • The CfPs for Char(13) and PGday UK, July 11 and 12, 2013, respectively, are out and close April 19, 2013. For Char(13), write speakers AT char13 DOT info; for PGday UK, speakers AT postgresqlusergroup DOT org DOT uk.
  • PostgreSQL Brazil will be held August 15 to 17, 2013 in Porto Velho, Rondônia state, Brazil: http://pgbr.postgresql.org.br/2013/chamada.en.php
  • Save the date! Postgres Open 2013 will be held in Chicago (Illinois, USA), September 16 to 18. Hotel Sax: https://reservations.ihotelier.com/crs/g_reservation.cfm?groupID=888761&hotelID=6865 Early Bird registration: http://postgresopen-eac2.eventbrite.com/

PostgreSQL in the media

PostgreSQL Weekly News is brought to you this week by David Fetter. Translation by the PostgreSQLFr team under the CC BY-NC-SA license.

Submit your articles or announcements before Sunday 15:00 (Pacific time). Please send them in English to david (a) fetter.org, in German to pwn (a) pgug.de, in Italian to pwn (a) itpug.org and in Spanish to pwn (a) arpug.com.ar.

(link to the original article)

Applied patches

Heikki Linnakangas pushed:

  • Add missing #include. time(2) requires time.h. http://git.postgresql.org/pg/commitdiff/4eefd0f86b6ce2e657c566fe40301930ab31eddd
  • In base backup, only include our own tablespace version directory. If you have clusters of different versions pointing to the same tablespace location, we would incorrectly include all the data belonging to the other versions, too. Fixes bug #7986, reported by Sergey Burladyan. http://git.postgresql.org/pg/commitdiff/28ba260906c87ffbda42f93d867191f491025a04
  • Make pg_basebackup work with pre-9.3 servers, and add server version check. A new 'starttli' field was added to the response of BASE_BACKUP command. Make pg_basebackup tolerate the case that it's missing, so that it still works with older servers. Add an explicit check for the server version, so that you get a nicer error message if you try to use it with a pre-9.1 server. The streaming protocol message format changed in 9.3, so -X stream still won't work with pre-9.3 servers. I added a version check to ReceiveXLogStream() earlier, but write that slightly differently, so that in 9.4, it will still work with a 9.3 server. (In 9.4, the error message needs to be adjusted to "9.3 or above", though). Also, if the version check fails, don't retry. http://git.postgresql.org/pg/commitdiff/d298b50a3b469c088bb40a4d36d38111b4cd574d
  • Add PF_PRINTF_ATTRIBUTE to on_exit_msg_fmt. Per warning from -Wmissing-format-attribute. http://git.postgresql.org/pg/commitdiff/ea988ee8c8b191615e730f930bcde6144a598688
  • Get rid of obsolete parse_version helper function. For getting the server's version in numeric form, use PQserverVersion(). It does the exact same parsing as dumputils.c's parse_version(), and has been around in libpq for a long time. For the client's version, just use the PG_VERSION_NUM constant. http://git.postgresql.org/pg/commitdiff/901b89e37bb8e71224ee76987679010ff3c93c05
  • Fix pg_dump against 9.1/9.2 servers. The parallel pg_dump patch forgot to add relpages column to 9.1/9.2 version of the getTables() query. Reported by Bernd Helmle. http://git.postgresql.org/pg/commitdiff/625b237f79ec59369e6083f041649adf4fdc1080
  • Move some pg_dump function around. Move functions used only by pg_dump and pg_restore from dumputils.c to a new file, pg_backup_utils.c. dumputils.c is linked into psql and some programs in bin/scripts, so it seems good to keep it slim. The parallel functionality is moved to parallel.c, as is exit_horribly, because the interesting code in exit_horribly is parallel-related. This refactoring gets rid of the on_exit_msg_func function pointer. It was problematic, because a modern gcc version with -Wmissing-format-attribute complained if it wasn't marked with PF_PRINTF_ATTRIBUTE, but the ancient gcc version that Tom Lane's old HP-UX box has didn't accept that attribute on a function pointer, and gave an error. We still use a similar function pointer trick for getLocalPQBuffer() function, to use a thread-local version of that in parallel mode on Windows, but that dodges the problem because it doesn't take printf-like arguments. http://git.postgresql.org/pg/commitdiff/7800a71291690dcc34eb3b7aab18750b5a7ebe2c
  • Fix buffer pin leak in heap update redo routine. In a heap update, if the old and new tuple were on different pages, and the new page no longer existed (because it was subsequently truncated away by vacuum), heap_xlog_update forgot to release the pin on the old buffer. This bug was introduced by the "Fix multiple problems in WAL replay" patch, commit 3bbf668de9f1bc172371681e80a4e769b6d014c8 (on master branch). With full_page_writes=off, this triggered an "incorrect local pin count" error later in replay, if the old page was vacuumed. This fixes bug #7969, reported by Yunong Xiao. Backpatch to 9.0, like the commit that introduced this bug. http://git.postgresql.org/pg/commitdiff/3cfb572dde2095df1bfc6665862dcf8ee0a95b99

Andrew Dunstan pushed:

  • Fix a small logic bug in adjusted parallel restore code. http://git.postgresql.org/pg/commitdiff/ec143f94051779bb5d07419723529b4cc4fcce95
  • Add new JSON processing functions and parser API. The JSON parser is converted into a recursive descent parser, and exposed for use by other modules such as extensions. The API provides hooks for all the significant parser event such as the beginning and end of objects and arrays, and providing functions to handle these hooks allows for fairly simple construction of a wide variety of JSON processing functions. A set of new basic processing functions and operators is also added, which use this API, including operations to extract array elements, object fields, get the length of arrays and the set of keys of a field, deconstruct an object into a set of key/value pairs, and create records from JSON objects and arrays of objects. Catalog version bumped. Andrew Dunstan, with some documentation assistance from Merlin Moncure. http://git.postgresql.org/pg/commitdiff/a570c98d7fa0841f17bbf51d62d02d9e493c7fcc
  • Fix page title for JSON Functions and Operators. http://git.postgresql.org/pg/commitdiff/6caf759f3f34eb496f4a92c3db9d3289299066b9
  • Avoid moving data directory in upgrade testing. Windows sometimes gets upset if we rename a large directory and then try to use the old name quickly, as seen in occasional buildfarm failures. So we avoid that by building the old version in the intended destination in the first place instead of renaming it, similar to the change made for the same reason in commit b7f8465c. http://git.postgresql.org/pg/commitdiff/67eb3e5075b52bb9d91dc3bd9358ac1da2ded5fc

Tom Lane pushed:

  • Ignore invalid indexes in pg_dump. Dumping invalid indexes can cause problems at restore time, for example if the reason the index creation failed was because it tried to enforce a uniqueness condition not satisfied by the table's data. Also, if the index creation is in fact still in progress, it seems reasonable to consider it to be an uncommitted DDL change, which pg_dump wouldn't be expected to dump anyway. Back-patch to all active versions, and teach them to ignore invalid indexes in servers back to 8.2, where the concept was introduced. Michael Paquier http://git.postgresql.org/pg/commitdiff/683abc73dff549e94555d4020dae8d02f32ed78b
  • Fix grammatical errors in some new message strings. Daniele Varrazzo http://git.postgresql.org/pg/commitdiff/f7f210b5c4c9c76e87fffc5abef7dea752d1ac9a
  • Reset OpenSSL randomness state in each postmaster child process. Previously, if the postmaster initialized OpenSSL's PRNG (which it will do when ssl=on in postgresql.conf), the same pseudo-random state would be inherited by each forked child process. The problem is masked to a considerable extent if the incoming connection uses SSL encryption, but when it does not, identical pseudo-random state is made available to functions like contrib/pgcrypto. The process's PID does get mixed into any requested random output, but on most systems that still only results in 32K or so distinct random sequences available across all Postgres sessions. This might allow an attacker who has database access to guess the results of "secure" operations happening in another session. To fix, forcibly reset the PRNG after fork(). Each child process that has need for random numbers from OpenSSL's generator will thereby be forced to go through OpenSSL's normal initialization sequence, which should provide much greater variability of the sequences. There are other ways we might do this that would be slightly cheaper, but this approach seems the most future-proof against SSL-related code changes. This has been assigned CVE-2013-1900, but since the issue and the patch have already been publicized on pgsql-hackers, there's no point in trying to hide this commit. Back-patch to all supported branches. Marko Kreen http://git.postgresql.org/pg/commitdiff/0d1ecd6300191a450978ca2fcd12bbbb7c5e65e6
  • Avoid "variable might be clobbered by longjmp" warning. On older-model gcc, the original coding of UTILITY_BEGIN_QUERY() can draw this error because of multiple assignments to _needCleanup. Rather than mark that variable volatile, we can suppress the warning by arranging to have just one unconditional assignment before PG_TRY. http://git.postgresql.org/pg/commitdiff/58bc48179b3cad0793ae20b002d60289c8bf0b9b
  • Update time zone data files to tzdata release 2013b. DST law changes in Chile, Haiti, Morocco, Paraguay, some Russian areas. Historical corrections for numerous places. http://git.postgresql.org/pg/commitdiff/ae7f1c3ef2eef9584e3c9a42c395eb0c0e59a5ed
  • Draft release notes for 9.2.4, 9.1.9, 9.0.13, 8.4.17. Covers commits through today. Not back-patching into back branches yet, since this is just for people to review in advance. http://git.postgresql.org/pg/commitdiff/29505a894e1ece60bf42a2756ae99c9e44b5ae6a
  • Must check indisready not just indisvalid when dumping from 9.2 server. 9.2 uses a kluge representation of "indislive"; we have to account for that when examining pg_index. Simplest solution is to check indisready for 9.0 and 9.1 as well; that's harmless though unnecessary, so it's not worth making a version distinction for. Fixes oversight in commit 683abc73dff549e94555d4020dae8d02f32ed78b, as noted by Andres Freund. http://git.postgresql.org/pg/commitdiff/aa02864f64c46807f7682a41882fe40f7f5cb819
  • Document encode(bytea, 'escape')'s behavior correctly. I changed this in commit fd15dba543247eb1ce879d22632b9fdb4c230831, but missed the fact that the SGML documentation of the function specified exactly what it did. Well, one of the two places where it's specified documented that --- probably I looked at the other place and thought nothing needed to be done. Sync the two places where encode() and decode() are described. http://git.postgresql.org/pg/commitdiff/9ad27c215362df436f8c16f1aace923011f31be4
  • Improve code documentation about "magnetic disk" storage manager. The modern incarnation of md.c is by no means specific to magnetic disk technology, but every so often we hear from someone who's misled by the label. Try to clarify that it will work for anything that supports standard filesystem operations. Per suggestion from Andrew Dunstan. http://git.postgresql.org/pg/commitdiff/22f7b9613e5a60bc3daca35f87f546baa9fd934c
  • Ignore extra subquery outputs in set_subquery_size_estimates(). In commit 0f61d4dd1b4f95832dcd81c9688dac56fd6b5687, I added code to copy up column width estimates for each column of a subquery. That code supposed that the subquery couldn't have any output columns that didn't correspond to known columns of the current query level --- which is true when a query is parsed from scratch, but the assumption fails when planning a view that depends on another view that's been redefined (adding output columns) since the upper view was made. This results in an assertion failure or even a crash, as per bug #8025 from lindebg. Remove the Assert and instead skip the column if its resno is out of the expected range. http://git.postgresql.org/pg/commitdiff/d931ac0ec4c25b61f480562a13f1974f913afd59
  • Update release notes for changes through today. http://git.postgresql.org/pg/commitdiff/e48a7bd527481556f7068832331ef6b00805920b
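
The state inheritance across fork() described in the "Reset OpenSSL randomness state in each postmaster child process" commit above, as an added C example that is not PostgreSQL or OpenSSL code. A toy, non-cryptographic generator stands in for OpenSSL's PRNG, all function names are hypothetical, and the PID mixing the commit mentions is left out.

```c
/* Added illustration; not PostgreSQL or OpenSSL code. All names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

static uint64_t toy_state;              /* stand-in for the PRNG state the parent sets up */
static uint64_t toy_next(void) {        /* LCG step: NOT cryptographic */
    return toy_state = toy_state * 6364136223846793005ULL + 1442695040888963407ULL;
}

static int toy_reseed(void) {           /* fresh state from the kernel; 0 on success */
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(&toy_state, sizeof toy_state, 1, f);
    fclose(f);
    return n == 1 ? 0 : -1;
}

/* Fork one "backend"; it optionally resets the PRNG, then reports its first draw via a pipe. */
static int backend_draw(int reset_after_fork, uint64_t *out) {
    int fd[2], status = 0;
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                     /* child: starts with a copy of the parent's toy_state */
        if (reset_after_fork && toy_reseed() != 0) _exit(1);
        uint64_t v = toy_next();
        _exit(write(fd[1], &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1);
    }
    close(fd[1]);
    ssize_t r = read(fd[0], out, sizeof *out);
    close(fd[0]);
    waitpid(pid, &status, 0);
    return (r == (ssize_t)sizeof *out && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* 1 if two backends forked from the same seeded parent draw the same value, 0 if not, -1 on error. */
static int draws_match(int reset_after_fork) {
    uint64_t a, b;
    toy_state = 0x9E3779B97F4A7C15ULL;  /* constructed seed: the parent initialises once */
    if (backend_draw(reset_after_fork, &a) || backend_draw(reset_after_fork, &b)) return -1;
    return a == b;
}

int main(void) {
    printf("inherited: match=%d, reset after fork: match=%d\n", draws_match(0), draws_match(1));
    return 0;
}
```

The parent never draws between forks, so every child that skips the reset starts from the identical state; this is the condition the commit removes by resetting the PRNG in each child.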

Robert Haas pushed:

Simon Riggs pushed:

Kevin Grittner pushed:

Alvaro Herrera pushed:

  • Add sql_drop event for event triggers. This event takes place just before ddl_command_end, and is fired if and only if at least one object has been dropped by the command. (For instance, DROP TABLE IF EXISTS of a table that does not in fact exist will not lead to such a trigger firing). Commands that drop multiple objects (such as DROP SCHEMA or DROP OWNED BY) will cause a single event to fire. Some firings might be surprising, such as ALTER TABLE DROP COLUMN. The trigger is fired after the drop has taken place, because that has been deemed the safest design, to avoid exposing possibly-inconsistent internal state (system catalogs as well as current transaction) to the user function code. This means that careful tracking of object identification is required during the object removal phase. Like other currently existing events, there is support for tag filtering. To support the new event, add a new pg_event_trigger_dropped_objects() set-returning function, which returns a set of rows comprising the objects affected by the command. This is to be used within the user function code, and is mostly modelled after the recently introduced pg_identify_object() function. Catalog version bumped due to the new function. Dimitri Fontaine and Álvaro Herrera Review by Robert Haas, Tom Lane http://git.postgresql.org/pg/commitdiff/473ab40c8bb3fcb1a7645f6a7443a0424d70fbaf

Peter Eisentraut pushed:

Bruce Momjian pushed:

Rejected patches (to date)

  • No one was disappointed this week

Pending patches

  • Amit Kapila sent in another revision of a patch to allow postgresql.conf values to be changed via SQL.
  • Joe Conway sent a patch for git master and back-patches for 9.1 and 9.2 to correct situations where pg_dump selectively ignores extension configuration tables.
  • Jeff Davis sent in a patch to fix an issue where the page checksum patch broke the regression tests.
  • Steve Singer sent in another revision of a patch to fix an issue where an invalid PGSERVICE setting broke pg_upgrade.
  • Brendan Jurd sent in another revision of a patch to remove "zero-dimensional arrays" from the code.
  • Michael Paquier sent in two more revisions of a patch to add REINDEX CONCURRENTLY.
  • Pavel Stehule sent in another revision of a patch to implement plpgsql_check_function.
  • Heikki Linnakangas sent a patch to document the fact that pg_basebackup needs to be told specifically about anything located outside $PGDATA.
  • Amit Kapila sent in another revision of a patch to improve update performance by reducing the amount of WAL written for same.
  • Dickson S. Guedes sent in a patch to fix some examples in the JSON docs.