Les mises à jour de sécurité : 9.2.4, 9.1.9, 9.0.13 et 8.4.17 sont disponibles. Mettez à jour immédiatement, si pas plus tôt ! http://www.postgresql.org/about/news/1456/
FAQ à propos de ces MAJ : http://www.postgresql.org/support/security/faq/2013-04-04/
[ndt: page traduite : http://www.postgresql.fr/faq_correctif_20130404]

La PGConf.EU 2013 sera tenue du 29 octobre au 1^er novembre au Conrad Hotel dans le centre-ville de Dublin en Irlande : http://2013.pgconf.eu/

Les nouveautés des produits dérivés

• psycopg2 2.5, un connecteur Python pour PostgreSQL : http://initd.org/psycopg/articles/2013/04/07/psycopg-25-released/

Offres d'emplois autour de PostgreSQL en avril

• Internationales : http://archives.postgresql.org/pgsql-jobs/2013-04/threads.php;
• Francophones : http://forums.postgresql.fr/viewforum.php?id=4.

PostgreSQL Local

• PGCon 2013 aura lieu les 23 & 24 mai 2013 à l'Université d'Ottawa : http://www.pgcon.org/2013/
• La 6ème conférence annuelle "Prague PostgreSQL Developers Day", organisée par le CSPUG (Groupe des utilisateurs tchèques et slovaques de PostgreSQL), aura lieu le 30 mai 2013 à la Faculté des Sciences Mathématiques & Physiques de l'Université Charles (Malostranske namesti 25, Prague). Les candidatures des conférenciers sont attendues jusqu'au 14 avril à l'adresse <info AT p2d2 POINT cz>. D'avantage d'informations sur le site : http://www.p2d2.cz/
• Le PgDay Fr est l'événement majeur de la communauté francophone. Il aura lieu le 13 juin 2013 à Nantes (France) : http://pgday.fr/
• Les appels à conférenciers pour le Char(13) et le PGday UK, respectivement les 11 et 12 juillet 2013, sont lancés et seront clos le 19 avril 2013. Pour le Char(13), écrivez à speakers AT char13 DOT info ; pour le PGday UK, speakers AT postgresqlusergroup DOT org DOT uk.
• PostgreSQL Brazil aura lieu du 15 au 17 août 2013 à Porto Velho, État du Rondônia au Brésil : http://pgbr.postgresql.org.br/2013/chamada.en.php
• Notez la date ! Postgres Open 2013 aura lieu à Chicago (Illinois, USA) du 16 au 18 septembre. Hotel Sax : https://reservations.ihotelier.com/crs/g_reservation.cfm?groupID=888761&hotelID=6865 Inscriptions pour les lève-tôt : http://postgresopen-eac2.eventbrite.com/

PostgreSQL dans les média

• Planet PostgreSQL : http://planet.postgresql.org/
• Planet PostgreSQLFr : http://planete.postgresql.fr/

PostgreSQL Weekly News / les nouvelles hebdomadaires vous sont offertes cette semaine par David Fetter. Traduction par l'équipe PostgreSQLFr sous licence CC BY-NC-SA.

Proposez vos articles ou annonces avant dimanche 15:00 (heure du Pacifique). Merci de les envoyer en anglais à david (a) fetter.org, en allemand à pwn (a) pgug.de, en italien à pwn (a) itpug.org et en espagnol à pwn (a) arpug.com.ar.

(lien vers l'article original)

Correctifs appliqués

Peter Eisentraut a poussé :

• Revert "ecpg: Don't link compatlib with libpq". This reverts commit 3780fc679cc428c1f211e1728c4281ca15e9746b. HP-UX didn't like it. There would probably be a way to fix that, but since the net effect of all of this is zero because ecpg ends up using libpq anyway, it's not worth bothering further. http://git.postgresql.org/pg/commitdiff/85079078acb4f120335f54f38f93635dd8c8b83d
• doc: Fix number of columns in table http://git.postgresql.org/pg/commitdiff/e3f719c3671c293bf9e1a7293c7bd5eb6d9a2611

Tom Lane a poussé :

• Make REPLICATION privilege checks test current user not authenticated user. The pg_start_backup() and pg_stop_backup() functions checked the privileges of the initially-authenticated user rather than the current user, which is wrong. For example, a user-defined index function could successfully call these functions when executed by ANALYZE within autovacuum. This could allow an attacker with valid but low-privilege database access to interfere with creation of routine backups. Reported and fixed by Noah Misch. Security: CVE-2013-1901 http://git.postgresql.org/pg/commitdiff/ce9ab88981495d975aade8fc664f99f68fc18e2b
• Avoid updating our PgBackendStatus entry when track_activities is off. The point of turning off track_activities is to avoid this reporting overhead, but a thinko in commit 4f42b546fd87a80be30c53a0f2c897acb826ad52 caused pgstat_report_activity() to perform half of its updates anyway. Fix that, and also make sure that we clear all the now-disabled fields when transitioning to the non-reporting state. http://git.postgresql.org/pg/commitdiff/f7b0006f42913b6d641c9f0bef6fad1f670b9194
• Fix typo in FDW docs. Laurenz Albe http://git.postgresql.org/pg/commitdiff/0f1345d38b4d7b35175d4f4be322da0aa6d6aaeb
• Minor robustness improvements for isolationtester. Notice and complain about PQcancel() failures. Also, don't dump core if an error PGresult doesn't contain severity and message subfields, as it might not if it was generated by libpq itself. (We have a longstanding TODO item to improve that, but in the meantime isolationtester had better cope.) I tripped across the latter item while investigating a trouble report on buildfarm member spoonbill. As for the former, there's no evidence that PQcancel failure is actually involved in spoonbill's problem, but it still seems like a bad idea to ignore an error return code. http://git.postgresql.org/pg/commitdiff/845d335a90b684dd51e80a6470ebb923a59a1f91
• Update release notes for 9.2.4, 9.1.9, 9.0.13, 8.4.17. Security: CVE-2013-1899, CVE-2013-1901 http://git.postgresql.org/pg/commitdiff/89b661bab99e8573fad271f68755ba286932dec2
• Fix insecure parsing of server command-line switches. An oversight in commit e710b65c1c56ca7b91f662c63d37ff2e72862a94 allowed database names beginning with "-" to be treated as though they were secure command-line switches; and this switch processing occurs before client authentication, so that even an unprivileged remote attacker could exploit the bug, needing only connectivity to the postmaster's port. Assorted exploits for this are possible, some requiring a valid database login, some not. The worst known problem is that the "-r" switch can be invoked to redirect the process's stderr output, so that subsequent error messages will be appended to any file the server can write. This can for example be used to corrupt the server's configuration files, so that it will fail when next restarted. Complete destruction of database tables is also possible. Fix by keeping the database name extracted from a startup packet fully separate from command-line switches, as had already been done with the user name field. The Postgres project thanks Mitsumasa Kondo for discovering this bug, Kyotaro Horiguchi for drafting the fix, and Noah Misch for recognizing the full extent of the danger. Security: CVE-2013-1899 http://git.postgresql.org/pg/commitdiff/17fe2793ea7fe269ed616cb305150b6cf38dbaa8
• Improve documentation about the relationship of extensions and schemas. There's been some confusion expressed about this point, so clarify. Extended version of a patch by David Wheeler. http://git.postgresql.org/pg/commitdiff/52f436b807b0d02203ea6be19bafa56e4e1381e8
• Fix line count in slashUsage(). Counting newlines shows that quite a few recent patches have neglected to update the output-lines count given to PageOutput(). Fortunately it's not terribly critical that this be exact, since we long since exceeded the height of most people's terminal windows. Still, maybe we ought to think of a way to not have to maintain this manually anymore. http://git.postgresql.org/pg/commitdiff/927e1dc96ce3eb4a618fd7b67f69eec72b56d850
• Add \watch [SEC] command to psql. This allows convenient re-execution of commands. Will Leinweber, reviewed by Peter Eisentraut, Daniel Farina, and Tom Lane http://git.postgresql.org/pg/commitdiff/c6a3fce7dd4dae6e1a005e5b09cdd7c1d7f9c4f4
• In isolationtester, retry after EINTR return from select(2). Per report from Jaime Casanova. Very curious that no one else has seen this failure ... but the code is clearly wrong as-is. http://git.postgresql.org/pg/commitdiff/faf4726c9fd5748ad25dbce55a7d31deeabe9866
• Get rid of USE_WIDE_UPPER_LOWER dependency in trigram construction. contrib/pg_trgm's make_trigrams() was coded to ignore multibyte character boundaries and just make trigrams from bytes if USE_WIDE_UPPER_LOWER wasn't defined. This is a bit odd, since there's no obvious reason why trigram compaction rules should depend on the presence of towlower() and friends. What's more, there was an Assert() that would fail if that code path was fed any multibyte characters. We need to do something about this since the pending regex-indexing patch has an assumption that you get just one "trgm" from any three characters. The best solution seems to be to remove the USE_WIDE_UPPER_LOWER dependency, which shouldn't really have been there in the first place. The second loop in make_trigrams() is now just a fast path and not a potentially incompatible algorithm. If there is anybody still using Postgres on machines without wcstombs() or towlower(), and they have non-ASCII data indexed by pg_trgm, they'll need to REINDEX those indexes after pg_upgrade to 9.3, else searches may fail incorrectly. It seems likely that there are no such installations, though. In passing, rename cnt_trigram to compact_trigram, which seems to better describe its functionality, and improve make_trigrams' test for whether it has to use the slow path or not (per a suggestion from Alexander Korotkov). http://git.postgresql.org/pg/commitdiff/7844608e54a3a2e3dee461b00fd6ef028a845d7c

Heikki Linnakangas a poussé :

• Calculate # of semaphores correctly with --disable-spinlocks. The old formula didn't take into account that each WAL sender process needs a spinlock. We had also already exceeded the fixed number of spinlocks reserved for misc purposes (10). Bump that to 30. Backpatch to 9.0, where WAL senders were introduced. If I counted correctly, 9.0 had exactly 10 predefined spinlocks, and 9.1 exceeded that, but bump the limit in 9.0 too because 10 is uncomfortably close to the edge. http://git.postgresql.org/pg/commitdiff/b8ed4cc9627de437e5eafdb81631a0d0f063abb3
• Fix crash on compiling a regular expression with more than 32k colors. Throw an error instead. Backpatch to all supported branches. http://git.postgresql.org/pg/commitdiff/bf2b0a147857f63daa2e5c17eed0169861371af8

Andrew Dunstan a poussé :

• Fix a few thinkos in the JSON functions docs. Dickson S. Guedes http://git.postgresql.org/pg/commitdiff/d7d5832012ae5174707643af1a450d26d3350719
• Fix off by one error in JSON extract path code. Bug report by David Wheeler, diagnosis assistance from Tom Lane. http://git.postgresql.org/pg/commitdiff/e75feb28341ea49e9d41266906e701a4e3742e2e

Bruce Momjian a poussé :

• psql: fix startup crash caused by PSQLRC containing a tilde. 'strdup' the PSQLRC environment variable value before calling a routine that might free() it. Backpatch to 9.2, where the bug first appeared. http://git.postgresql.org/pg/commitdiff/48a2cd370e2610f0a196240aed9f5abd82d3dada

Robert Haas a poussé :

• sepgsql: Enforce db_schema:search permission. KaiGai Kohei, with comment and doc wordsmithing by me http://git.postgresql.org/pg/commitdiff/e965e6344cfaff0708a032721b56f61eea777bc5

Simon Riggs a poussé :

• Fix checksums for CLUSTER, VACUUM FULL etc. In CLUSTER, VACUUM FULL and ALTER TABLE SET TABLESPACE I erroneously set checksum before log_newpage, which sets the LSN and invalidates the checksum. So set checksum immediately *after* log_newpage. Bug report Fujii Masao, Fix and patch by Jeff Davis http://git.postgresql.org/pg/commitdiff/cf8dc9e10c0d954970cbe5ca9be4c6b881cde482
• Tune BufferGetLSNAtomic() when checksums !enabled. From performance analysis by Heikki Linnakangas http://git.postgresql.org/pg/commitdiff/1be203519ac4da238bf6dfe8f7015d5780723e0f

Correctifs rejetés (à ce jour)

• No one was disappointed this week

Correctifs en attente

• Jeff Janes sent in another revision of a patch to add a --startup option to pgbench.
• Tom Lane sent in a patch to fix some mis-estimation of the costs of hash joins.
• Alexander Korotkov and Tom Lane, with contributions of performance numbers from Erik Rijkers, sent in more revisions of the patch to allow indexing DFA regexes.
• Jeff Janes sent in another revision of a patch to change the units of spinlock_delay to microseconds.
• Dimitri Fontaine sent in two more revisions of a patch to add extension templates.
• Andres Freund sent in a patch to add option for dumping full page writes to pg_dump.
• Michael Paquier sent in a patch to fix a typo in the documentation for JSON functions.
• Heikki Linnakangas sent in a patch to ensure that enough WAL segments are kept in situations where they might not have been.
• Heikki Linnakangas sent in a patch to prevent backend crashes with certain unusual regexes.
• Simon Riggs, Andres Freund and Jeff Davis traded patches to fix some corner cases in the page checksum code.
• Grzegorz Jaskiewicz and Robert Haas traded patches to remove some formatting dead code.
• Kevin Grittner sent in a patch to fix some scannability issues in materialized views.
• Jeff Janes sent in a patch to help ensure that the right WALs get saved.
• Jeff Janes sent in a patch to ensure that the process title of the autovacuum worker reflects what it's doing at the time.
• Tomas Vondra sent in a patch to implement pg_stat_agg_database.