Update release notes for security releases.

Security: CVE-2007-4769, CVE-2007-4772, CVE-2007-6067, CVE-2007-6600, CVE-2007-6601

doc/src/sgml/release.sgml

-<!-- $PostgreSQL: pgsql/doc/src/sgml/release.sgml,v 1.574 2008/01/01 19:41:14 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/release.sgml,v 1.575 2008/01/03 21:35:25 tgl Exp $ -->
 <!--
 
 Typical markup:
@@ -35,23 +35,22 @@ do it for earlier branch release files.
 <appendix id="release">
  <title>Release Notes</title>
 
- <sect1 id="release-introduction">
-  <title>Introduction</title>
-
   <para>
-   The release notes contain the significant changes in each PostgreSQL
-   release, with major features and migration issues often listed at the
-   top.  The release notes do not contain changes that affect only a few
-   users or changes that are internal and therefore not user-visible.  For
-   example, the optimizer is improved in almost every release, but the
-   improvements are usually observed by users as simply faster queries.
+   The release notes contain the significant changes in each
+   <productname>PostgreSQL</> release, with major features and migration
+   issues listed at the top.  The release notes do not contain changes
+   that affect only a few users or changes that are internal and therefore not
+   user-visible.  For example, the optimizer is improved in almost every
+   release, but the improvements are usually observed by users as simply
+   faster queries.
   </para>
 
   <para>
    A complete list of changes for each release can be obtained by
-   viewing the <link linkend="cvs">CVS</link> logs for each release.  The <ulink
-   url="http://archives.postgresql.org/pgsql-committers/">committers email
-   list</ulink> contains all source code changes as well.   There is also
+   viewing the <link linkend="cvs">CVS</link> logs for each release.
+   The <ulink
+   url="http://archives.postgresql.org/pgsql-committers/">pgsql-committers
+   email list</ulink> contains all source code changes as well.  There is also
    a <ulink url="http://developer.postgresql.org/cvsweb.cgi/pgsql/">web
    interface</ulink> that shows changes to specific files.
    <!-- we need a file containing the CVS logs for each release, and something
@@ -61,11 +60,9 @@ do it for earlier branch release files.
   <para>
    The name appearing next to each item represents the major developer for
    that item.  Of course all changes involve community discussion and patch
-   review so each item is truly a community effort.
+   review, so each item is truly a community effort.
   </para>
 
- </sect1>
-
  <sect1 id="release-8-3">
   <title>Release 8.3</title>
 
@@ -2070,7 +2067,7 @@ current_date &lt; 2017-11-17
 
      <listitem>
       <para>
-       Remove <literal>-u</> option (this option has long been depricated)
+       Remove <literal>-u</> option (this option has long been deprecated)
        (Tom)
       </para>
      </listitem>
@@ -2125,7 +2122,7 @@ current_date &lt; 2017-11-17
 
      <listitem>
       <para>
-       Remove <literal>-u</> option (this option has long been depricated)
+       Remove <literal>-u</> option (this option has long been deprecated)
        (Tom)
       </para>
      </listitem>
@@ -2542,7 +2539,7 @@ current_date &lt; 2017-11-17
      <listitem>
       <para>
        Add documentation about preventing database server spoofing when
-       the server is down (Bruce
+       the server is down (Bruce)
       </para>
      </listitem>
 
@@ -2672,6 +2669,295 @@ current_date &lt; 2017-11-17
   </sect2>
  </sect1>
 
+ <sect1 id="release-8-2-6">
+  <title>Release 8.2.6</title>
+
+  <note>
+  <title>Release date</title>
+  <simpara>2008-01-07</simpara>
+  </note>
+
+  <para>
+   This release contains a variety of fixes from 8.2.5,
+   including fixes for significant security issues.
+  </para>
+
+  <sect2>
+   <title>Migration to Version 8.2.6</title>
+
+   <para>
+    A dump/restore is not required for those running 8.2.X.
+   </para>
+
+  </sect2>
+
+  <sect2>
+   <title>Changes</title>
+
+   <itemizedlist>
+
+    <listitem>
+     <para>
+      Prevent functions in indexes from executing with the privileges of
+      the user running <command>VACUUM</>, <command>ANALYZE</>, etc (Tom)
+     </para>
+
+     <para>
+      Functions used in index expressions and partial-index
+      predicates are evaluated whenever a new table entry is made.  It has
+      long been understood that this poses a risk of trojan-horse code
+      execution if one modifies a table owned by an untrustworthy user.
+      (Note that triggers, defaults, check constraints, etc. pose the
+      same type of risk.)  But functions in indexes pose extra danger
+      because they will be executed by routine maintenance operations
+      such as <command>VACUUM FULL</>, which are commonly performed
+      automatically under a superuser account.  For example, a nefarious user
+      can execute code with superuser privileges by setting up a
+      trojan-horse index definition and waiting for the next routine vacuum.
+      The fix arranges for standard maintenance operations
+      (including <command>VACUUM</>, <command>ANALYZE</>, <command>REINDEX</>,
+      and <command>CLUSTER</>) to execute as the table owner rather than
+      the calling user, using the same privilege-switching mechanism already
+      used for <literal>SECURITY DEFINER</> functions.  To prevent bypassing
+      this security measure, execution of <command>SET SESSION
+      AUTHORIZATION</> and <command>SET ROLE</> is now forbidden within a
+      <literal>SECURITY DEFINER</> context.  (CVE-2007-6600)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Repair assorted bugs in the regular-expression package (Tom, Will Drewry)
+     </para>
+
+     <para>
+      Suitably crafted regular-expression patterns could cause crashes,
+      infinite or near-infinite looping, and/or massive memory consumption,
+      all of which pose denial-of-service hazards for applications that
+      accept regex search patterns from untrustworthy sources.
+      (CVE-2007-4769, CVE-2007-4772, CVE-2007-6067)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Require non-superusers who use <filename>/contrib/dblink</> to use only
+      password authentication, as a security measure (Joe)
+     </para>
+
+     <para>
+      The fix that appeared for this in 8.2.5 was incomplete, as it plugged
+      the hole for only some <filename>dblink</> functions.  (CVE-2007-6601,
+      CVE-2007-3278)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix bugs in WAL replay for GIN indexes (Teodor)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix GIN index build to work properly when
+      <varname>maintenance_work_mem</> is 4GB or more (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Update time zone data files to <application>tzdata</> release 2007k
+      (in particular, recent Argentina changes) (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Improve planner's handling of LIKE/regex estimation in non-C locales
+      (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix planning-speed problem for deep outer-join nests, as well as
+      possible poor choice of join order (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix planner failure in some cases of <literal>WHERE false AND var IN
+      (SELECT ...)</> (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Make <command>CREATE TABLE ... SERIAL</> and
+      <command>ALTER SEQUENCE ... OWNED BY</> not change the
+      <function>currval()</> state of the sequence (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Preserve the tablespace and storage parameters of indexes that are
+      rebuilt by <command>ALTER TABLE ... ALTER COLUMN TYPE</> (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Make archive recovery always start a new WAL timeline, rather than only
+      when a recovery stop time was used (Simon)
+     </para>
+
+     <para>
+      This avoids a corner-case risk of trying to overwrite an existing
+      archived copy of the last WAL segment, and seems simpler and cleaner
+      than the original definition.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Make <command>VACUUM</> not use all of <varname>maintenance_work_mem</>
+      when the table is too small for it to be useful (Alvaro)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix potential crash in <function>translate()</> when using a multibyte
+      database encoding (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Make <function>corr()</> return the correct result for negative
+      correlation values (Neil)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix overflow in <literal>extract(epoch from interval)</> for intervals
+      exceeding 68 years (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix PL/Perl to not fail when a UTF-8 regular expression is used
+      in a trusted function (Andrew)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix PL/Perl to cope when platform's Perl defines type <literal>bool</>
+      as <literal>int</> rather than <literal>char</> (Tom)
+     </para>
+
+     <para>
+      While this could theoretically happen anywhere, no standard build of
+      Perl did things this way ... until <productname>Mac OS X</> 10.5.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix PL/Python to work correctly with Python 2.5 on 64-bit machines
+      (Marko Kreen)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix PL/Python to not crash on long exception messages (Alvaro)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_dump</> to correctly handle inheritance child tables
+      that have default expressions different from their parent's (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>libpq</> crash when <varname>PGPASSFILE</> refers
+      to a file that is not a plain file (Martin Pitt)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      <application>ecpg</> parser fixes (Michael)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Make <filename>contrib/pgcrypto</> defend against
+      <application>OpenSSL</> libraries that fail on keys longer than 128
+      bits; which is the case at least on some Solaris versions (Marko Kreen)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Make <filename>contrib/tablefunc</>'s <function>crosstab()</> handle
+      NULL rowid as a category in its own right, rather than crashing (Joe)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <type>tsvector</> and <type>tsquery</> output routines to
+      escape backslashes correctly (Teodor, Bruce)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix crash of <function>to_tsvector()</> on huge input strings (Teodor)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Require a specific version of <productname>Autoconf</> to be used
+      when re-generating the <command>configure</> script (Peter)
+     </para>
+
+     <para>
+      This affects developers and packagers only.  The change was made
+      to prevent accidental use of untested combinations of
+      <productname>Autoconf</> and <productname>PostgreSQL</> versions.
+      You can remove the version check if you really want to use a
+      different <productname>Autoconf</> version, but it's
+      your responsibility whether the result works or not.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Update <function>gettimeofday</> configuration check so that
+      <productname>PostgreSQL</> can be built on newer versions of
+      <productname>MinGW</> (Magnus)
+     </para>
+    </listitem>
+
+   </itemizedlist>
+
+  </sect2>
+ </sect1>
+
  <sect1 id="release-8-2-5">
   <title>Release 8.2.5</title>
 
@@ -5880,20 +6166,30 @@ current_date &lt; 2017-11-17
   </sect2>
  </sect1>
 
- <sect1 id="release-8-1-10">
-  <title>Release 8.1.10</title>
+ <sect1 id="release-8-1-11">
+  <title>Release 8.1.11</title>
 
   <note>
   <title>Release date</title>
-  <simpara>2007-09-17</simpara>
+  <simpara>2008-01-07</simpara>
   </note>
 
   <para>
-   This release contains a variety of fixes from 8.1.9.
+   This release contains a variety of fixes from 8.1.10,
+   including fixes for significant security issues.
+  </para>
+
+  <para>
+   This is the last 8.1.X release for which the <productname>PostgreSQL</>
+   community will produce binary packages for <productname>Windows</>.
+   Windows users are encouraged to move to 8.2.X or later,
+   since there are Windows-specific fixes in 8.2.X that
+   are impractical to back-port.  8.1.X will continue to
+   be supported on other platforms.
   </para>
 
   <sect2>
-   <title>Migration to Version 8.1.10</title>
+   <title>Migration to Version 8.1.11</title>
 
    <para>
     A dump/restore is not required for those running 8.1.X.
@@ -5910,106 +6206,346 @@ current_date &lt; 2017-11-17
 
     <listitem>
      <para>
-      Prevent index corruption when a transaction inserts rows and
-      then aborts close to the end of a concurrent <command>VACUUM</>
-      on the same table (Tom)
+      Prevent functions in indexes from executing with the privileges of
+      the user running <command>VACUUM</>, <command>ANALYZE</>, etc (Tom)
      </para>
-    </listitem>
 
-    <listitem>
      <para>
-      Make <command>CREATE DOMAIN ... DEFAULT NULL</> work properly (Tom)
+      Functions used in index expressions and partial-index
+      predicates are evaluated whenever a new table entry is made.  It has
+      long been understood that this poses a risk of trojan-horse code
+      execution if one modifies a table owned by an untrustworthy user.
+      (Note that triggers, defaults, check constraints, etc. pose the
+      same type of risk.)  But functions in indexes pose extra danger
+      because they will be executed by routine maintenance operations
+      such as <command>VACUUM FULL</>, which are commonly performed
+      automatically under a superuser account.  For example, a nefarious user
+      can execute code with superuser privileges by setting up a
+      trojan-horse index definition and waiting for the next routine vacuum.
+      The fix arranges for standard maintenance operations
+      (including <command>VACUUM</>, <command>ANALYZE</>, <command>REINDEX</>,
+      and <command>CLUSTER</>) to execute as the table owner rather than
+      the calling user, using the same privilege-switching mechanism already
+      used for <literal>SECURITY DEFINER</> functions.  To prevent bypassing
+      this security measure, execution of <command>SET SESSION
+      AUTHORIZATION</> and <command>SET ROLE</> is now forbidden within a
+      <literal>SECURITY DEFINER</> context.  (CVE-2007-6600)
      </para>
     </listitem>
 
     <listitem>
      <para>
-      Allow the <type>interval</> data type to accept input consisting only of
-      milliseconds or microseconds (Neil)
+      Repair assorted bugs in the regular-expression package (Tom, Will Drewry)
+     </para>
+
+     <para>
+      Suitably crafted regular-expression patterns could cause crashes,
+      infinite or near-infinite looping, and/or massive memory consumption,
+      all of which pose denial-of-service hazards for applications that
+      accept regex search patterns from untrustworthy sources.
+      (CVE-2007-4769, CVE-2007-4772, CVE-2007-6067)
      </para>
     </listitem>
 
     <listitem>
      <para>
-      Speed up rtree index insertion (Teodor)
+      Require non-superusers who use <filename>/contrib/dblink</> to use only
+      password authentication, as a security measure (Joe)
+     </para>
+
+     <para>
+      The fix that appeared for this in 8.1.10 was incomplete, as it plugged
+      the hole for only some <filename>dblink</> functions.  (CVE-2007-6601,
+      CVE-2007-3278)
      </para>
     </listitem>
 
     <listitem>
      <para>
-      Fix excessive logging of <acronym>SSL</> error messages (Tom)
+      Update time zone data files to <application>tzdata</> release 2007k
+      (in particular, recent Argentina changes) (Tom)
      </para>
     </listitem>
 
     <listitem>
      <para>
-      Fix logging so that log messages are never interleaved when using
-      the syslogger process (Andrew)
+      Improve planner's handling of LIKE/regex estimation in non-C locales
+      (Tom)
      </para>
     </listitem>
 
     <listitem>
      <para>
-      Fix crash when <varname>log_min_error_statement</> logging runs out
-      of memory (Tom)
+      Fix planner failure in some cases of <literal>WHERE false AND var IN
+      (SELECT ...)</> (Tom)
      </para>
     </listitem>
 
     <listitem>
      <para>
-      Fix incorrect handling of some foreign-key corner cases (Tom)
+      Preserve the tablespace of indexes that are
+      rebuilt by <command>ALTER TABLE ... ALTER COLUMN TYPE</> (Tom)
      </para>
     </listitem>
 
     <listitem>
      <para>
-      Prevent <command>REINDEX</> and <command>CLUSTER</> from failing
-      due to attempting to process temporary tables of other sessions (Alvaro)
+      Make archive recovery always start a new WAL timeline, rather than only
+      when a recovery stop time was used (Simon)
+     </para>
+
+     <para>
+      This avoids a corner-case risk of trying to overwrite an existing
+      archived copy of the last WAL segment, and seems simpler and cleaner
+      than the original definition.
      </para>
     </listitem>
 
     <listitem>
      <para>
-      Update the time zone database rules, particularly New Zealand's upcoming changes (Tom)
+      Make <command>VACUUM</> not use all of <varname>maintenance_work_mem</>
+      when the table is too small for it to be useful (Alvaro)
      </para>
     </listitem>
 
     <listitem>
      <para>
-      Windows socket improvements (Magnus)
+      Fix potential crash in <function>translate()</> when using a multibyte
+      database encoding (Tom)
      </para>
     </listitem>
 
     <listitem>
      <para>
-      Suppress timezone name (<literal>%Z</>) in log timestamps on Windows
-      because of possible encoding mismatches (Tom)
+      Fix overflow in <literal>extract(epoch from interval)</> for intervals
+      exceeding 68 years (Tom)
      </para>
     </listitem>
 
     <listitem>
      <para>
-      Require non-superusers who use <filename>/contrib/dblink</> to use only
-      password authentication, as a security measure (Joe)
+      Fix PL/Perl to not fail when a UTF-8 regular expression is used
+      in a trusted function (Andrew)
      </para>
     </listitem>
 
-   </itemizedlist>
-
-  </sect2>
- </sect1>
-
- <sect1 id="release-8-1-9">
-  <title>Release 8.1.9</title>
-
-  <note>
-  <title>Release date</title>
-  <simpara>2007-04-23</simpara>
-  </note>
+    <listitem>
+     <para>
+      Fix PL/Perl to cope when platform's Perl defines type <literal>bool</>
+      as <literal>int</> rather than <literal>char</> (Tom)
+     </para>
 
      <para>
-   This release contains a variety of fixes from 8.1.8,
-   including a security fix.
+      While this could theoretically happen anywhere, no standard build of
+      Perl did things this way ... until <productname>Mac OS X</> 10.5.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix PL/Python to not crash on long exception messages (Alvaro)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>pg_dump</> to correctly handle inheritance child tables
+      that have default expressions different from their parent's (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <application>libpq</> crash when <varname>PGPASSFILE</> refers
+      to a file that is not a plain file (Martin Pitt)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      <application>ecpg</> parser fixes (Michael)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Make <filename>contrib/pgcrypto</> defend against
+      <application>OpenSSL</> libraries that fail on keys longer than 128
+      bits; which is the case at least on some Solaris versions (Marko Kreen)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Make <filename>contrib/tablefunc</>'s <function>crosstab()</> handle
+      NULL rowid as a category in its own right, rather than crashing (Joe)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <type>tsvector</> and <type>tsquery</> output routines to
+      escape backslashes correctly (Teodor, Bruce)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix crash of <function>to_tsvector()</> on huge input strings (Teodor)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Require a specific version of <productname>Autoconf</> to be used
+      when re-generating the <command>configure</> script (Peter)
+     </para>
+
+     <para>
+      This affects developers and packagers only.  The change was made
+      to prevent accidental use of untested combinations of
+      <productname>Autoconf</> and <productname>PostgreSQL</> versions.
+      You can remove the version check if you really want to use a
+      different <productname>Autoconf</> version, but it's
+      your responsibility whether the result works or not.
+     </para>
+    </listitem>
+
+   </itemizedlist>
+
+  </sect2>
+ </sect1>
+
+ <sect1 id="release-8-1-10">
+  <title>Release 8.1.10</title>
+
+  <note>
+  <title>Release date</title>
+  <simpara>2007-09-17</simpara>
+  </note>
+
+  <para>
+   This release contains a variety of fixes from 8.1.9.
+  </para>
+
+  <sect2>
+   <title>Migration to Version 8.1.10</title>
+
+   <para>
+    A dump/restore is not required for those running 8.1.X.
+    However, if you are upgrading from a version earlier than 8.1.2,
+    see the release notes for 8.1.2.
+   </para>
+
+  </sect2>
+
+  <sect2>
+   <title>Changes</title>
+
+   <itemizedlist>
+
+    <listitem>
+     <para>
+      Prevent index corruption when a transaction inserts rows and
+      then aborts close to the end of a concurrent <command>VACUUM</>
+      on the same table (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Make <command>CREATE DOMAIN ... DEFAULT NULL</> work properly (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Allow the <type>interval</> data type to accept input consisting only of
+      milliseconds or microseconds (Neil)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Speed up rtree index insertion (Teodor)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix excessive logging of <acronym>SSL</> error messages (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix logging so that log messages are never interleaved when using
+      the syslogger process (Andrew)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix crash when <varname>log_min_error_statement</> logging runs out
+      of memory (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix incorrect handling of some foreign-key corner cases (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Prevent <command>REINDEX</> and <command>CLUSTER</> from failing
+      due to attempting to process temporary tables of other sessions (Alvaro)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Update the time zone database rules, particularly New Zealand's upcoming changes (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Windows socket improvements (Magnus)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Suppress timezone name (<literal>%Z</>) in log timestamps on Windows
+      because of possible encoding mismatches (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Require non-superusers who use <filename>/contrib/dblink</> to use only
+      password authentication, as a security measure (Joe)
+     </para>
+    </listitem>
+
+   </itemizedlist>
+
+  </sect2>
+ </sect1>
+
+ <sect1 id="release-8-1-9">
+  <title>Release 8.1.9</title>
+
+  <note>
+  <title>Release date</title>
+  <simpara>2007-04-23</simpara>
+  </note>
+
+  <para>
+   This release contains a variety of fixes from 8.1.8,
+   including a security fix.
   </para>
 
   <sect2>
@@ -8870,168 +9406,382 @@ psql -t -f fixseq.sql db1 | psql -e db1
       </para>
      </listitem>
 
-     <listitem>
+     <listitem>
+      <para>
+       Allow <application>libpq</application> to be built thread-safe
+       on Windows (Dave Page)
+      </para>
+     </listitem>
+
+     <listitem>
+      <para>
+       Allow IPv6 connections to be used on Windows (Andrew)
+      </para>
+     </listitem>
+
+     <listitem>
+      <para>
+       Add Server Administration documentation about I/O subsystem
+       reliability (Bruce)
+      </para>
+     </listitem>
+
+     <listitem>
+      <para>
+       Move private declarations from <filename>gist.h</filename> to
+       <filename>gist_private.h</filename> (Neil)
+      </para>
+
+      <para>
+       In previous releases, <filename>gist.h</> contained both the
+       public GiST API (intended for use by authors of GiST index
+       implementations) as well as some private declarations used by
+       the implementation of GiST itself. The latter have been moved
+       to a separate file, <filename>gist_private.h</>. Most GiST
+       index implementations should be unaffected.
+      </para>
+     </listitem>
+
+     <listitem>
+      <para>
+       Overhaul GiST memory management (Neil)
+      </para>
+
+      <para>
+       GiST methods are now always invoked in a short-lived memory
+       context. Therefore, memory allocated via <function>palloc()</>
+       will be reclaimed automatically, so GiST index implementations
+       do not need to manually release allocated memory via
+       <function>pfree()</>.
+      </para>
+     </listitem>
+    </itemizedlist>
+   </sect3>
+
+
+   <sect3>
+    <title>Contrib Changes</title>
+    <itemizedlist>
+
+     <listitem>
+      <para>
+       Add <filename>/contrib/pg_buffercache</> contrib module (Mark
+       Kirkwood)
+      </para>
+      <para>
+       This displays the contents of the buffer cache, for debugging and
+       performance tuning purposes.
+      </para>
+     </listitem>
+
+     <listitem>
+      <para>
+       Remove <filename>/contrib/array</> because it is obsolete (Tom)
+      </para>
+     </listitem>
+
+     <listitem>
+      <para>
+       Clean up the <filename>/contrib/lo</> module (Tom)
+      </para>
+     </listitem>
+
+     <listitem>
+      <para>
+       Move <filename>/contrib/findoidjoins</> to
+       <filename>/src/tools</> (Tom)
+      </para>
+     </listitem>
+
+     <listitem>
+      <para>
+       Remove the <literal>&lt;&lt;</>, <literal>&gt;&gt;</>,
+       <literal>&amp;&lt;</>, and <literal>&amp;&gt;</> operators from
+       <filename>/contrib/cube</>
+      </para>
+      <para>
+       These operators were not useful.
+      </para>
+     </listitem>
+
+     <listitem>
+      <para>
+       Improve <filename>/contrib/btree_gist</> (Janko Richter)
+      </para>
+     </listitem>
+
+     <listitem>
+      <para>
+       Improve <filename>/contrib/pgbench</> (Tomoaki Sato, Tatsuo)
+      </para>
+      <para>
+       There is now a facility for testing with SQL command scripts given
+       by the user, instead of only a hard-wired command sequence.
+      </para>
+     </listitem>
+
+     <listitem>
+      <para>
+       Improve <filename>/contrib/pgcrypto</> (Marko Kreen)
+      </para>
+
+      <itemizedlist>
+
+       <listitem>
+        <para>
+         Implementation of OpenPGP symmetric-key and public-key encryption
+        </para>
+        <para>
+         Both RSA and Elgamal public-key algorithms are supported.
+        </para>
+       </listitem>
+
+       <listitem>
+        <para>
+         Stand alone build: include SHA256/384/512 hashes, Fortuna PRNG
+        </para>
+       </listitem>
+
+       <listitem>
+        <para>
+         OpenSSL build: support 3DES, use internal AES with OpenSSL &lt; 0.9.7
+        </para>
+       </listitem>
+
+       <listitem>
+        <para>
+         Take build parameters (OpenSSL, zlib) from <filename>configure</> result
+        </para>
+        <para>
+         There is no need to edit the <filename>Makefile</> anymore.
+        </para>
+       </listitem>
+
+       <listitem>
+        <para>
+         Remove support for <filename>libmhash</> and <filename>libmcrypt</>
+        </para>
+       </listitem>
+
+      </itemizedlist>
+     </listitem>
+
+    </itemizedlist>
+   </sect3>
+
+  </sect2>
+ </sect1>
+
+ <sect1 id="release-8-0-15">
+  <title>Release 8.0.15</title>
+
+  <note>
+  <title>Release date</title>
+  <simpara>2008-01-07</simpara>
+  </note>
+
   <para>
-       Allow <application>libpq</application> to be built thread-safe
-       on Windows (Dave Page)
+   This release contains a variety of fixes from 8.0.14,
+   including fixes for significant security issues.
   </para>
-     </listitem>
 
-     <listitem>
   <para>
-       Allow IPv6 connections to be used on Windows (Andrew)
+   This is the last 8.0.X release for which the <productname>PostgreSQL</>
+   community will produce binary packages for <productname>Windows</>.
+   Windows users are encouraged to move to 8.2.X or later,
+   since there are Windows-specific fixes in 8.2.X that
+   are impractical to back-port.  8.0.X will continue to
+   be supported on other platforms.
   </para>
-     </listitem>
 
-     <listitem>
+  <sect2>
+   <title>Migration to Version 8.0.15</title>
+
    <para>
-       Add Server Administration documentation about I/O subsystem
-       reliability (Bruce)
+    A dump/restore is not required for those running 8.0.X.  However,
+    if you are upgrading from a version earlier than 8.0.6, see the release
+    notes for 8.0.6.
    </para>
-     </listitem>
+
+  </sect2>
+
+  <sect2>
+   <title>Changes</title>
+
+   <itemizedlist>
 
     <listitem>
      <para>
-       Move private declarations from <filename>gist.h</filename> to
-       <filename>gist_private.h</filename> (Neil)
+      Prevent functions in indexes from executing with the privileges of
+      the user running <command>VACUUM</>, <command>ANALYZE</>, etc (Tom)
      </para>
 
      <para>
-       In previous releases, <filename>gist.h</> contained both the
-       public GiST API (intended for use by authors of GiST index
-       implementations) as well as some private declarations used by
-       the implementation of GiST itself. The latter have been moved
-       to a separate file, <filename>gist_private.h</>. Most GiST
-       index implementations should be unaffected.
+      Functions used in index expressions and partial-index
+      predicates are evaluated whenever a new table entry is made.  It has
+      long been understood that this poses a risk of trojan-horse code
+      execution if one modifies a table owned by an untrustworthy user.
+      (Note that triggers, defaults, check constraints, etc. pose the
+      same type of risk.)  But functions in indexes pose extra danger
+      because they will be executed by routine maintenance operations
+      such as <command>VACUUM FULL</>, which are commonly performed
+      automatically under a superuser account.  For example, a nefarious user
+      can execute code with superuser privileges by setting up a
+      trojan-horse index definition and waiting for the next routine vacuum.
+      The fix arranges for standard maintenance operations
+      (including <command>VACUUM</>, <command>ANALYZE</>, <command>REINDEX</>,
+      and <command>CLUSTER</>) to execute as the table owner rather than
+      the calling user, using the same privilege-switching mechanism already
+      used for <literal>SECURITY DEFINER</> functions.  To prevent bypassing
+      this security measure, execution of <command>SET SESSION
+      AUTHORIZATION</> and <command>SET ROLE</> is now forbidden within a
+      <literal>SECURITY DEFINER</> context.  (CVE-2007-6600)
      </para>
     </listitem>
 
     <listitem>
      <para>
-       Overhaul GiST memory management (Neil)
+      Repair assorted bugs in the regular-expression package (Tom, Will Drewry)
      </para>
 
      <para>
-       GiST methods are now always invoked in a short-lived memory
-       context. Therefore, memory allocated via <function>palloc()</>
-       will be reclaimed automatically, so GiST index implementations
-       do not need to manually release allocated memory via
-       <function>pfree()</>.
+      Suitably crafted regular-expression patterns could cause crashes,
+      infinite or near-infinite looping, and/or massive memory consumption,
+      all of which pose denial-of-service hazards for applications that
+      accept regex search patterns from untrustworthy sources.
+      (CVE-2007-4769, CVE-2007-4772, CVE-2007-6067)
      </para>
     </listitem>
-    </itemizedlist>
-   </sect3>
-
-
-   <sect3>
-    <title>Contrib Changes</title>
-    <itemizedlist>
 
     <listitem>
      <para>
-       Add <filename>/contrib/pg_buffercache</> contrib module (Mark
-       Kirkwood)
+      Require non-superusers who use <filename>/contrib/dblink</> to use only
+      password authentication, as a security measure (Joe)
      </para>
+
      <para>
-       This displays the contents of the buffer cache, for debugging and
-       performance tuning purposes.
+      The fix that appeared for this in 8.0.14 was incomplete, as it plugged
+      the hole for only some <filename>dblink</> functions.  (CVE-2007-6601,
+      CVE-2007-3278)
      </para>
     </listitem>
 
     <listitem>
      <para>
-       Remove <filename>/contrib/array</> because it is obsolete (Tom)
+      Update time zone data files to <application>tzdata</> release 2007k
+      (in particular, recent Argentina changes) (Tom)
      </para>
     </listitem>
 
     <listitem>
      <para>
-       Clean up the <filename>/contrib/lo</> module (Tom)
+      Fix planner failure in some cases of <literal>WHERE false AND var IN
+      (SELECT ...)</> (Tom)
      </para>
     </listitem>
 
     <listitem>
      <para>
-       Move <filename>/contrib/findoidjoins</> to
-       <filename>/src/tools</> (Tom)
+      Preserve the tablespace of indexes that are
+      rebuilt by <command>ALTER TABLE ... ALTER COLUMN TYPE</> (Tom)
      </para>
     </listitem>
 
     <listitem>
      <para>
-       Remove the <literal>&lt;&lt;</>, <literal>&gt;&gt;</>,
-       <literal>&amp;&lt;</>, and <literal>&amp;&gt;</> operators from
-       <filename>/contrib/cube</>
+      Make archive recovery always start a new WAL timeline, rather than only
+      when a recovery stop time was used (Simon)
      </para>
+
      <para>
-       These operators were not useful.
+      This avoids a corner-case risk of trying to overwrite an existing
+      archived copy of the last WAL segment, and seems simpler and cleaner
+      than the original definition.
      </para>
     </listitem>
 
     <listitem>
      <para>
-       Improve <filename>/contrib/btree_gist</> (Janko Richter)
+      Make <command>VACUUM</> not use all of <varname>maintenance_work_mem</>
+      when the table is too small for it to be useful (Alvaro)
      </para>
     </listitem>
 
     <listitem>
      <para>
-       Improve <filename>/contrib/pgbench</> (Tomoaki Sato, Tatsuo)
-      </para>
-      <para>
-       There is now a facility for testing with SQL command scripts given
-       by the user, instead of only a hard-wired command sequence.
+      Fix potential crash in <function>translate()</> when using a multibyte
+      database encoding (Tom)
      </para>
     </listitem>
 
     <listitem>
      <para>
-       Improve <filename>/contrib/pgcrypto</> (Marko Kreen)
+      Fix PL/Perl to cope when platform's Perl defines type <literal>bool</>
+      as <literal>int</> rather than <literal>char</> (Tom)
      </para>
 
-      <itemizedlist>
+     <para>
+      While this could theoretically happen anywhere, no standard build of
+      Perl did things this way ... until <productname>Mac OS X</> 10.5.
+     </para>
+    </listitem>
 
     <listitem>
      <para>
-         Implementation of OpenPGP symmetric-key and public-key encryption
+      Fix PL/Python to not crash on long exception messages (Alvaro)
      </para>
+    </listitem>
+
+    <listitem>
      <para>
-         Both RSA and Elgamal public-key algorithms are supported.
+      Fix <application>pg_dump</> to correctly handle inheritance child tables
+      that have default expressions different from their parent's (Tom)
      </para>
     </listitem>
 
     <listitem>
      <para>
-         Stand alone build: include SHA256/384/512 hashes, Fortuna PRNG
+      <application>ecpg</> parser fixes (Michael)
      </para>
     </listitem>
 
     <listitem>
      <para>
-         OpenSSL build: support 3DES, use internal AES with OpenSSL &lt; 0.9.7
+      Make <filename>contrib/tablefunc</>'s <function>crosstab()</> handle
+      NULL rowid as a category in its own right, rather than crashing (Joe)
      </para>
     </listitem>
 
     <listitem>
      <para>
-         Take build parameters (OpenSSL, zlib) from <filename>configure</> result
+      Fix <type>tsvector</> and <type>tsquery</> output routines to
+      escape backslashes correctly (Teodor, Bruce)
      </para>
+    </listitem>
+
+    <listitem>
      <para>
-         There is no need to edit the <filename>Makefile</> anymore.
+      Fix crash of <function>to_tsvector()</> on huge input strings (Teodor)
      </para>
     </listitem>
 
     <listitem>
      <para>
-         Remove support for <filename>libmhash</> and <filename>libmcrypt</>
+      Require a specific version of <productname>Autoconf</> to be used
+      when re-generating the <command>configure</> script (Peter)
      </para>
-       </listitem>
 
-      </itemizedlist>
+     <para>
+      This affects developers and packagers only.  The change was made
+      to prevent accidental use of untested combinations of
+      <productname>Autoconf</> and <productname>PostgreSQL</> versions.
+      You can remove the version check if you really want to use a
+      different <productname>Autoconf</> version, but it's
+      your responsibility whether the result works or not.
+     </para>
     </listitem>
 
    </itemizedlist>
-   </sect3>
 
   </sect2>
  </sect1>
@@ -12649,6 +13399,158 @@ typedefs (Michael)</para></listitem>
   </sect2>
  </sect1>
 
+ <sect1 id="release-7-4-19">
+  <title>Release 7.4.19</title>
+
+  <note>
+  <title>Release date</title>
+  <simpara>2008-01-07</simpara>
+  </note>
+
+  <para>
+   This release contains a variety of fixes from 7.4.18,
+   including fixes for significant security issues.
+  </para>
+
+  <sect2>
+   <title>Migration to Version 7.4.19</title>
+
+   <para>
+    A dump/restore is not required for those running 7.4.X.  However,
+    if you are upgrading from a version earlier than 7.4.11, see the release
+    notes for 7.4.11.
+   </para>
+
+  </sect2>
+
+  <sect2>
+   <title>Changes</title>
+
+   <itemizedlist>
+
+    <listitem>
+     <para>
+      Prevent functions in indexes from executing with the privileges of
+      the user running <command>VACUUM</>, <command>ANALYZE</>, etc (Tom)
+     </para>
+
+     <para>
+      Functions used in index expressions and partial-index
+      predicates are evaluated whenever a new table entry is made.  It has
+      long been understood that this poses a risk of trojan-horse code
+      execution if one modifies a table owned by an untrustworthy user.
+      (Note that triggers, defaults, check constraints, etc. pose the
+      same type of risk.)  But functions in indexes pose extra danger
+      because they will be executed by routine maintenance operations
+      such as <command>VACUUM FULL</>, which are commonly performed
+      automatically under a superuser account.  For example, a nefarious user
+      can execute code with superuser privileges by setting up a
+      trojan-horse index definition and waiting for the next routine vacuum.
+      The fix arranges for standard maintenance operations
+      (including <command>VACUUM</>, <command>ANALYZE</>, <command>REINDEX</>,
+      and <command>CLUSTER</>) to execute as the table owner rather than
+      the calling user, using the same privilege-switching mechanism already
+      used for <literal>SECURITY DEFINER</> functions.  To prevent bypassing
+      this security measure, execution of <command>SET SESSION
+      AUTHORIZATION</> and <command>SET ROLE</> is now forbidden within a
+      <literal>SECURITY DEFINER</> context.  (CVE-2007-6600)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Repair assorted bugs in the regular-expression package (Tom, Will Drewry)
+     </para>
+
+     <para>
+      Suitably crafted regular-expression patterns could cause crashes,
+      infinite or near-infinite looping, and/or massive memory consumption,
+      all of which pose denial-of-service hazards for applications that
+      accept regex search patterns from untrustworthy sources.
+      (CVE-2007-4769, CVE-2007-4772, CVE-2007-6067)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Require non-superusers who use <filename>/contrib/dblink</> to use only
+      password authentication, as a security measure (Joe)
+     </para>
+
+     <para>
+      The fix that appeared for this in 7.4.18 was incomplete, as it plugged
+      the hole for only some <filename>dblink</> functions.  (CVE-2007-6601,
+      CVE-2007-3278)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix planner failure in some cases of <literal>WHERE false AND var IN
+      (SELECT ...)</> (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix potential crash in <function>translate()</> when using a multibyte
+      database encoding (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix PL/Python to not crash on long exception messages (Alvaro)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      <application>ecpg</> parser fixes (Michael)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Make <filename>contrib/tablefunc</>'s <function>crosstab()</> handle
+      NULL rowid as a category in its own right, rather than crashing (Joe)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix <type>tsvector</> and <type>tsquery</> output routines to
+      escape backslashes correctly (Teodor, Bruce)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix crash of <function>to_tsvector()</> on huge input strings (Teodor)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Require a specific version of <productname>Autoconf</> to be used
+      when re-generating the <command>configure</> script (Peter)
+     </para>
+
+     <para>
+      This affects developers and packagers only.  The change was made
+      to prevent accidental use of untested combinations of
+      <productname>Autoconf</> and <productname>PostgreSQL</> versions.
+      You can remove the version check if you really want to use a
+      different <productname>Autoconf</> version, but it's
+      your responsibility whether the result works or not.
+     </para>
+    </listitem>
+
+   </itemizedlist>
+
+  </sect2>
+ </sect1>
+
  <sect1 id="release-7-4-18">
   <title>Release 7.4.18</title>
 
@@ -15907,6 +16809,118 @@ DROP SCHEMA information_schema CASCADE;
  </sect2>
 </sect1>
 
+ <sect1 id="release-7-3-21">
+  <title>Release 7.3.21</title>
+
+  <note>
+  <title>Release date</title>
+  <simpara>2008-01-07</simpara>
+  </note>
+
+  <para>
+   This release contains a variety of fixes from 7.3.20,
+   including fixes for significant security issues.
+  </para>
+
+  <para>
+   This is expected to be the last <productname>PostgreSQL</> release
+   in the 7.3.X series.  Users are encouraged to update to a newer
+   release branch soon.
+  </para>
+
+  <sect2>
+   <title>Migration to Version 7.3.21</title>
+
+   <para>
+    A dump/restore is not required for those running 7.3.X.  However,
+    if you are upgrading from a version earlier than 7.3.13, see the release
+    notes for 7.3.13.
+   </para>
+
+  </sect2>
+
+  <sect2>
+   <title>Changes</title>
+
+   <itemizedlist>
+
+    <listitem>
+     <para>
+      Prevent functions in indexes from executing with the privileges of
+      the user running <command>VACUUM</>, <command>ANALYZE</>, etc (Tom)
+     </para>
+
+     <para>
+      Functions used in index expressions and partial-index
+      predicates are evaluated whenever a new table entry is made.  It has
+      long been understood that this poses a risk of trojan-horse code
+      execution if one modifies a table owned by an untrustworthy user.
+      (Note that triggers, defaults, check constraints, etc. pose the
+      same type of risk.)  But functions in indexes pose extra danger
+      because they will be executed by routine maintenance operations
+      such as <command>VACUUM FULL</>, which are commonly performed
+      automatically under a superuser account.  For example, a nefarious user
+      can execute code with superuser privileges by setting up a
+      trojan-horse index definition and waiting for the next routine vacuum.
+      The fix arranges for standard maintenance operations
+      (including <command>VACUUM</>, <command>ANALYZE</>, <command>REINDEX</>,
+      and <command>CLUSTER</>) to execute as the table owner rather than
+      the calling user, using the same privilege-switching mechanism already
+      used for <literal>SECURITY DEFINER</> functions.  To prevent bypassing
+      this security measure, execution of <command>SET SESSION
+      AUTHORIZATION</> and <command>SET ROLE</> is now forbidden within a
+      <literal>SECURITY DEFINER</> context.  (CVE-2007-6600)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Require non-superusers who use <filename>/contrib/dblink</> to use only
+      password authentication, as a security measure (Joe)
+     </para>
+
+     <para>
+      The fix that appeared for this in 7.3.20 was incomplete, as it plugged
+      the hole for only some <filename>dblink</> functions.  (CVE-2007-6601,
+      CVE-2007-3278)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix potential crash in <function>translate()</> when using a multibyte
+      database encoding (Tom)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Make <filename>contrib/tablefunc</>'s <function>crosstab()</> handle
+      NULL rowid as a category in its own right, rather than crashing (Joe)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Require a specific version of <productname>Autoconf</> to be used
+      when re-generating the <command>configure</> script (Peter)
+     </para>
+
+     <para>
+      This affects developers and packagers only.  The change was made
+      to prevent accidental use of untested combinations of
+      <productname>Autoconf</> and <productname>PostgreSQL</> versions.
+      You can remove the version check if you really want to use a
+      different <productname>Autoconf</> version, but it's
+      your responsibility whether the result works or not.
+     </para>
+    </listitem>
+
+   </itemizedlist>
+
+  </sect2>
+ </sect1>
+
  <sect1 id="release-7-3-20">
   <title>Release 7.3.20</title>