Wednesday 16 December 2009

Kerberos support in PostgreSQL on Windows

We recently received a report of some automated security scanning software red-flagging the Kerberos DLLs that ship with the PostgreSQL installers for Windows. This blog post is an analysis of the impact of know vulnerabilities in Kerberos, and how they relate to PostgreSQL, and what we're doing about them.

PostgreSQL 8.3.x and 8.4.x

PostgreSQL 8.3 and 8.4 are built using Kerberos for Windows (KfW) 3.2.2 which is based on the Kerberos 1.6.3 package. This is the latest version of Kerberos for Windows that is currently available from MIT.

The vulnerabilities that were reported by the security scanning tool were:

CVE-2008-0062 and CVE-2008-0063. These are bugs in the KDC server which are exposed if Kerberos 4 is enabled on a v5 KDC. As we don't ship the KDC software with PostgreSQL, these bugs do not apply.

CVE-2008-0947 and CVE-2008-0948. These are bugs in kadmind, the Kerberos Administration Server. We don't ship this either, so like the previous bugs, these do not apply to PostgreSQL.

What the scanning tool didn't report, was a fifth vulnerability which does potentially affect PostgreSQL users:

CVE-2009-0846. This issue is described as: The asn1_decode_generaltime() function, which decodes DER encodings of the ASN.1 type "GeneralizedTime", can free an uninitialized pointer. This can cause a Kerberos application to crash, or, under theoretically possible but unlikely circumstances, execute arbitrary malicious code.

As mentioned above, we currently ship the latest version of Kerberos with PostgreSQL. As soon as MIT update the Kerberos for Windows package to include Kerberos 1.6.4 (which does not have this issue), we will update the PostgreSQL build servers.

PostgreSQL 8.2.x

PostgreSQL 8.2 is built using Kerberos for Windows (KfW) 2.6.5 which is based on the Kerberos 1.3.5 package. This is the most recent version of Kerberos for Windows v2.6.x that is available from MIT and is no longer being maintained.

This version of Kerberos is believed to be vulnerable to the issue noted above (CVE-2009-0846), as well as CVE-2005-1689, which describes a double-free bug in the krb5_recvauth function (but was not noted by the scanning tool that started this exercise)!

Updating Kerberos for Windows to version 3.2.2 in the PostgreSQL 8.2 distribution is the only way we can work around this issue, however, this is not as simple as it might sound as the distribution has changed in structure thus requiring modifications to the PostgreSQL installer to accommodate additional DLLs as well as any application installers that our users may have built around their libpq-based applications.

Because of the potential disruption to users and software developers for the sake of a feature used by such a small percentage of users, we have decided not to update the PostgreSQL 8.2 installer with the newer Kerberos packages but instead to recommend users of PostgreSQL 8.2 on Windows who wish to use Kerberos plan to upgrade their installations to PostgreSQL 8.3 or 8.4 as soon as possible.

Monday 7 December 2009

New PostgreSQL Committers

Just a few minutes ago I posted the announcement below, telling the world that we've added some new committers to the PostgreSQL project. The project is extremely conservative when it comes to the source code as we're completely paranoid about breaking anything, however some have argued that we're perhaps too careful in this regard, and that our conservatism may actually be a bottleneck to the project.

Whilst the actual act of committing a change certainly isn't a bottleneck (after all, how long does it take to type 'cvs commit -m "Cool new feature from Joe"'?), the real bottleneck is in the review process, part of which involves one of our committers taking ownership of each patch, and guiding it through the final stages of the process. As patches become more and more complex, that can take more and more time - for (an extreme) example, Heikki has been reviewing Simon's Hot Standby patch for over a year now, as they refine the design and get it to a state where its ready to be committed to the main source tree. Of course, once a patch is committed, that's not necessarily the end. The committers will also take care of any post-commit cleanup, or other problems that may become apparent with any change, such as portability issues which may be highlighted by the buildfarm.

By increasing the pool of committers, we hope to ease that problem, and speed up the final stages involved in getting changes into PostgreSQL - and as all the new committers are experts with the PostgreSQL source code and work consistently to very high standards we're absolutely certain that the project's high standards will be maintained.

On behalf of the core team, I'm pleased to announce that the PostgreSQL Project has expanded it's team of "committers", those people who are able to make direct changes to the PostgreSQL source code respository. As the project is extremely conservative about any changes made to the source code to minimise the risk of introducing any bugs, commit access is only given to contributors who have consistently shown they work to a very high standard and have shown commitment to the project.

The new committers are:

Robert Haas: Robert developed the website which is used to manage the process by which features are added to PostgreSQL. He has twice acted as commitfest manager, and submitted numerous patches such as join removal, auto-generation of headers & bki files and the TRUNCATE privilege.

Simon Riggs: Simon is well know for working on large enterprise features for PostgreSQL, including Point In Time Recovery and partitioning. Simon is currently working on allowing PITR slave servers to be used for read-only queries.

Greg Stark: Greg has worked on low-level features in PostgreSQL, including asynchronous pre-fetching of data and packed variable length data types. Greg was also responsible for the CREATE INDEX CONCURRENTLY feature.

ITAGAKI Takahiro: ITAGAKI-san has worked on countless patches for PostgreSQL, both fixing bugs and writing new features, recently including WHEN clauses for triggers, a buffer usage feature for EXPLAIN and a new implementation of VACUUM FULL.


Friday 4 December 2009

PostgreSQL Release Support Policy

We finally came up with a support lifecycle policy for PostgreSQL. The 'official' version can be found on the wiki.

It's pretty straightforward though, and reads as follows:

The PostgreSQL project aims to fully support a major release for five years.

After a release falls out of full support, we may (at our committer's discretion) continue to apply further critical fixes to the source code, on a best-effort basis. No formal releases or binary packages will be produced by the project, but the updated source code will be available from our source code control system.

This policy will be followed on a best-effort basis. In extreme cases it may not be possible to support a release for the planned lifetime; for example if a serious bug is found that cannot be resolved in a given major version without significant risk to the stability of the code or loss of application compatibility. In such cases, early retirement of a major version may be required.

End Of Life (EOL) dates
VersionEOL Date
PostgreSQL 7.4July 2010 (extended)
PostgreSQL 8.0July 2010 (extended)
PostgreSQL 8.1November 2010
PostgreSQL 8.2December 2011
PostgreSQL 8.3February 2013
PostgreSQL 8.4July 2014

pgAdmin 1.10.1 released

pgAdmin 1.10.1 has now been released. A source tarball, and builds for Windows and Mac OS X are now available in the downloads area of the website - expect additional distributions to become available over the next few days.

pgAdmin is the leading Open Source GUI interface to PostgreSQL, and can be used on Windows, Mac OS X, Linux, Solaris and FreeBSD.

This is a bug fix release, including the following changes:
  • Replace Alt-F4 with Ctrl-Q and Ctrl-W.
  • Prevent a crash if the edit grid is closed whilst it is loading data.
  • Don't attempt to remove rows in the edit grid if the user presses the delete key when the delete button is disabled.
  • Only offer valid server encodings for new databases.
  • Fix font dialogue on Snow Leopard.
  • Fix an issue with the ordering of the mappings in a text search configuration.
  • Fix a potential crash bug in the object browser.
  • Reverse engineer empty (not NULL) ACLs correctly.
  • Fix Greenplum support for column oriented partitions.
  • Ensure function variables get reset if the function is modified.
  • Fix cluster creation for Slony 2.0.
  • Reverse engineer function defaults values correctly.
  • Fix a potential crash in the edit grid.
  • Fix domain creation/modification for domains in non-default schemas.
  • Reverse engineer language privileges correctly.
  • Get rid of "No SQL query was generated." message dialog when no tables are selected in the GQB.
  • Hints files should be encoded in UTF-8.
  • Include comments on procedures in the reverse engineered SQL.
  • Fix debugger name resolution on 64 bit Solaris.
  • Fix Slony cluster creation on Solaris.
  • Fix foreign key creation on Solaris.
  • Fix an SQL syntax error when viewing the dependencies of a sequence.
  • Fix saving of macros.
  • Better fix for schedule and step dialogs.
  • Fix the menu entry in frmQuery.
  • Fix the dlgFunction handling of preload libraries.
  • Fix schedule and step dialogs.
  • Fix error thrown when examining a Slony 2.x cluster.
Happy upgrading!

Thursday 3 December 2009

PostgreSQL@FOSDEM 2010 - Call for talks

FOSDEM is a major Free and Open Source event held annually in Brussels, Belgium, and attended by around 4000 people. As in recent years, the PostgreSQL project will have a devroom where we will be presenting a number of talks. The event will be held on the 6 - 7th February 2010.

We're looking for developers, users and contributors to submit talks for inclusion on the program. Any topic related to PostgreSQL is acceptable as long as it is non-commercial in nature. Suggested topics might include:

  • Migration of systems to PostgreSQL
  • Application development
  • Benchmarking and tuning
  • Spatial applications
  • Hacking the code
  • Data warehousing
  • New features
  • Tips and tricks
  • Replication
  • Case studies

We will have a number of 45 minutes slots, and may split one or more into 3 back-to-back 15 minute slots if we receive suitable proposals.

Please submit your proposals to:

and include the following information:

  • Your name
  • The title of your talk (please be descriptive, as titles will be listed with ~250 from other projects)
  • A short abstract of one to two paragraphs
  • A short biography introducing yourself
  • Links to related websites/blogs etc.

The deadline for submissions is 22nd December 2009.

See you in Brussels!