svn commit: r315718 - in head: databases/postgresql83-client databases/postgresql83-contrib databases/postgresql83-server databases/postgresql83-server/files databases/postgresql84-server databases...
Palle Girgensohn
girgen at FreeBSD.org
Thu Apr 4 13:21:26 UTC 2013
Author: girgen
Date: Thu Apr 4 13:21:22 2013
New Revision: 315718
URL: http://svnweb.freebsd.org/changeset/ports/315718
Log:
The PostgreSQL Global Development Group has released a security
update to all current versions of the PostgreSQL database system,
including versions 9.2.4, 9.1.9, 9.0.13, and 8.4.17. This update
fixes a high-exposure security vulnerability in versions 9.0 and
later. All users of the affected versions are strongly urged to apply
the update *immediately*.

A major security issue (for versions 9.x only) fixed in this release,
[CVE-2013-1899](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899),
makes it possible for a connection request containing a database name
that begins with "-" to be crafted that can damage or destroy files
within a server's data directory. Anyone with access to the port the
PostgreSQL server listens on can initiate this request. This issue was
discovered by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source
Software Center.

Two lesser security fixes are also included in this release:
[CVE-2013-1900](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900),
wherein random numbers generated by contrib/pgcrypto functions may be
easy for another database user to guess (all versions), and
[CVE-2013-1901](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901),
which mistakenly allows an unprivileged user to run commands that
could interfere with in-progress backups (for versions 9.x only).

Approved by: portmgr (bdrewery)
URL: http://www.postgresql.org/about/news/1456/
Security: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899
Security: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900
Security: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901
Added:
head/databases/postgresql83-server/files/patch-ssl-init-state (contents, props changed)
Modified:
head/databases/postgresql83-client/Makefile
head/databases/postgresql83-contrib/Makefile
head/databases/postgresql83-server/Makefile
head/databases/postgresql84-server/Makefile
head/databases/postgresql84-server/distinfo
head/databases/postgresql90-server/Makefile
head/databases/postgresql90-server/distinfo
head/databases/postgresql90-server/pkg-plist-server
head/databases/postgresql91-server/Makefile
head/databases/postgresql91-server/distinfo
head/databases/postgresql91-server/pkg-plist-server
head/databases/postgresql92-server/Makefile
head/databases/postgresql92-server/distinfo
head/databases/postgresql92-server/pkg-plist-server
head/security/vuxml/vuln.xml
Modified: head/databases/postgresql83-client/Makefile
==============================================================================
--- head/databases/postgresql83-client/Makefile Thu Apr 4 13:08:21 2013 (r315717)
+++ head/databases/postgresql83-client/Makefile Thu Apr 4 13:21:22 2013 (r315718)
@@ -8,8 +8,9 @@
# See Mk/bsd.databases.mk for more info
PORTNAME= postgresql
+PORTREVISION= 0
+PORTEPOCH= 1
PKGNAMESUFFIX= -client
-PORTEPOCH= 1
COMMENT= PostgreSQL database (client)
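Review bot: The added `PORTREVISION= 0` carries no explanation, and with a plain `=` it pins the client at revision 0 while the 8.3 server in this same commit moves to `PORTREVISION?= 1`. If the intent is to keep the client package from being bumped along with the server, a one-line comment above the assignment should say so; if not, the line can be dropped, since a revision of 0 adds no suffix to the package version. Moving `PORTEPOCH= 1` above `PKGNAMESUFFIX` looks purely cosmetic.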
Modified: head/databases/postgresql83-contrib/Makefile
==============================================================================
--- head/databases/postgresql83-contrib/Makefile Thu Apr 4 13:08:21 2013 (r315717)
+++ head/databases/postgresql83-contrib/Makefile Thu Apr 4 13:21:22 2013 (r315718)
@@ -2,6 +2,7 @@
# $FreeBSD$
PORTNAME= postgresql
+PORTREVISION= 0
PKGNAMESUFFIX= -contrib
CATEGORIES= databases
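Review bot: The commit log describes CVE-2013-1900 as a weakness in contrib/pgcrypto random numbers for all versions, yet `PORTREVISION= 0` here leaves the 8.3 contrib package version unchanged and no patch is added under this port. If the `RAND_cleanup()` change applied to the server's fork_process.c is the whole fix and pgcrypto needs no rebuild, please state that in the log or in a comment next to this line; otherwise the contrib port needs a revision bump so installed packages are rebuilt.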
Modified: head/databases/postgresql83-server/Makefile
==============================================================================
--- head/databases/postgresql83-server/Makefile Thu Apr 4 13:08:21 2013 (r315717)
+++ head/databases/postgresql83-server/Makefile Thu Apr 4 13:21:22 2013 (r315718)
@@ -6,7 +6,7 @@
#
DISTVERSION?= 8.3.23
-PORTREVISION?= 0
+PORTREVISION?= 1
PKGNAMESUFFIX?= -server
MAINTAINER?= pgsql at FreeBSD.org
Added: head/databases/postgresql83-server/files/patch-ssl-init-state
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/databases/postgresql83-server/files/patch-ssl-init-state Thu Apr 4 13:21:22 2013 (r315718)
@@ -0,0 +1,25 @@
+--- src/backend/postmaster/fork_process.c.orig 2013-02-04 22:29:07.000000000 +0100
++++ src/backend/postmaster/fork_process.c 2013-04-02 12:57:18.489126586 +0200
+@@ -15,6 +15,9 @@
+ #include <time.h>
+ #include <sys/time.h>
+ #include <unistd.h>
++#ifdef USE_SSL
++#include <openssl/rand.h>
++#endif
+
+ #ifndef WIN32
+ /*
+@@ -60,6 +63,12 @@
+ setitimer(ITIMER_PROF, &prof_itimer, NULL);
+ #endif
+
++ /*
++ * Make sure processes do not share OpenSSL randomness state.
++ */
++#ifdef USE_SSL
++ RAND_cleanup();
++#endif
+ }
+
+ return result;
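Review bot: The new patch file gives no indication of where the change comes from or which issue it addresses, and the comment before `RAND_cleanup()` says what is done but not why. Because the 8.3 port keeps `DISTVERSION?= 8.3.23` and only gets a `PORTREVISION` bump, this file is the entire fix for that branch, so a preamble line in the patch or a sentence in the log naming the upstream change and the CVE (the log's description of CVE-2013-1900 looks like the match) would make it auditable. The second inner hunk's context does not show the enclosing condition, so please also confirm the call lands in the child branch after the fork and not in the parent.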
Modified: head/databases/postgresql84-server/Makefile
==============================================================================
--- head/databases/postgresql84-server/Makefile Thu Apr 4 13:08:21 2013 (r315717)
+++ head/databases/postgresql84-server/Makefile Thu Apr 4 13:21:22 2013 (r315718)
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME?= postgresql
-DISTVERSION?= 8.4.16
+DISTVERSION?= 8.4.17
PORTREVISION?= 0
CATEGORIES?= databases
MASTER_SITES= PGSQL
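Review bot: The bump to 8.4.17 comes with no pkg-plist change, while the 9.0, 9.1 and 9.2 ports in this commit each add `timezone/Asia/Khandyga`, `timezone/Asia/Ust-Nera` and `timezone/Europe/Busingen`. Please confirm whether 8.4.17 installs the same new zone files when TZDATA is enabled; if it does, the 8.4 plist needs the same three entries, otherwise the package will install files it does not track.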
Modified: head/databases/postgresql84-server/distinfo
==============================================================================
--- head/databases/postgresql84-server/distinfo Thu Apr 4 13:08:21 2013 (r315717)
+++ head/databases/postgresql84-server/distinfo Thu Apr 4 13:21:22 2013 (r315718)
@@ -1,4 +1,4 @@
-SHA256 (postgresql/postgresql-8.4.16.tar.bz2) = 8d03d94d3957019227066f427ccb11232a823f2558e2f57e1ea2bc9ba004612f
-SIZE (postgresql/postgresql-8.4.16.tar.bz2) = 14784029
+SHA256 (postgresql/postgresql-8.4.17.tar.bz2) = dc884c34ec3535d9f8b579155948a703def0574aca47292b97b82a8189cd0436
+SIZE (postgresql/postgresql-8.4.17.tar.bz2) = 14795028
SHA256 (postgresql/pg-840-icu-2009-09-15.diff.gz) = c09d3b59340a3bb6ea754e985739d4fbb47f730d1e48a357c5585825034fc72e
SIZE (postgresql/pg-840-icu-2009-09-15.diff.gz) = 4321
Modified: head/databases/postgresql90-server/Makefile
==============================================================================
--- head/databases/postgresql90-server/Makefile Thu Apr 4 13:08:21 2013 (r315717)
+++ head/databases/postgresql90-server/Makefile Thu Apr 4 13:21:22 2013 (r315718)
@@ -5,7 +5,7 @@
# $FreeBSD$
#
-DISTVERSION?= 9.0.12
+DISTVERSION?= 9.0.13
PORTREVISION= 0
PKGNAMESUFFIX?= -server
Modified: head/databases/postgresql90-server/distinfo
==============================================================================
--- head/databases/postgresql90-server/distinfo Thu Apr 4 13:08:21 2013 (r315717)
+++ head/databases/postgresql90-server/distinfo Thu Apr 4 13:21:22 2013 (r315718)
@@ -1,4 +1,4 @@
-SHA256 (postgresql/postgresql-9.0.12.tar.bz2) = 80f06873cbdc8789abe6806dc52a708d9a7f4ac5432ffea4c069cbc33b2b1524
-SIZE (postgresql/postgresql-9.0.12.tar.bz2) = 15122949
+SHA256 (postgresql/postgresql-9.0.13.tar.bz2) = 51aea4d099defaee307ec3b9900837446931d1aa0c6717070fa25ed033af9977
+SIZE (postgresql/postgresql-9.0.13.tar.bz2) = 15139873
SHA256 (postgresql/pg-900-icu-2010-09-19.diff.gz) = 27cea46241ec814965c278330cd96f67ee03422b7758a210713a63b4b5bb77e9
SIZE (postgresql/pg-900-icu-2010-09-19.diff.gz) = 4349
Modified: head/databases/postgresql90-server/pkg-plist-server
==============================================================================
--- head/databases/postgresql90-server/pkg-plist-server Thu Apr 4 13:08:21 2013 (r315717)
+++ head/databases/postgresql90-server/pkg-plist-server Thu Apr 4 13:21:22 2013 (r315718)
@@ -410,6 +410,7 @@ share/postgresql/snowball_create.sql
%%TZDATA%%share/postgresql/timezone/Asia/Kashgar
%%TZDATA%%share/postgresql/timezone/Asia/Kathmandu
%%TZDATA%%share/postgresql/timezone/Asia/Katmandu
+%%TZDATA%%share/postgresql/timezone/Asia/Khandyga
%%TZDATA%%share/postgresql/timezone/Asia/Kolkata
%%TZDATA%%share/postgresql/timezone/Asia/Krasnoyarsk
%%TZDATA%%share/postgresql/timezone/Asia/Kuala_Lumpur
@@ -454,6 +455,7 @@ share/postgresql/snowball_create.sql
%%TZDATA%%share/postgresql/timezone/Asia/Ulaanbaatar
%%TZDATA%%share/postgresql/timezone/Asia/Ulan_Bator
%%TZDATA%%share/postgresql/timezone/Asia/Urumqi
+%%TZDATA%%share/postgresql/timezone/Asia/Ust-Nera
%%TZDATA%%share/postgresql/timezone/Asia/Vientiane
%%TZDATA%%share/postgresql/timezone/Asia/Vladivostok
%%TZDATA%%share/postgresql/timezone/Asia/Yakutsk
@@ -562,6 +564,7 @@ share/postgresql/snowball_create.sql
%%TZDATA%%share/postgresql/timezone/Europe/Brussels
%%TZDATA%%share/postgresql/timezone/Europe/Bucharest
%%TZDATA%%share/postgresql/timezone/Europe/Budapest
+%%TZDATA%%share/postgresql/timezone/Europe/Busingen
%%TZDATA%%share/postgresql/timezone/Europe/Chisinau
%%TZDATA%%share/postgresql/timezone/Europe/Copenhagen
%%TZDATA%%share/postgresql/timezone/Europe/Dublin
Modified: head/databases/postgresql91-server/Makefile
==============================================================================
--- head/databases/postgresql91-server/Makefile Thu Apr 4 13:08:21 2013 (r315717)
+++ head/databases/postgresql91-server/Makefile Thu Apr 4 13:21:22 2013 (r315718)
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME?= postgresql
-DISTVERSION?= 9.1.8
+DISTVERSION?= 9.1.9
PORTREVISION?= 0
CATEGORIES?= databases
MASTER_SITES= PGSQL
Modified: head/databases/postgresql91-server/distinfo
==============================================================================
--- head/databases/postgresql91-server/distinfo Thu Apr 4 13:08:21 2013 (r315717)
+++ head/databases/postgresql91-server/distinfo Thu Apr 4 13:21:22 2013 (r315718)
@@ -1,4 +1,4 @@
-SHA256 (postgresql/postgresql-9.1.8.tar.bz2) = 1d88f9dda24062dbfcc09aca9a316981f2aa93322613b853cf32d7a431b44c6d
-SIZE (postgresql/postgresql-9.1.8.tar.bz2) = 15815313
+SHA256 (postgresql/postgresql-9.1.9.tar.bz2) = 28a533e181009308722e8b3c51f1ea7224ab910c380ac1a86f07118667602dd8
+SIZE (postgresql/postgresql-9.1.9.tar.bz2) = 15815421
SHA256 (postgresql/pg-910-icu-2012-12-19.diff.gz) = 61ef9c9b55b63b63b0fb108dfef086f92e9c43b5bd934fab9639b31f91193611
SIZE (postgresql/pg-910-icu-2012-12-19.diff.gz) = 4386
Modified: head/databases/postgresql91-server/pkg-plist-server
==============================================================================
--- head/databases/postgresql91-server/pkg-plist-server Thu Apr 4 13:08:21 2013 (r315717)
+++ head/databases/postgresql91-server/pkg-plist-server Thu Apr 4 13:21:22 2013 (r315718)
@@ -417,6 +417,7 @@ share/postgresql/snowball_create.sql
%%TZDATA%%share/postgresql/timezone/Asia/Kashgar
%%TZDATA%%share/postgresql/timezone/Asia/Kathmandu
%%TZDATA%%share/postgresql/timezone/Asia/Katmandu
+%%TZDATA%%share/postgresql/timezone/Asia/Khandyga
%%TZDATA%%share/postgresql/timezone/Asia/Kolkata
%%TZDATA%%share/postgresql/timezone/Asia/Krasnoyarsk
%%TZDATA%%share/postgresql/timezone/Asia/Kuala_Lumpur
@@ -461,6 +462,7 @@ share/postgresql/snowball_create.sql
%%TZDATA%%share/postgresql/timezone/Asia/Ulaanbaatar
%%TZDATA%%share/postgresql/timezone/Asia/Ulan_Bator
%%TZDATA%%share/postgresql/timezone/Asia/Urumqi
+%%TZDATA%%share/postgresql/timezone/Asia/Ust-Nera
%%TZDATA%%share/postgresql/timezone/Asia/Vientiane
%%TZDATA%%share/postgresql/timezone/Asia/Vladivostok
%%TZDATA%%share/postgresql/timezone/Asia/Yakutsk
@@ -569,6 +571,7 @@ share/postgresql/snowball_create.sql
%%TZDATA%%share/postgresql/timezone/Europe/Brussels
%%TZDATA%%share/postgresql/timezone/Europe/Bucharest
%%TZDATA%%share/postgresql/timezone/Europe/Budapest
+%%TZDATA%%share/postgresql/timezone/Europe/Busingen
%%TZDATA%%share/postgresql/timezone/Europe/Chisinau
%%TZDATA%%share/postgresql/timezone/Europe/Copenhagen
%%TZDATA%%share/postgresql/timezone/Europe/Dublin
Modified: head/databases/postgresql92-server/Makefile
==============================================================================
--- head/databases/postgresql92-server/Makefile Thu Apr 4 13:08:21 2013 (r315717)
+++ head/databases/postgresql92-server/Makefile Thu Apr 4 13:21:22 2013 (r315718)
@@ -2,11 +2,11 @@
# $FreeBSD$
PORTNAME?= postgresql
-DISTVERSION?= 9.2.3
+DISTVERSION?= 9.2.4
PORTREVISION?= 0
CATEGORIES?= databases
MASTER_SITES= PGSQL
-MASTER_SITE_SUBDIR= source/v${DISTVERSION:S,beta,.0&,}
+MASTER_SITE_SUBDIR= source/v${DISTVERSION}
PKGNAMESUFFIX?= -server
MAINTAINER?= pgsql at FreeBSD.org
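Review bot: The `MASTER_SITE_SUBDIR` change drops the `:S,beta,.0&,` substitution, which is unrelated to the 9.2.4 security update and is not mentioned in the commit log. It is harmless for a release version such as 9.2.4, but it changes the fetch path for any future beta `DISTVERSION`, so it would be better as a separate commit or at least called out in the log so the security change can be reviewed and merged on its own.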
Modified: head/databases/postgresql92-server/distinfo
==============================================================================
--- head/databases/postgresql92-server/distinfo Thu Apr 4 13:08:21 2013 (r315717)
+++ head/databases/postgresql92-server/distinfo Thu Apr 4 13:21:22 2013 (r315718)
@@ -1,4 +1,4 @@
-SHA256 (postgresql/postgresql-9.2.3.tar.bz2) = c4f5a63290c0c32d8d9899edee8188d0c8ab124a7199b154fac75e62eec35f7f
-SIZE (postgresql/postgresql-9.2.3.tar.bz2) = 16371616
+SHA256 (postgresql/postgresql-9.2.4.tar.bz2) = d97dd918a88a4449225998f46aafa85216a3f89163a3411830d6890507ffae93
+SIZE (postgresql/postgresql-9.2.4.tar.bz2) = 16395184
SHA256 (postgresql/pg-910-icu-2012-12-19.diff.gz) = 61ef9c9b55b63b63b0fb108dfef086f92e9c43b5bd934fab9639b31f91193611
SIZE (postgresql/pg-910-icu-2012-12-19.diff.gz) = 4386
Modified: head/databases/postgresql92-server/pkg-plist-server
==============================================================================
--- head/databases/postgresql92-server/pkg-plist-server Thu Apr 4 13:08:21 2013 (r315717)
+++ head/databases/postgresql92-server/pkg-plist-server Thu Apr 4 13:21:22 2013 (r315718)
@@ -122,6 +122,7 @@ share/postgresql/extension/plpgsql.contr
%%GETTEXT%%share/locale/ru/LC_MESSAGES/plpgsql-9.2.mo
%%GETTEXT%%share/locale/ru/LC_MESSAGES/postgres-9.2.mo
%%GETTEXT%%share/locale/sv/LC_MESSAGES/initdb-9.2.mo
+%%GETTEXT%%share/locale/sv/LC_MESSAGES/pg_ctl-9.2.mo
%%GETTEXT%%share/locale/tr/LC_MESSAGES/initdb-9.2.mo
%%GETTEXT%%share/locale/tr/LC_MESSAGES/pg_controldata-9.2.mo
%%GETTEXT%%share/locale/tr/LC_MESSAGES/pg_resetxlog-9.2.mo
@@ -413,6 +414,7 @@ share/postgresql/snowball_create.sql
%%TZDATA%%share/postgresql/timezone/Asia/Kashgar
%%TZDATA%%share/postgresql/timezone/Asia/Kathmandu
%%TZDATA%%share/postgresql/timezone/Asia/Katmandu
+%%TZDATA%%share/postgresql/timezone/Asia/Khandyga
%%TZDATA%%share/postgresql/timezone/Asia/Kolkata
%%TZDATA%%share/postgresql/timezone/Asia/Krasnoyarsk
%%TZDATA%%share/postgresql/timezone/Asia/Kuala_Lumpur
@@ -457,6 +459,7 @@ share/postgresql/snowball_create.sql
%%TZDATA%%share/postgresql/timezone/Asia/Ulaanbaatar
%%TZDATA%%share/postgresql/timezone/Asia/Ulan_Bator
%%TZDATA%%share/postgresql/timezone/Asia/Urumqi
+%%TZDATA%%share/postgresql/timezone/Asia/Ust-Nera
%%TZDATA%%share/postgresql/timezone/Asia/Vientiane
%%TZDATA%%share/postgresql/timezone/Asia/Vladivostok
%%TZDATA%%share/postgresql/timezone/Asia/Yakutsk
@@ -565,6 +568,7 @@ share/postgresql/snowball_create.sql
%%TZDATA%%share/postgresql/timezone/Europe/Brussels
%%TZDATA%%share/postgresql/timezone/Europe/Bucharest
%%TZDATA%%share/postgresql/timezone/Europe/Budapest
+%%TZDATA%%share/postgresql/timezone/Europe/Busingen
%%TZDATA%%share/postgresql/timezone/Europe/Chisinau
%%TZDATA%%share/postgresql/timezone/Europe/Copenhagen
%%TZDATA%%share/postgresql/timezone/Europe/Dublin
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Thu Apr 4 13:08:21 2013 (r315717)
+++ head/security/vuxml/vuln.xml Thu Apr 4 13:21:22 2013 (r315718)
@@ -51,6 +51,63 @@ Note: Please add new entries to the beg
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="3f332f16-9b6b-11e2-8fe9-08002798f6ff">
+ <topic>PostgreSQL -- anonymous remote access data corruption vulnerability</topic>
+ <affects>
+ <package>
+ <name>postgresql-server</name>
+ <range><ge>8.3.0</ge><lt>8.3.21_1</lt></range>
+ <range><ge>8.4.0</ge><lt>8.4.17</lt></range>
+ <range><ge>9.0.0</ge><lt>9.0.13</lt></range>
+ <range><ge>9.1.0</ge><lt>9.1.9</lt></range>
+ <range><ge>9.2.0</ge><lt>9.2.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>PostgreSQL project reports:</p>
+ <blockquote cite="http://www.postgresql.org/about/news/1456/">
+ <p>
+ The PostgreSQL Global Development Group has released a security
+ update to all current versions of the PostgreSQL database system,
+ including versions 9.2.4, 9.1.9, 9.0.13, and 8.4.17. This update
+ fixes a high-exposure security vulnerability in versions 9.0 and
+ later. All users of the affected versions are strongly urged to apply
+ the update *immediately*.
+ </p>
+ <p>
+ A major security issue (for versions 9.x only) fixed in this release,
+ [CVE-2013-1899](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899),
+ makes it possible for a connection request containing a database name
+ that begins with "-" to be crafted that can damage or destroy files
+ within a server's data directory. Anyone with access to the port the
+ PostgreSQL server listens on can initiate this request. This issue was
+ discovered by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source
+ Software Center.
+ </p>
+ <p>
+ Two lesser security fixes are also included in this release:
+ [CVE-2013-1900](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900),
+ wherein random numbers generated by contrib/pgcrypto functions may be
+ easy for another database user to guess (all versions), and
+ [CVE-2013-1901](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901),
+ which mistakenly allows an unprivileged user to run commands that
+ could interfere with in-progress backups (for versions 9.x only).
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2013-1899</cvename>
+ <cvename>CVE-2013-1900</cvename>
+ <cvename>CVE-2013-1901</cvename>
+ </references>
+ <dates>
+ <discovery>2013-04-04</discovery>
+ <entry>2013-04-04</entry>
+ </dates>
+ </vuln>
+
<vuln vid="94976433-9c74-11e2-a9fc-d43d7e0c7c02">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
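Review bot: The 8.3 range `<lt>8.3.21_1</lt>` does not match the port, which this commit takes from 8.3.23 to 8.3.23_1; as written, an unpatched 8.3.22 or 8.3.23 install is not flagged by this entry. The upper bound should be `8.3.23_1`. Two smaller points: the topic and the 8.3 and 8.4 ranges present this as the anonymous remote data corruption issue, but the quoted text limits CVE-2013-1899 to 9.x, so the topic could cover all three CVEs; and CVE-2013-1900 is described as a contrib/pgcrypto problem while only `postgresql-server` is listed under `<affects>`.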