Commit graph

383 commits

Author SHA1 Message Date
Palle Girgensohn
70a06c4f2e Update PostgreSQL to latest versions.
Security Fixes for Regular Expressions, PL/Java

This release closes security hole CVE-2016-0773, an issue with regular
expression (regex) parsing. Prior code allowed users to pass in expressions
which included out-of-range Unicode characters, triggering a backend crash.
This issue is critical for PostgreSQL systems with untrusted users or which
generate regexes based on user input.

The update also fixes CVE-2016-0766, a privilege escalation issue for users of
PL/Java.  Certain custom configuration settings (GUCS) for PL/Java will now be
modifiable only by the database superuser.

URL:		http://www.postgresql.org/about/news/1644/
Security:	CVE-2016-0773, CVE-2016-0766
2016-02-13 22:42:04 +00:00
Palle Girgensohn
a9c901ec2b Some binaries were moved from contrib to base in 9.5, like pgbench and
pg_upgrade. Others were added in 9.5, but the port failed to install them.
Make sure they are properly installed by the correct port (-client or -server) [1]

Remove unused and hence confusing OSSP_UUID parameters from Makefile [2]

Add options to allow user to be set for the backup script in periodic.
Add this option only to 9.5 for now. It will be updated to other servers at
next regular patch release. [3]

The path to perl is hard coded into pgxs/src/Makefile.global which is
then installed. Hence, we must depend on perl when that file is installed.

Noticed by:	Paul Guyot [1]
PR:		192387 [2]
PR:		172110 [3]
PR:		206046 [4]
2016-01-13 10:36:22 +00:00
Mathieu Arnold
7f0f664d7e Drop 8 support.
With hat:	portmgr
Sponsored by:	Absolight
Differential Revision:	https://reviews.freebsd.org/D3694
2015-10-15 14:55:14 +00:00
Palle Girgensohn
0642ae4b77 Update PostgreSQL port to latest version.
Two security issues have been fixed in this release which affect users
of specific PostgreSQL features:

CVE-2015-5289: json or jsonb input values constructed from arbitrary
user input can crash the PostgreSQL server and cause a denial of
service.

CVE-2015-5288: The crypt() function included with the optional pgCrypto
extension could be exploited to read a few additional bytes of memory.
No working exploit for this issue has been developed.

This update will also disable SSL renegotiation by default;
previously, it was enabled by default.   SSL renegotiation will be
removed entirely in PostgreSQL versions 9.5 and later.

URL:		http://www.postgresql.org/about/news/1615/
Security:	CVE-2015-5288 CVE-2015-5289
2015-10-08 21:25:01 +00:00
Palle Girgensohn
7d7b994589 Fix broken XML support.
PR:	ports/202649
2015-10-06 08:47:42 +00:00
Baptiste Daroussin
15a9b4d2cb Really fix ldap option 2015-07-24 06:05:22 +00:00
Baptiste Daroussin
1f9d1528bc Fix ldap option 2015-07-22 23:20:02 +00:00
Baptiste Daroussin
59f0a24756 Only defined options marked as server only for the servers
Remove (server) from the description
2015-07-22 23:10:39 +00:00
Baptiste Daroussin
4a7d808593 UNIQUENAME is not used anymore for long to save options 2015-07-22 22:56:56 +00:00
Baptiste Daroussin
bc46027203 Simplify a bit the Makefiles
Use OPTIONS_SUB to automatically PLIST_SUB
Use OPTIONS helpers
2015-07-22 22:45:35 +00:00
Baptiste Daroussin
ab7ead91d4 Cleanup plist and avoid useless @exec 2015-07-22 21:46:27 +00:00
Palle Girgensohn
07d4926020 Update PostgreSQL to latest versions.
Earlier update releases attempted to fix an issue in PostgreSQL 9.3 and 9.4
with "multixact wraparound", but failed to account for issues doing multixact
cleanup during crash recovery. This could cause servers to be unable to restart
after a crash. As such, all users of 9.3 and 9.4 should apply this update as
soon as possible.

URL:	http://www.postgresql.org/about/news/1592/
2015-06-12 13:00:49 +00:00
Palle Girgensohn
5e8dafff53 Update PostgreSQL to latest versions.
The update is mostly to fix the file permission problem described
in the URL below. You might want to wait until next upgrade, depending
on your local configuration.
URL:	http://www.postgresql.org/about/news/1590/
2015-06-05 14:57:29 +00:00
Palle Girgensohn
89f2bb6e59 Update PostgreSQL ports to latest version.
Data Corruption Fix

For users of PostgreSQL versions 9.3 or 9.4, this release fixes a problem where
the database will fail to protect against "multixact wraparound", resulting in
data corruption or loss. Users with a high transaction rate (1 million or more
per hour) in a database with many foreign keys are especially vulnerable. We
strongly urge all users of 9.4 and 9.3 to update their installations in the
next few days.

Users of versions 9.2 and earlier are not affected by this issue.

Security:	fc38cd83-00b3-11e5-8ebd-0026551a22dc
2015-05-22 23:22:19 +00:00
Mathieu Arnold
60d1a83c2a MASTER_SITES cleanup.
- Replace ${MASTER_SITE_FOO} with FOO.
- Merge MASTER_SITE_SUBDIR into MASTER_SITES when possible. (This means 99.9%
  of the time.)
- Remove occurrences of MASTER_SITE_LOCAL when no subdirectory was present and
  no hint of what it should be was present.
- Fix some logic.
- And generally, make things more simple and easy to understand.

While there, add magic values to the FESTIVAL, GENTOO, GIMP, GNUPG, QT and
SAMBA macros.

Also, replace some EXTRACT_SUFX occurrences with USES=tar:*.

Checked by:	make fetch-urlall-list
With hat:	portmgr
Sponsored by:	Absolight
2015-05-14 10:15:04 +00:00
Palle Girgensohn
e027c898c2 Commit the missing part of last commit: Chase upcoming update of ICU to 5.5. 2015-04-19 11:12:21 +00:00
Palle Girgensohn
68916dd375 Chase upcoming update of ICU to 5.5. 2015-04-18 12:37:22 +00:00
Palle Girgensohn
b6d78357da remove redundant cpe markers on the slave ports 2015-04-05 09:00:59 +00:00
John Marino
8f3cf904a9 databases category: Remove $PTHREAD_LIBS
Note: virtuoso did not pass check-plist from before, so it was fixed.

approved by:	PTHREAD blanket
2015-03-25 09:33:52 +00:00
Bartek Rutkowski
8d240871de databases/postgresql92-server: add CPE information
- Maintainer's timeout (pgsql@FreeBSD.org)

PR:		197487
Submitted by:	Shun <shun.fbsd.pr@dropcut.net>
2015-03-20 08:58:14 +00:00
Palle Girgensohn
cbb709bca2 Revert the change from readline to libedit, and instead make libedit optional.
PR:	ports/197362
2015-02-07 17:05:07 +00:00
Palle Girgensohn
262af710e7 Update PostgreSQL-9.x to latest versions.
This update fixes multiple security issues reported in PostgreSQL over the past
few months. All of these issues require prior authentication, and some require
additional conditions, and as such are not considered generally urgent.
However, users should examine the list of security holes patched below in case
they are particularly vulnerable.

Security:	CVE-2015-0241,CVE-2015-0242,CVE-2015-0243,
		CVE-2015-0244,CVE-2014-8161
2015-02-05 22:54:34 +00:00
Palle Girgensohn
987b035d67 Revert r247147.
We need -pthread in LDFLAGS for threaded extensions like plv8js to work.

PR:		175783
Submitted by:	Li-Wen Hsu <lwhsu@FreeBSD.org>
2014-11-12 09:53:41 +00:00
Baptiste Daroussin
d3a9ea1e08 Turn OPTIONS_SINGLE KRB5 into an OPTIONS_RADIO like it is supposed to be
PR:		193451
Submitted by:	dmitry2004@yandex.ru
2014-09-10 13:34:53 +00:00
Chris Rees
dab15277f4 Convert pgsql ports to use USES+=pgsql
Reviewed by:	bapt
2014-08-25 17:53:26 +00:00
Marcus von Appen
a38c833874 - Unbreak builds after the lang/python27 update (r363790)
Exp-run:	192242, 192244
2014-08-02 07:01:53 +00:00
Chris Rees
421b8a5f6e Update to the latest snapshots.
uuid-ossp patch has been outdated with irrelevant changes (for us),
so massage back in.

In head of postgresql, this is handled properly, so eventually the ossp patches
can go.
2014-07-30 18:21:47 +00:00
Tijl Coosemans
37f54e0f66 net/openldap24-*:
- Convert to USES=libtool and bump dependent ports
- Avoid USE_AUTOTOOLS
- Don't use PTHREAD_LIBS
- Use MAKE_CMD

databases/glom:
- Drop :keepla
- Add INSTALL_TARGET=install-strip

databases/libgda4* databases/libgda5*:
- Convert to USES=libtool and bump dependent ports
- USES=tar:xz
- Use INSTALL_TARGET=install-strip
- Use @sample

databases/libgdamm:
- Drop :keepla
- USES=tar:bzip2
- Use INSTALL_TARGET=install-strip

databases/libgdamm5:
- Add INSTALL_TARGET=install-strip
- Drop --enable-static (inherited from old repocopy)

devel/anjuta x11-toolkits/py-gnome-extras:
- Drop :keepla

dns/powerdns dns/powerdns-devel:
- Convert to USES=libtool
- Add INSTALL_TARGET=install-strip
- Disable static modules
- Stop creating library symlinks with .0 suffix, not needed for dynamically
  opened modules

mail/dovecot2:
- Add USES=libtool

mail/dovecot2-pigeonhole:
- Drop CONFIGURE_TARGET (incorrect for Dragonfly)
- Add USES=libtool and INSTALL_TARGET=install-strip

math/gnumeric:
- USES=libtool tar:xz

Approved by:	portmgr (implicit, bump unstaged ports)
2014-07-24 18:34:16 +00:00
Baptiste Daroussin
407913afd9 Properly call MAKE_CMD 2014-06-24 22:34:27 +00:00
Palle Girgensohn
f319c969b6 Prepare for upcoming ICU-5.3 upgrade. 2014-06-09 21:57:43 +00:00
Niclas Zeising
39fc32e828 The FreeBSD x11@ and graphics team proudly presents
a zeising, kwm production, with help from dumbbell, bdrewery:

NEW XORG ON FREEBSD 9-STABLE AND 10-STABLE

This update switches over to use the new xorg stack by default on FreeBSD 9
and 10 stable, on osversions where vt(9) is available.
It is still possible to use the old stack by specifying WITHOUT_NEW_XORG in
/etc/make.conf .
FreeBSD 8-STABLE and released versions of FreeBSD still use
the old version.
A package repository with binary packages for new xorg will
be available soon.

This patch also contains updates of libxcb and related ports, pixman, as well
as some drivers and utilities.

Bump portrevisions for xf86-* ports, as well as virtualbox-ose-additions due
to xserver version change.

Apart from these updates, the way shared libraries are handled has been
changed for all xorg ports, as well as libxml2 and freetype, which means
ltverhack is gone and as a consequence shared libraries have been bumped.
The plan is that this change will make library bumps less likely in the
future.
All affected ports have had their portrevisions bumped as a consequence of
this.

Fix some issues where WITH_NEW_XORG wasn't detected properly on CURRENT.

Update instructions, hardware support, and more notes can be found on
https://wiki.freebsd.org/Graphics

Thanks to:	all testers, bdrewery and the FreeBSD x11@ team
exp-run by:	bdrewery [1]
PR:		ports/187602 [1]
Approved by:	portmgr (bdrewery), core (jhb)
2014-04-16 18:28:47 +00:00
Palle Girgensohn
9b588a49ff Fix mistake with ossp-uuid: don't use --with-ossp-uuid, since it will need
the ossp library present, and then we never use it.
2014-03-21 08:15:26 +00:00
Palle Girgensohn
2ff65cdb88 Fixed bad filesize in distinfo 2014-03-20 23:09:05 +00:00
Palle Girgensohn
4082f0b6db The PostgreSQL Global Development Group has released an update to all supported
versions of the database system, including versions 9.3.4, 9.2.8, 9.1.13,
9.0.17, and 8.4.21. This minor release fixes a data corruption issue with
replication and crash recovery in version 9.3, as well as several other minor
issues in all versions.  All users of version 9.3 are urged to update their
installations at the next possible downtime.  Users of older versions should
update at their convenience.

The data corruption issue in PostgreSQL 9.3 affects binary replication
standbys, servers being recovered from point-in-time-recovery backup, and
standalone servers which recover from a system crash. The bug causes
unrecoverable index corruption during recovery due to incorrect replay of row
locking operations.  This can then cause query results to be inconsistent
depending on whether or not an index is used, and eventually lead to primary
key violations and similar issues.  For this reason, users are encouraged to
replace each of their standby databases with a new base backup after applying
the update.

See release notes for more changes.

URL:	http://www.postgresql.org/docs/current/static/release.html
URL:	https://wiki.postgresql.org/wiki/20140320UpdateIssues

A change specific to the FreeBSD port:
Modify the contrib/uuid-ossp to actually work (not crashing the backend) by
using the libc implementation of uuid instead of the ossp port. Schemas and
queries will just work. Based on the work of Andrew Gierth. 9.1+ EXTENSION
support added by girgen@.

URL:	http://pgfoundry.org/projects/uuid-freebsd
PR:	ports/121745, ports/182846
2014-03-20 13:43:15 +00:00
Antoine Brodin
4d4db2684b Stage support
Reviewed by:	postgresql@
Tested by:	miwi and me
2014-02-26 17:24:35 +00:00
Palle Girgensohn
86dd060cb0 The PostgreSQL Global Development Group has released an important
update to all supported versions of the PostgreSQL database system,
which includes minor versions 9.3.3, 9.2.7, 9.1.12, 9.0.16, and
8.4.20. This update contains fixes for multiple security issues, as
well as several fixes for replication and data integrity issues.  All
users are urged to update their installations at the earliest
opportunity, especially those using binary replication or running a
high-security application.

This update fixes CVE-2014-0060, in which PostgreSQL did not properly
enforce the WITH ADMIN OPTION permission for ROLE management. Before
this fix, any member of a ROLE was able to grant others access to the
same ROLE regardless if the member was given the WITH ADMIN OPTION
permission. It also fixes multiple privilege escalation issues,
including: CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064,
CVE-2014-0065, and CVE-2014-0066. More information on these issues can
be found on our security page and the security issue detail wiki page.

Security:	CVE-2014-0060,CVE-2014-0061,CVE-2014-0062,CVE-2014-0063
		CVE-2014-0064,CVE-2014-0065,CVE-2014-0066,CVE-2014-0067
2014-02-20 18:11:37 +00:00
Palle Girgensohn
2ef4318584 fix messed up file sizes for icu patch 2014-02-10 23:46:46 +00:00
Palle Girgensohn
2999fc98f0 Chase ICU update 2014-02-10 16:32:40 +00:00
Baptiste Daroussin
4650a910d0 Chase boost and icu bump
While here convert some LIB_DEPENDS
2014-02-07 11:44:08 +00:00
Baptiste Daroussin
b5482324dc In preparation for making libtool generate libraries with a sane name, fix all
LIB_DEPENDS in databases
2013-12-11 18:08:52 +00:00
Palle Girgensohn
6030e71fcc The PostgreSQL Global Development Group has released a critical update
to all supported versions of the PostgreSQL database system, which
includes minor versions 9.3.2, 9.2.6, 9.1.11, 9.0.15, and 8.4.19. This
update fixes three serious data-loss bugs affecting replication and
database maintenance.  All users are urged to update their
installations at the earliest opportunity.

URL:	http://www.postgresql.org/about/news/1492/
2013-12-05 15:59:53 +00:00
Sunpoet Po-Chuan Hsieh
32da06605f - Fix PLIST for python3
Submitted by:	sunpoet (myself)
Approved by:	crees (pgsql)
2013-10-28 18:52:22 +00:00
Sunpoet Po-Chuan Hsieh
1e4b76852c - Remove DISTV: only used in PKGNAMESUFFIX and complained by portlint
- Convert to new LIB_DEPENDS format for postgresql*-contrib

Submitted by:	sunpoet (myself)
Reviewed by:	crees (pgsql)
Approved by:	jgh (pgsql)
2013-10-15 17:17:05 +00:00
Palle Girgensohn
69b65670f9 Update PostgreSQL ports to 9.3.1, 9.2.5, 9.1.10, 9.0.14, and 8.4.18.
Note that users of the hstore extension on version 9.3 must take an additional,
post upgrade step of running "ALTER EXTENSION hstore UPDATE" in each database
after update.

URL:	http://www.postgresql.org/about/news/1487/
2013-10-12 00:59:50 +00:00
Jason Helfman
284d8b8683 - Fix pkg name collision
Reviewed by: pgsql@
With hat: pgsql@
2013-10-10 00:09:35 +00:00
Jason Helfman
de278bfdf7 - revert r329725
Reported by: qat@
With hat: pgsql@
2013-10-07 20:03:38 +00:00
Jason Helfman
51bc2ff685 - Fix pkg name collision
Reviewed by: crees@
With hat: pgsql@
2013-10-07 19:04:04 +00:00
Baptiste Daroussin
36117d7097 Add NO_STAGE all over the place in preparation for the staging support (cat: databases) 2013-09-20 16:13:47 +00:00
Jason Helfman
abd1752ca4 - convert from USE_GMAKE to USES=gmake
- trim historical headers

With hat: pgsql@
2013-07-07 00:15:47 +00:00
Palle Girgensohn
45704cebea Update postgresql93-client to properly depend on pkgconfig
Reported by: Ports-QAT
2013-05-12 21:09:38 +00:00