The PostgreSQL Global Development Group has released an update to all supported
versions of the PostgreSQL database system, including 10.3, 9.6.8, 9.5.12,
9.4.17, and 9.3.22.
The purpose of this release is to address CVE-2018-1058, which describes how a
user can create like-named objects in different schemas that can change the
behavior of other users' queries and cause unexpected or malicious behavior,
also known as a "trojan-horse" attack. Most of this release centers around added
documentation that describes the issue and how to take steps to mitigate the
impact on PostgreSQL databases.
We strongly encourage all of our users to please visit
https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path
for a detailed explanation of CVE-2018-1058 and how to protect your PostgreSQL
installations.
After evaluating the documentation for CVE-2018-1058, a database administrator
may need to take follow-up steps on their PostgreSQL installations to ensure
they are protected from exploitation.
Security: CVE-2018-1058
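The following SQL is an added example, not part of the PostgreSQL announcement or of the FreeBSD port; it walks through the search_path hardening that the linked wiki page recommends against CVE-2018-1058, from the administrator's side. The role name app_user and the schema name audit are constructed for the illustration.

```sql
-- Added example (constructed): hardening a cluster against like-named objects
-- in the public schema shadowing what other users' unqualified queries resolve
-- to (CVE-2018-1058). Run as a superuser / database owner.

-- Constructed role and schema used throughout this example.
CREATE ROLE app_user LOGIN;
CREATE SCHEMA IF NOT EXISTS audit;

-- 1. Stop ordinary roles from creating objects in the public schema. Without
--    this, any user can plant a table, function or operator there that takes
--    precedence for everyone whose search_path lists public before their own
--    schema.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. Give the role a private schema and make that the only schema it searches.
--    "$user" resolves to a schema named after the current role; pg_catalog is
--    always searched first implicitly unless it is placed elsewhere.
CREATE SCHEMA AUTHORIZATION app_user;
ALTER ROLE app_user SET search_path = "$user";

-- 3. Pin the search path inside function bodies so they do not inherit the
--    caller's setting (the classic trojan-horse vector for SECURITY DEFINER
--    code). pg_temp goes last so temporary objects cannot shadow catalogs.
--    Passing a regclass through %s yields a correctly quoted, qualified name.
CREATE OR REPLACE FUNCTION audit.count_rows(tbl regclass) RETURNS bigint
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
DECLARE
  n bigint;
BEGIN
  EXECUTE pg_catalog.format('SELECT pg_catalog.count(*) FROM %s', tbl) INTO n;
  RETURN n;
END;
$$;

-- 4. Verification queries. Everything is schema-qualified with pg_catalog so
--    the check itself cannot be subverted by a shadowed function name.
--    Expected: can_create = false for app_user on public after step 1.
SELECT n.nspname,
       pg_catalog.has_schema_privilege('app_user', n.nspname, 'CREATE') AS can_create
FROM pg_catalog.pg_namespace AS n
WHERE n.nspname = 'public';

-- Expected in a session opened as app_user: "$user"
SHOW search_path;
```

The REVOKE in step 1 is the single change the wiki treats as the baseline; steps 2 and 3 are what keep unqualified references in application code and in functions resolving to the intended objects even if a database has many roles creating their own schemas.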
databases/cegobridge: update 1.3.0 -> 1.4.0
cego:
- Fix in CegoTableManager::updateTuple: while setting up the expression
list, the field list array must be set up BEFORE the block is set, since
the field list is needed by block setup (in case of subqueries for
prepare)
cegobridge:
- Adaptations for cego-2.39
Submitted by: Bjoern Lemke <lemke@lemke-it.com>
- Introduced table locking statements to set an explicit lock on a
table (e.g. for update synchronisation). This feature replaces
the "set update sync on/off" command
- Trigger implementation basically completed
- Fix in CegoQueryHelper::encodeFVL: for blob/clob value lists,
the corresponding index variables (blobidx/clobidx) were not
increased while encoding lob data. This might lead to invalid results
and seg faults in case of multiple lob values in one insert/update
operation.
Submitted by: Bjoern Lemke <lemke@lemke-it.com>
- For heavy update operations on tables with btrees using embedding
transactions, duplicate btree errors may occur. This is caused
by not checking the corresponding tuple states. To solve this problem,
the following fixes have been done:
o Fix in CegoTableManager::checkBTreeIntegrity: the tuple state for
found entries has to be checked if state = COMMITTED
o Fix in CegoBTreeNode::checkForAffected (was checkForDeleted before):
the tuple state has already been checked for state
INSERTED if tid != dataTid
Submitted by: Bjoern Lemke <lemke@lemke-it.com>
While here:
- set EXPIRATION_DATE and mark DEPRECATED because of incoming EOL
- clean up conflicts
- add LIB_DEPENDS when option is set
- regenerate patches with make makepatch
Upstream has renamed its libraries and we no longer need to patch
devel/qscintilla-qt5 to create a library whose name does not conflict with
devel/qscintilla's. However, the library names are different so we need to bump
PORTREVISION in several ports (the SOVERSION has changed too).
Thanks to antoine for the exp-run.
PR: 225928
toplsqltext.cpp:80:19: error: cannot initialize a member subobject of type 'const char *' with an rvalue of type 'bool'
{ NULL, NULL, false, false}
^~~~~
The current rc.d script uses the pidfile variable before it is
defined. This breaks the daemon script.
Approved by: jrm (mentor), sunpoet
MFH: 2018Q1
Sponsored by: https://iwantmyname.com/
Differential Revision: https://reviews.freebsd.org/D13580
This prepares the update of www/gitlab to 10.4,
which requires this specific version
Submitted by: Matthias Fechner <idefix@fechner.net>
Reviewed by: swills, tz
This prepares the update of www/gitlab to 10.4,
which requires this specific version
Submitted by: Matthias Fechner <idefix@fechner.net>
Reviewed by: swills, tz
This prepares the update of www/gitlab to 10.4,
which requires this specific version
Submitted by: Matthias Fechner <idefix@fechner.net>
Reviewed by: swills, tz
r460809 started installing .pyi with the %%PYTHON3%% substitution in the
plists. Support for .pyi files was added in Python 3.5, and PyQt's configure.py
only installs the files on Python >= 3.5.
This patch removes the version checks from configure.py (the files are just
unused in earlier Python versions), as it is easier than checking Python 3's
version in each PyQt port's Makefile (or to add the logic to Mk/Uses/pyqt.mk).
PR: 225773
Reviewed by: tcberner
Differential Revision: https://reviews.freebsd.org/D14361
- Fix in dbcheck/check065.sql for union SQL in a view. Aliases must
now be set up for attributes in the selection
Submitted by: Bjoern Lemke <lemke@lemke-it.com>
2018-01-01 devel/p5-Parse-Pidl: yes
2018-02-08 devel/rubygem-piston: No longer maintained upstream
2017-04-05 databases/postgresql92-server: PostgreSQL 9.2 support has reached End-of-Life. Please upgrade to a later version.
This is done for
* consistency,
* and to simplify the import of the newer KDE Plasma5 desktop and KDE applications
Bumps the dependencies.
Reviewed by: adridg
Differential Revision: https://reviews.freebsd.org/D12979
This removes build dependency on gcc and runtime dependency on gcc's runtime libraries.
Big thanks to Gleb for working on this.
PR: 225185
Submitted by: Gleb Popov <6yearold@gmail.com>
Exp-run by: antoine
Reviewed by: pgj
Differential Revision: https://reviews.freebsd.org/D12043
Now that both USE_GCC and -CURRENT default to C++14 there's little
reason to complicate maintenance. Revert r449685 to usher consumers
into post-C++11 world.
PR: 222433 222434 222435
While we're here, fix up some variable names to ensure that all of the
scripts work (e.g., /usr/local/etc/rc.d/neo4j).
Approved by: crees
Differential Revision: https://reviews.freebsd.org/D14260
2018-02-08 Security Update Release
==================================
The PostgreSQL Global Development Group has released an update to all supported
versions of our database system, including 10.2, 9.6.7, 9.5.11, 9.4.16, 9.3.21.
This release fixes two security issues. This release also fixes issues with
VACUUM, GIN indexes, and hash indexes that could lead to data corruption, as
well as fixes for using parallel queries and logical replication.
All users using the affected versions of PostgreSQL should update as soon as
possible. Please see the notes on "Updating" below for any post-update steps
that may be required.
Please note that PostgreSQL changed its versioning scheme with the release of
version 10.0, so updating to version 10.2 from 10.0 or 10.1 is considered a
minor update.
Security Issues
---------------
Two security vulnerabilities have been fixed by this release:
* CVE-2018-1052: Fix the processing of partition keys containing multiple
expressions
* CVE-2018-1053: Ensure that all temporary files made with "pg_upgrade" are
non-world-readable
Local fixes to the FreeBSD ports
--------------------------------
Inform users about data checksums [1].
Make sure /usr/bin/su is used regardless of PATH settings [2].
Enable DTRACE by default [3].
PR: 214671 [1], 223157 [2], 215028 [3]
Security: c602c791-0cf4-11e8-a2ec-6cc21735f730
After r328331 changes in head/etc/rc.subr, having "NO" in mysql_limits
goes into "limits" command params as is.
So this patch substitutes the "NO" appropriately when needed.
PR: 225657
Reported by: robbak@gmail.com
Reviewed by: Rainer Hurling <rhurlin@gwdg.de>
Sponsored by: Netzkommune GmbH
Part of the pkg-message talks about the .mysql_secret file, which
is no longer the case for the new mysql56 release.
Delete the no-longer-valid part.
(The case is still a thing for 57 and 80)
PR: 225696
Reported by: knezour@weboutsourcing.cz
Sponsored by: Netzkommune GmbH
<ChangeLog>
Upgrade urgency CRITICAL ONLY for Redis Cluster users. Otherwise no reason
to upgrade at all.
Redis 4.0.8 fixes a single critical bug in the radix tree data structure
used for Redis Cluster key slot tracking. The problem was actually fixed
10 months ago in unstable, but it was fixed in a commit related to Streams,
so it was never backported (by mistake) into the 4.0 branch.
The problem will crash Redis Cluster instances during deletions, but it is
very hard to trigger: only when the node removed is at the edge of a memory
mapped area are the conditions present to create an issue, because otherwise
the code just accesses an out-of-range word in a read-only way in an allocated
structure: this is almost always harmless.
</ChangeLog>
- Fix in CegoTableManager::createForeignKey: for empty tables,
referenced attribute names were not checked. This might lead
to invalid key objects.
- Fix in CegoSelect::prepare: expression aliases in the select list are
now checked for union selects. The alias definition in the select expression
list should be identical for all select statements in a union
Submitted by: Bjoern Lemke <lemke@lemke-it.com>
- Convert USE_EMACS to USES=emacs
- Remove editors/emacs-nox11 (refer to nox flavors of editors/emacs and
editors/emacs-devel)
- Permit default Emacs flavor to be specified in make.conf
- Rename japanese/migemo-emacs23 to japanese/migemo-emacs
- Update and simplify audio/emms and fix build on FreeBSD 10 [1]
- Update databases/bbdd and fix build on FreeBSD 10 [1]
- Update editors/emacs-devel
- Ensure Makefile shell commands that change directory are executed in a
subshell
- Silence some portlint warnings
[1] By not depending on base texinfo
PR: 225404
Reviewed by: antoine
Approved by: portmgr (mat) ashish (maintainer)
Differential Revision: https://reviews.freebsd.org/D13506