A major security issue fixed in this release, CVE-2013-1899, makes it possible to craft a connection request containing a database name that begins with "-" which can damage or destroy files within a server's data directory. Anyone with access to the port the PostgreSQL server listens on can initiate this request.
Two lesser security fixes are also included in this release: CVE-2013-1900, wherein random numbers generated by contrib/pgcrypto functions may be easy for another database user to guess, and CVE-2013-1901, which mistakenly allows an unprivileged user to run commands that could interfere with in-progress backups. Finally, this release fixes two security issues with the graphical installers for Linux and Mac OS X: insecure passing of superuser passwords to a script (CVE-2013-1903) and the use of predictable filenames in /tmp (CVE-2013-1902).
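The trigger for CVE-2013-1899 is a database name in the client's startup message, so a network-level check can see it before it reaches a vulnerable server. The following is an added example, not PostgreSQL project code: it encodes and decodes the standard v3 StartupMessage (Int32 length, Int32 protocol version 196608, NUL-terminated key/value strings, closing NUL) and flags any message whose effective database name begins with "-". The sample messages are constructed here; the function names are this example's own. Note that it only detects the trigger at a proxy or in captured traffic; the fix is the upgrade the announcement describes.

```python
"""Added example: parse PostgreSQL v3 StartupMessages and flag a database
name beginning with "-" (the CVE-2013-1899 trigger). Not PostgreSQL code."""
import struct
from typing import Dict, Optional

PROTOCOL_V3 = (3 << 16) | 0  # 196608, the v3 wire protocol version number


def build_startup_message(params: Dict[str, str]) -> bytes:
    """Encode a StartupMessage: Int32 length (self-inclusive), Int32 version,
    then NUL-terminated key/value strings, closed by a single NUL byte."""
    body = b"".join(
        k.encode() + b"\x00" + v.encode() + b"\x00" for k, v in params.items()
    ) + b"\x00"
    return struct.pack("!II", 8 + len(body), PROTOCOL_V3) + body


def parse_startup_message(data: bytes) -> Dict[str, str]:
    """Decode a StartupMessage into its parameter dictionary, rejecting
    malformed framing instead of guessing at it."""
    if len(data) < 9:
        raise ValueError("too short to be a startup message")
    length, version = struct.unpack("!II", data[:8])
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes received")
    if version != PROTOCOL_V3:
        raise ValueError(f"not a v3 StartupMessage (version {version})")
    fields = data[8:].split(b"\x00")
    # Every value ends in NUL and the list ends in one more NUL, so a
    # well-formed message splits into an even count with two trailing empties.
    if fields[-2:] != [b"", b""] or len(fields) % 2 != 0:
        raise ValueError("parameter list is not properly NUL-terminated")
    pairs = fields[:-2]
    return {pairs[i].decode(): pairs[i + 1].decode() for i in range(0, len(pairs), 2)}


def effective_database(params: Dict[str, str]) -> Optional[str]:
    """The database the server would open: the 'database' parameter, or the
    user name when 'database' is absent (PostgreSQL's default)."""
    return params.get("database") or params.get("user")


def flags_dash_database(data: bytes) -> bool:
    """True when the startup message names a database starting with '-'."""
    return (effective_database(parse_startup_message(data)) or "").startswith("-")


if __name__ == "__main__":
    # Constructed sample messages: one ordinary, one carrying the trigger.
    benign = build_startup_message({"user": "app", "database": "appdb"})
    trigger = build_startup_message({"user": "app", "database": "-x"})
    for label, msg in (("benign", benign), ("trigger", trigger)):
        print(label, parse_startup_message(msg), "flagged" if flags_dash_database(msg) else "ok")
```

Dropping or alerting on flagged messages at a front-end proxy covers the window before every server is patched; the parser raises on bad framing so a truncated or non-v3 message is never silently passed through as clean.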
to tech-pkg:
=====
* USE_BUILDLINK3=YES will be unconditional. (In fact, USE_BUILDLINK3 will be ignored altogether by mk/; but see below.)
* NO_BUILDLINK and NO_WRAPPER will be ignored by mk/. If a build happens, these phases will happen.
* The existing NO_BUILD will imply the previous NO_BUILDLINK and NO_WRAPPER. If no build happens, those phases are not needed.
* NO_TOOLS will be ignored by mk/. The tools phase, which provides much more than just the C compiler, will always happen regardless of package. This will make metapackage builds only slightly slower, in trade for far less user error.
pkgsrc. It is modeled after lang/python/pyversion.mk and like it
could be influenced by user- and package-settable variables.
More precisely, its behaviour is controlled by the following two variables:
- PGSQL_VERSION_DEFAULT
  A user-settable variable to choose the default PostgreSQL version.
  Default: 74
- PGSQL_VERSIONS_ACCEPTED
  A package-settable list of PostgreSQL versions accepted by the package.
  Default: 74 73
After postgresql-* has been reimported as postgresql73* all depending
packages should be changed to use mk/pgsql.buildlink3.mk.