pkgsrc/databases/postgresql11-docs
adam 7cec332570 postgresqlNN: updated to 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24
PostgreSQL 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24

Security Issues

Four security vulnerabilities have been closed by this release:

CVE-2019-10208: TYPE in pg_temp executes arbitrary SQL during SECURITY DEFINER execution

Versions Affected: 9.4 - 11

Given a suitable SECURITY DEFINER function, an attacker can execute arbitrary SQL under the identity of the function owner. An attack requires EXECUTE permission on the function, which must itself contain a function call having inexact argument type match. For example, length('foo'::varchar) and length('foo') are inexact, while length('foo'::text) is exact. As part of exploiting this vulnerability, the attacker uses CREATE DOMAIN to create a type in a pg_temp schema. The attack pattern and fix are similar to that for CVE-2007-2138.

Writing SECURITY DEFINER functions continues to require
following the considerations noted in the documentation:


The PostgreSQL project thanks Tom Lane for reporting this problem.

CVE-2019-10209: Memory disclosure in cross-type comparison for hashed subplan

Versions Affected: 11

In a database containing hypothetical, user-defined hash equality operators, an attacker could read arbitrary bytes of server memory. For an attack to become possible, a superuser would need to create unusual operators. It is possible for operators not purpose-crafted for attack to have the properties that enable an attack, but we are not aware of specific examples.

The PostgreSQL project thanks Andreas Seltenreich for reporting this problem.

CVE-2019-10210: EnterpriseDB Windows installer writes PostgreSQL superuser password to unprotected temporary file

Versions Affected: The EnterpriseDB Windows installer for versions 9.4 - 11

The EnterpriseDB Windows installer writes a password to a temporary file in its installation directory, creates initial databases, and deletes the file. During those seconds while the file exists, a local attacker can read the PostgreSQL superuser password from the file.

The PostgreSQL project thanks Noah Misch for reporting this problem.

CVE-2019-10211: EnterpriseDB Windows installer bundled OpenSSL executes code from unprotected directory

Versions Affected: The EnterpriseDB Windows installer for versions 9.4 - 11

When the database server or libpq client library initializes SSL, libeay32.dll attempts to read configuration from a hard-coded directory. Typically, the directory does not exist, but any local user could create it and inject configuration. This configuration can direct OpenSSL to load and execute arbitrary code as the user running a PostgreSQL server or client. Most PostgreSQL client tools and libraries use libpq, and one can encounter this vulnerability by using any of them. This vulnerability is much like CVE-2019-5443, but it originated independently. One can work around the vulnerability by setting environment variable OPENSSL_CONF to "NUL:/openssl.cnf" or any other name that cannot exist as a file.

The PostgreSQL project thanks Daniel Gustafsson of the curl security team for reporting this problem.

Bug Fixes and Improvements

This update also fixes over 40 bugs that were reported in the last several months. Some of these issues affect only version 11, but many affect all supported versions.

Some of these fixes include:

Fix for ALTER TABLE ... ALTER COLUMN TYPE when multiple column types are modified in a single-command. This issue was introduced in the previous cumulative update (11.4, 10.9, 9.6.14, 9.5.18, 9.4.23, and 12 beta 2).
Ensure that partition key columns will not be dropped as the result of an "indirect drop," such as from a cascade from dropping the key column's data type (e.g. a custom data type). This fix is applied only to newly created partitioned tables: if you believe you have an affected partition table (e.g. one where the partition key uses a custom data type), you will need to either create a new table and move your data into it OR use pg_upgrade.
Prevent dropping a partitioned table's trigger if there are pending trigger events in child partitions. This particularly affects foreign key constraints, which are implemented by triggers.
Several additional fixes for partitioning, including a fix for partition pruning that could lead to inefficient queries.
Fix for parallel hash joins that could lead to duplicate result rows in EXISTS queries.
Several fixes for the query planner.
Several fixes for issues that would lead to query deadlocks.
Fix for multi-column foreign keys when rebuilding a foreign key constraint.
Prevent extended statistics from being built for inherited tables.
Fix for the canonicalization of date ranges that include -infinity/infinity endpoints to ensure the behavior matches the documentation.
Fix loss of fractional digits when converting very large money values to numeric.
Fix for PL/pgSQL functions that return composite types.
Make libpq ignore the \r carriage return in connection service files, which was causing connection failures in some edge cases.
Several fixes for psql, which includes avoiding incorrect tab completion options after SET variable =.
Improve reliability of contrib/amcheck's index verification.
Set initdb to prefer the timezone behavior defined by the C library instead of what is defined by localtime or posixrules. This ensures PostgreSQL uses the "real" timezone name instead of an artificial name.
Fix pg_dump to ensure that custom operator classes are dumped in the correct order to prevent creating an unrestorable dump.
Fix possible lockup in pgbench when using -R option.
Fix spinlock assembly code for MIPS CPUs so that it works on MIPS r6.
This update also contains tzdata release 2019b for DST law changes in Brazil, plus historical corrections for Hong Kong, Italy, and Palestine. This update also adds support for zic's new -b slim option to reduce the size of the installed zone files, though it is not currently being used by PostgreSQL.
2019-08-11 11:40:10 +00:00
..
DESCR
Makefile
PLIST postgresqlNN: updated to 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 2019-08-11 11:40:10 +00:00