a19564c6fa
PostgreSQL 14.1, 13.5, 12.9, 11.14, 10.19, and 9.6.24 Security Issues CVE-2021-23214: Server processes unencrypted bytes from man-in-the-middle Versions Affected: 9.6 - 14. The security team typically does not test unsupported versions, but this problem is quite old. When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption. The PostgreSQL project thanks Jacob Champion for reporting this problem. CVE-2021-23222: libpq processes unencrypted bytes from man-in-the-middle Versions Affected: 9.6 - 14. The security team typically does not test unsupported versions, but this problem is quite old. A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. If more preconditions hold, the attacker can exfiltrate the client's password or other confidential data that might be transmitted early in a session. The attacker must have a way to trick the client's intended server into making the confidential data accessible to the attacker. A known implementation having that property is a PostgreSQL configuration vulnerable to CVE-2021-23214. As with any exploitation of CVE-2021-23214, the server must be using trust authentication with a clientcert requirement or using cert authentication. To disclose a password, the client must be in possession of a password, which is atypical when using an authentication configuration vulnerable to CVE-2021-23214. The attacker must have some other way to access the server to retrieve the exfiltrated data (a valid, unprivileged login account would be sufficient). The PostgreSQL project thanks Jacob Champion for reporting this problem. Bug Fixes and Improvements This update fixes over 40 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 14. Some of these issues may also affect other supported versions of PostgreSQL. Some of these fixes include: Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record. When applying this update, update your standby servers before the primary so that they will be ready to handle the fix if the primary happens to crash. Fix parallel VACUUM so that it will process indexes below the min_parallel_index_scan_size threshold if the table has at least two indexes that are above that size. This problem does not affect autovacuum. If you are affected by this issue, you should reindex any manually-vacuumed tables. Fix causes of CREATE INDEX CONCURRENTLY and REINDEX CONCURRENTLY writing corrupt indexes. You should reindex any concurrently-built indexes. Fix for attaching/detaching a partition that could allow certain INSERT/UPDATE queries to misbehave in active sessions. Fix for creating a new range type with CREATE TYPE that could cause problems for later event triggers or subsequent executions of the CREATE TYPE command. Fix updates of element fields in arrays of a domain that is a part of a composite. Disallow the combination of FETCH FIRST WITH TIES and FOR UPDATE SKIP LOCKED. Fix corner-case loss of precision in the numeric power() function. Fix restoration of a Portal's snapshot inside a subtransaction, which could lead to a crash. For example, this could occur in PL/pgSQL when a COMMIT is immediately followed by a BEGIN ... EXCEPTION block that performs a query. Clean up correctly if a transaction fails after exporting its snapshot. This could occur if a replication slot was created then rolled back, and then another replication slot was created in the same session. Fix for "overflowed-subtransaction" wraparound tracking on standby servers that could lead to performance degradation. Ensure that prepared transactions are properly accounted for during promotion of a standby server. Ensure that the correct lock level is used when renaming a table. Avoid crash when dropping a role that owns objects being dropped concurrently. Disallow setting huge_pages to on when shared_memory_type is sysv Fix query type checking in the PL/pgSQL RETURN QUERY. Several fixes for pg_dump, including the ability to dump non-global default privileges correctly. Use the CLDR project's data to map Windows time zone names to IANA time zones. This update also contains tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga. Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.
138 lines
4.5 KiB
Text
138 lines
4.5 KiB
Text
# $NetBSD: Makefile.common,v 1.17 2021/11/16 10:14:37 adam Exp $
|
|
#
|
|
# This Makefile fragment is included by all PostgreSQL packages built from
|
|
# the main sources of the PostgreSQL distribution except jdbc-postgresql.
|
|
#
|
|
# The PostgreSQL package naming scheme, aside from the obvious piecewise
|
|
# packages, is as follows:
|
|
# <lang>-postgresql client-side interface to PostgreSQL
|
|
# postgresql-<lang> server-side module for PostgreSQL backend
|
|
#
|
|
# used by databases/postgresql12-client/Makefile
|
|
# used by databases/postgresql12-contrib/Makefile
|
|
# used by databases/postgresql12-docs/Makefile
|
|
# used by databases/postgresql12-plperl/Makefile
|
|
# used by databases/postgresql12-plpython/Makefile
|
|
# used by databases/postgresql12-pltcl/Makefile
|
|
# used by databases/postgresql12-server/Makefile
|
|
|
|
DISTNAME= postgresql-12.9
|
|
CATEGORIES= databases
|
|
MASTER_SITES= ${MASTER_SITE_PGSQL:=source/v${PKGVERSION_NOREV}/}
|
|
EXTRACT_SUFX= .tar.bz2
|
|
|
|
MAINTAINER?= adam@NetBSD.org
|
|
HOMEPAGE= https://www.postgresql.org/
|
|
LICENSE= postgresql-license
|
|
|
|
CONFLICTS+= postgresql-[0-9]*
|
|
CONFLICTS+= postgresql[2-9][0-9]-[0-9]*
|
|
|
|
.if !empty(PKGNAME:M*-*-*)
|
|
module= ${PKGNAME:C/-[0-9].*$//:C/^.*-//}
|
|
CONFLICTS+= postgresql[2-9][0-9]-${module}-[0-9]*
|
|
.endif
|
|
|
|
DISTINFO_FILE?= ${.CURDIR}/../../databases/postgresql12/distinfo
|
|
PATCHDIR?= ${.CURDIR}/../../databases/postgresql12/patches
|
|
|
|
USE_PKGLOCALEDIR= yes
|
|
USE_TOOLS+= bison gmake lex
|
|
PKG_SYSCONFSUBDIR= postgresql
|
|
|
|
.include "../../mk/bsd.prefs.mk"
|
|
|
|
PG_TEMPLATE.SunOS= solaris
|
|
PG_TEMPLATE.IRIX= irix5
|
|
PG_TEMPLATE.MirBSD= openbsd
|
|
PG_TEMPLATE.DragonFly= freebsd
|
|
.if !defined(PG_TEMPLATE.${OPSYS})
|
|
PG_TEMPLATE.${OPSYS}= ${LOWER_OPSYS}
|
|
.endif
|
|
|
|
PG_DATA_DIR= ${PREFIX}/share/postgresql
|
|
PG_DOC_DIR= ${PREFIX}/share/doc/postgresql
|
|
PG_LOCALE_DIR= ${PREFIX}/${PKGLOCALEDIR}/locale
|
|
PG_ETC_DIR= ${PKG_SYSCONFDIR}
|
|
|
|
GNU_CONFIGURE= yes
|
|
CONFIGURE_ARGS+= --sysconfdir=${PG_ETC_DIR}
|
|
CONFIGURE_ARGS+= --datadir=${PG_DATA_DIR}
|
|
CONFIGURE_ARGS+= --docdir=${PG_DOC_DIR}
|
|
CONFIGURE_ARGS+= --localedir=${PG_LOCALE_DIR}
|
|
CONFIGURE_ARGS+= --with-template=${PG_TEMPLATE.${OPSYS}}
|
|
|
|
CONFIGURE_ARGS+= --with-libxml
|
|
CONFIGURE_ARGS+= --with-readline
|
|
CONFIGURE_ARGS+= --without-perl
|
|
CONFIGURE_ARGS+= --without-python
|
|
CONFIGURE_ARGS+= --without-tcl
|
|
|
|
# avoid pointing to a wrapper
|
|
CONFIGURE_ENV+= MSGFMT=${TOOLS_PATH.msgfmt}
|
|
|
|
# sys/ucred.h shouldn't be included on Solaris, causes conflicts between
|
|
# procfs and largefile.
|
|
CONFIGURE_ENV.SunOS+= ac_cv_header_sys_ucred_h=no
|
|
|
|
# pkgsrc silently filters the --as-needed linker arg, but that makes
|
|
# it leak into the pgxs Makefiles and compromises manual building
|
|
# against PostgreSQL files installed. Disable it here to prevent
|
|
# that from happening.
|
|
.if ${OPSYS} == "SunOS" || ${OPSYS} == "Darwin"
|
|
CONFIGURE_ENV+= pgac_cv_prog_cc_ldflags__Wl___as_needed=no
|
|
.endif
|
|
|
|
# Postgres on Alpha has no spinlock or memory barrier implementation
|
|
# and is "unlikely to work correctly".
|
|
# https://www.postgresql.org/message-id/E1X0yaj-000753-N6%40gemulon.postgresql.org
|
|
BROKEN_ON_PLATFORM+= *-*-alpha
|
|
|
|
.if ${MACHINE_ARCH} == "sparc"
|
|
CFLAGS.NetBSD+= -D__sparc_v8__
|
|
.endif
|
|
|
|
# configure fails on OpenBSD and MirBSD if thread safety is enabled.
|
|
CONFIGURE_ARGS.MirBSD+= --disable-thread-safety
|
|
CONFIGURE_ARGS.OpenBSD+= --disable-thread-safety
|
|
|
|
# PGSQL_BLCKSZ is the size in bytes of a PostgreSQL disk page or block.
|
|
# This also limits the size of a tuple. The valid values are powers
|
|
# of 2 up to 32768, and the default size is 8196. Please don't change
|
|
# this value unless you know what you are doing.
|
|
BUILD_DEFS+= PGSQL_BLCKSZ
|
|
.if defined(PGSQL_BLCKSZ)
|
|
CONFIGURE_ARGS+= --with-blocksize=${PGSQL_BLCKSZ}
|
|
.endif
|
|
|
|
# UUID support for contrib/uuid-ossp
|
|
# It has to be defined here, because it affects Makefile.global
|
|
.if ${OPSYS:M*BSD}
|
|
CONFIGURE_ARGS+= --with-uuid=bsd
|
|
.elif ${OPSYS} == "Darwin" || ${OPSYS} == "Linux"
|
|
CONFIGURE_ARGS+= --with-uuid=e2fs
|
|
.include "../../devel/libuuid/buildlink3.mk"
|
|
.elif ${OPSYS} == "SunOS"
|
|
CONFIGURE_ARGS+= --with-uuid=ossp
|
|
.include "../../devel/ossp-uuid/buildlink3.mk"
|
|
.endif
|
|
|
|
# PostgreSQL explicitly forbids any use of -ffast-math
|
|
BUILDLINK_TRANSFORM+= rm:-ffast-math
|
|
|
|
.include "../../devel/zlib/buildlink3.mk"
|
|
.include "../../textproc/libxml2/buildlink3.mk"
|
|
|
|
.include "../../mk/readline.buildlink3.mk"
|
|
.if ${READLINE_TYPE} == "editline"
|
|
CONFIGURE_ARGS+= --with-libedit-preferred
|
|
.endif
|
|
|
|
.if !defined(META_PACKAGE)
|
|
post-extract:
|
|
${TOUCH} ${WRKSRC}/src/template/dragonfly
|
|
${CP} ${WRKSRC}/src/makefiles/Makefile.freebsd \
|
|
${WRKSRC}/src/makefiles/Makefile.dragonfly
|
|
.endif
|
|
|
|
.include "../../databases/postgresql12/options.mk"
|