From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Cc: Carmel
Subject: Re: How to handle postgresql82-client vulnerability
Date: Fri, 13 Apr 2012 13:11:52 +0100
Message-ID: <4F881808.9080007@FreeBSD.org>
On 13/04/2012 12:23, Carmel wrote:
> I am working on an older machine that has "postgresql-client-8.2.23"
> installed. I have the following information regarding the program:
>
> $ pkg_info -R postgresql-client-8.2.23
> Information for postgresql-client-8.2.23:
>
> Required by:
> koffice-kde4-2.3.3_7
> postgresql-libpqxx-3.0.2
>
> Attempting to build the program produces this error:
>
> ===> postgresql-client-8.2.23 is forbidden: Vulnerable http://www.postgresql.org/about/news/1377/.
> *** Error code 1
>
> Stop in /usr/ports/databases/postgresql82-client.

postgresql-8.2 is out of support upstream. It's only still in the ports
because no one has realised it's past its expiry date and removed it yet.
Given the unfixed security problems, you should upgrade to a newer
version ASAP.

> I cannot find anything in the UPDATING or MOVED files that details how
> to deal with this. Would something like:
>
> portupgrade -o databases/postgresql90-client postgresql82-client
>
> be the proper way to handle this problem? Would I then have to rebuild
> koffice-kde4-2.3.3_7 and postgresql-libpqxx-3.0.2 to ensure that
> everything works correctly?

Correct, as far as dealing with the ports goes. Yes, you will have to
recompile anything that links against libpq.so.X, which is probably more
than shows up in the output of 'pkg_info -R' -- you can use the lib_chk
script from bsdadminscripts to find everything that needs to be rebuilt.
Or just 'portmaster -r databases/postgresql90-client'

However, there is no guarantee that you can just start up postgresql90
and expect it to work with the postgresql82 data directory. (Although
why not postgresql91 rather than 90? There's no good reason not to use
the latest release.)

As the ports don't support installing several versions of postgresql
simultaneously, or encode the postgres version into the PGDATA path
(which is a fairly standard approach on various other unixoid
environments) you won't be able to use pg_upgrade easily.

Given that in-place updates are not feasible, you should dump the
contents of your database cluster and then reload it into a newly
created cluster using the latest version. The PG documentation
recommends using the client from the version you are updating to for
creating the dumps, or else they may not reload cleanly. In fact, there
are changes between 8.x and 9.0 to do with the encoding of non-ascii
character data which are quite likely to cause difficulties for you.
Note that you can install an updated client on a different box and dump
remotely as a relatively simple way of using a new client to access an
older DB.

Ideally you should create a brand new DB cluster on a separate system,
so you can have as many goes at pulling the data over from your original
database as you need to get it right without destroying the originals.
If you lack the resources to do that, then better make sure you've got
good backups.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
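The dump-and-reload procedure Matthew describes, written out as an added shell example that is not part of the original thread or of the FreeBSD ports: it checks that the pg_dumpall in PATH is at least as new as the old server (a dumper can read older servers but not newer ones), warns about SQL_ASCII databases (the kind most likely to trip over the stricter encoding validation of newer servers), keeps the dump on disk, and reloads it into a freshly initialised cluster with ON_ERROR_STOP so a partial reload cannot pass as success. The host names, ports and superuser role are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: migrate a PostgreSQL cluster
# by dumping the old server with the *new* client and reloading the dump
# into a newly created cluster.  Hosts, ports and the role passed in are
# assumed for illustration; run it from a box that has the new client.
set -eu

# Pull the PostgreSQL major out of a version banner: "8.2" for
# "pg_dumpall (PostgreSQL) 8.2.23" or "PostgreSQL 8.2.23 on amd64-...",
# and "12" for 12.x and later, where the major is a single number.
pg_major() {
    full=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*$/\1/p')
    [ -n "$full" ] || return 1
    major=${full%%.*}
    minor=${full#*.}
    [ "$minor" = "$full" ] && minor=0        # banner had no dot at all
    minor=${minor%%.*}
    if [ "$major" -ge 10 ]; then
        printf '%s\n' "$major"
    else
        printf '%s.%s\n' "$major" "$minor"
    fi
}

# True when major version $1 is at least $2 (e.g. 9.1 >= 8.2, 12 >= 9.1).
# pg_dumpall can read servers older than itself but not newer ones, so the
# dumper must satisfy: version_ge "$dumper" "$server".
version_ge() {
    a1=${1%%.*}; a2=${1#*.}; [ "$a2" = "$1" ] && a2=0
    b1=${2%%.*}; b2=${2#*.}; [ "$b2" = "$2" ] && b2=0
    [ "$a1" -gt "$b1" ] || { [ "$a1" -eq "$b1" ] && [ "$a2" -ge "$b2" ]; }
}

# Dump roles plus every database from the old server into a file, then
# reload that file into the new cluster.  The old server is only read.
migrate_cluster() {
    old_host=$1; old_port=$2; new_host=$3; new_port=$4; dbuser=$5

    dumper=$(pg_major "$(pg_dumpall --version)")
    server=$(pg_major "$(psql -X -At -h "$old_host" -p "$old_port" \
                 -U "$dbuser" -d postgres -c 'SELECT version()')")
    if ! version_ge "$dumper" "$server"; then
        echo "pg_dumpall $dumper is older than the $server server;" \
             "install the new client first" >&2
        return 1
    fi

    # Caveat: a SQL_ASCII database may hold bytes that are not valid in the
    # encoding of the new cluster, and newer servers reject such rows on
    # reload instead of storing them unchecked.  Flag those databases now.
    psql -X -At -h "$old_host" -p "$old_port" -U "$dbuser" -d postgres -c \
        "SELECT datname FROM pg_database
          WHERE pg_encoding_to_char(encoding) = 'SQL_ASCII'
            AND NOT datistemplate" |
    while read -r db; do
        echo "warning: database $db is SQL_ASCII; check its non-ASCII data" >&2
    done

    # Keep the dump on disk so a failed reload can be retried (or inspected)
    # without touching the old server again.
    dumpfile=${DUMPFILE:-cluster-from-pg$server.sql}
    pg_dumpall -h "$old_host" -p "$old_port" -U "$dbuser" > "$dumpfile"

    # ON_ERROR_STOP makes the first failed statement abort the reload with a
    # non-zero status, rather than skipping it and reporting success.
    psql -X -v ON_ERROR_STOP=1 -h "$new_host" -p "$new_port" -U "$dbuser" \
         -d postgres -f "$dumpfile"
}

# Usage (assumed hosts): ./migrate.sh old.example.org 5432 new.example.org 5432 pgsql
if [ $# -eq 5 ]; then
    migrate_cluster "$@"
fi
```

The version check is the point the reply makes about dumping with the new client: pg_dumpall from 8.2 will happily produce a dump of an 8.2 server that a 9.x server may then refuse, whereas the 9.x pg_dumpall emits SQL the 9.x server accepts. Rebuilding the ports that link against libpq (the 'portmaster -r' step above) is separate from this and still has to be done on the FreeBSD host.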