From owner-svn-ports-head@FreeBSD.ORG Thu Apr 4 13:21:26 2013
Return-Path:
Delivered-To: svn-ports-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id B1D0F667; Thu, 4 Apr 2013 13:21:26 +0000 (UTC) (envelope-from girgen@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 9556DFFC; Thu, 4 Apr 2013 13:21:26 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r34DLQAV064771; Thu, 4 Apr 2013 13:21:26 GMT (envelope-from girgen@svn.freebsd.org)
Received: (from girgen@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r34DLN1G064749; Thu, 4 Apr 2013 13:21:23 GMT (envelope-from girgen@svn.freebsd.org)
Message-Id: <201304041321.r34DLN1G064749@svn.freebsd.org>
From: Palle Girgensohn
Date: Thu, 4 Apr 2013 13:21:23 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r315718 - in head: databases/postgresql83-client databases/postgresql83-contrib databases/postgresql83-server databases/postgresql83-server/files databases/postgresql84-server databases...
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for the ports tree for head
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 04 Apr 2013 13:21:26 -0000

Author: girgen
Date: Thu Apr 4 13:21:22 2013
New Revision: 315718

URL: http://svnweb.freebsd.org/changeset/ports/315718

Log:
  The PostgreSQL Global Development Group has released a security update to all current versions of the PostgreSQL database system, including versions 9.2.4, 9.1.9, 9.0.13, and 8.4.17. This update fixes a high-exposure security vulnerability in versions 9.0 and later. All users of the affected versions are strongly urged to apply the update *immediately*.

  A major security issue (for versions 9.x only) fixed in this release, [CVE-2013-1899](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899), makes it possible for a connection request containing a database name that begins with "-" to be crafted that can damage or destroy files within a server's data directory. Anyone with access to the port the PostgreSQL server listens on can initiate this request. This issue was discovered by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source Software Center.
Two lesser security fixes are also included in this release: [CVE-2013-1900](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900), wherein random numbers generated by contrib/pgcrypto functions may be easy for another database user to guess (all versions), and [CVE-2013-1901](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901), which mistakenly allows an unprivileged user to run commands that could interfere with in-progress backups (for versions 9.x only). Approved by: portmgr (bdrewery) URL: http://www.postgresql.org/about/news/1456/ Security: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899 Security: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900 Security: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901 Added: head/databases/postgresql83-server/files/patch-ssl-init-state (contents, props changed) Modified: head/databases/postgresql83-client/Makefile head/databases/postgresql83-contrib/Makefile head/databases/postgresql83-server/Makefile head/databases/postgresql84-server/Makefile head/databases/postgresql84-server/distinfo head/databases/postgresql90-server/Makefile head/databases/postgresql90-server/distinfo head/databases/postgresql90-server/pkg-plist-server head/databases/postgresql91-server/Makefile head/databases/postgresql91-server/distinfo head/databases/postgresql91-server/pkg-plist-server head/databases/postgresql92-server/Makefile head/databases/postgresql92-server/distinfo head/databases/postgresql92-server/pkg-plist-server head/security/vuxml/vuln.xml Modified: head/databases/postgresql83-client/Makefile ============================================================================== --- head/databases/postgresql83-client/Makefile Thu Apr 4 13:08:21 2013 (r315717) +++ head/databases/postgresql83-client/Makefile Thu Apr 4 13:21:22 2013 (r315718) 
@@ -8,8 +8,9 @@ # See Mk/bsd.databases.mk for more info PORTNAME= postgresql +PORTREVISION= 0 +PORTEPOCH= 1 PKGNAMESUFFIX= -client -PORTEPOCH= 1 COMMENT= PostgreSQL database (client) Modified: head/databases/postgresql83-contrib/Makefile ============================================================================== --- head/databases/postgresql83-contrib/Makefile Thu Apr 4 13:08:21 2013 (r315717) +++ head/databases/postgresql83-contrib/Makefile Thu Apr 4 13:21:22 2013 (r315718) @@ -2,6 +2,7 @@ # $FreeBSD$ PORTNAME= postgresql +PORTREVISION= 0 PKGNAMESUFFIX= -contrib CATEGORIES= databases Modified: head/databases/postgresql83-server/Makefile ============================================================================== --- head/databases/postgresql83-server/Makefile Thu Apr 4 13:08:21 2013 (r315717) +++ head/databases/postgresql83-server/Makefile Thu Apr 4 13:21:22 2013 (r315718) @@ -6,7 +6,7 @@ # DISTVERSION?= 8.3.23 -PORTREVISION?= 0 +PORTREVISION?= 1 PKGNAMESUFFIX?= -server MAINTAINER?= pgsql@FreeBSD.org Added: head/databases/postgresql83-server/files/patch-ssl-init-state ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/databases/postgresql83-server/files/patch-ssl-init-state Thu Apr 4 13:21:22 2013 (r315718) 
@@ -0,0 +1,25 @@ +--- src/backend/postmaster/fork_process.c.orig 2013-02-04 22:29:07.000000000 +0100 ++++ src/backend/postmaster/fork_process.c 2013-04-02 12:57:18.489126586 +0200 +@@ -15,6 +15,9 @@ + #include + #include + #include ++#ifdef USE_SSL ++#include ++#endif + + #ifndef WIN32 + /* +@@ -60,6 +63,12 @@ + setitimer(ITIMER_PROF, &prof_itimer, NULL); + #endif + ++ /* ++ * Make sure processes do not share OpenSSL randomness state. ++ */ ++#ifdef USE_SSL ++ RAND_cleanup(); ++#endif + } + + return result; Modified: head/databases/postgresql84-server/Makefile ============================================================================== --- head/databases/postgresql84-server/Makefile Thu Apr 4 13:08:21 2013 (r315717) +++ head/databases/postgresql84-server/Makefile Thu Apr 4 13:21:22 2013 (r315718) @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME?= postgresql -DISTVERSION?= 8.4.16 +DISTVERSION?= 8.4.17 PORTREVISION?= 0 CATEGORIES?= databases MASTER_SITES= PGSQL Modified: head/databases/postgresql84-server/distinfo ============================================================================== --- head/databases/postgresql84-server/distinfo Thu Apr 4 13:08:21 2013 (r315717) +++ head/databases/postgresql84-server/distinfo Thu Apr 4 13:21:22 2013 (r315718) 
@@ -1,4 +1,4 @@ -SHA256 (postgresql/postgresql-8.4.16.tar.bz2) = 8d03d94d3957019227066f427ccb11232a823f2558e2f57e1ea2bc9ba004612f -SIZE (postgresql/postgresql-8.4.16.tar.bz2) = 14784029 +SHA256 (postgresql/postgresql-8.4.17.tar.bz2) = dc884c34ec3535d9f8b579155948a703def0574aca47292b97b82a8189cd0436 +SIZE (postgresql/postgresql-8.4.17.tar.bz2) = 14795028 SHA256 (postgresql/pg-840-icu-2009-09-15.diff.gz) = c09d3b59340a3bb6ea754e985739d4fbb47f730d1e48a357c5585825034fc72e SIZE (postgresql/pg-840-icu-2009-09-15.diff.gz) = 4321 Modified: head/databases/postgresql90-server/Makefile ============================================================================== --- head/databases/postgresql90-server/Makefile Thu Apr 4 13:08:21 2013 (r315717) +++ head/databases/postgresql90-server/Makefile Thu Apr 4 13:21:22 2013 (r315718) @@ -5,7 +5,7 @@ # $FreeBSD$ # -DISTVERSION?= 9.0.12 +DISTVERSION?= 9.0.13 PORTREVISION= 0 PKGNAMESUFFIX?= -server Modified: head/databases/postgresql90-server/distinfo ============================================================================== --- head/databases/postgresql90-server/distinfo Thu Apr 4 13:08:21 2013 (r315717) +++ head/databases/postgresql90-server/distinfo Thu Apr 4 13:21:22 2013 (r315718) 
@@ -1,4 +1,4 @@ -SHA256 (postgresql/postgresql-9.0.12.tar.bz2) = 80f06873cbdc8789abe6806dc52a708d9a7f4ac5432ffea4c069cbc33b2b1524 -SIZE (postgresql/postgresql-9.0.12.tar.bz2) = 15122949 +SHA256 (postgresql/postgresql-9.0.13.tar.bz2) = 51aea4d099defaee307ec3b9900837446931d1aa0c6717070fa25ed033af9977 +SIZE (postgresql/postgresql-9.0.13.tar.bz2) = 15139873 SHA256 (postgresql/pg-900-icu-2010-09-19.diff.gz) = 27cea46241ec814965c278330cd96f67ee03422b7758a210713a63b4b5bb77e9 SIZE (postgresql/pg-900-icu-2010-09-19.diff.gz) = 4349 Modified: head/databases/postgresql90-server/pkg-plist-server ============================================================================== --- head/databases/postgresql90-server/pkg-plist-server Thu Apr 4 13:08:21 2013 (r315717) +++ head/databases/postgresql90-server/pkg-plist-server Thu Apr 4 13:21:22 2013 (r315718) @@ -410,6 +410,7 @@ share/postgresql/snowball_create.sql %%TZDATA%%share/postgresql/timezone/Asia/Kashgar %%TZDATA%%share/postgresql/timezone/Asia/Kathmandu %%TZDATA%%share/postgresql/timezone/Asia/Katmandu +%%TZDATA%%share/postgresql/timezone/Asia/Khandyga %%TZDATA%%share/postgresql/timezone/Asia/Kolkata %%TZDATA%%share/postgresql/timezone/Asia/Krasnoyarsk %%TZDATA%%share/postgresql/timezone/Asia/Kuala_Lumpur @@ -454,6 +455,7 @@ share/postgresql/snowball_create.sql %%TZDATA%%share/postgresql/timezone/Asia/Ulaanbaatar %%TZDATA%%share/postgresql/timezone/Asia/Ulan_Bator %%TZDATA%%share/postgresql/timezone/Asia/Urumqi +%%TZDATA%%share/postgresql/timezone/Asia/Ust-Nera %%TZDATA%%share/postgresql/timezone/Asia/Vientiane %%TZDATA%%share/postgresql/timezone/Asia/Vladivostok %%TZDATA%%share/postgresql/timezone/Asia/Yakutsk 
@@ -562,6 +564,7 @@ share/postgresql/snowball_create.sql %%TZDATA%%share/postgresql/timezone/Europe/Brussels %%TZDATA%%share/postgresql/timezone/Europe/Bucharest %%TZDATA%%share/postgresql/timezone/Europe/Budapest +%%TZDATA%%share/postgresql/timezone/Europe/Busingen %%TZDATA%%share/postgresql/timezone/Europe/Chisinau %%TZDATA%%share/postgresql/timezone/Europe/Copenhagen %%TZDATA%%share/postgresql/timezone/Europe/Dublin Modified: head/databases/postgresql91-server/Makefile ============================================================================== --- head/databases/postgresql91-server/Makefile Thu Apr 4 13:08:21 2013 (r315717) +++ head/databases/postgresql91-server/Makefile Thu Apr 4 13:21:22 2013 (r315718) @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME?= postgresql -DISTVERSION?= 9.1.8 +DISTVERSION?= 9.1.9 PORTREVISION?= 0 CATEGORIES?= databases MASTER_SITES= PGSQL Modified: head/databases/postgresql91-server/distinfo ============================================================================== --- head/databases/postgresql91-server/distinfo Thu Apr 4 13:08:21 2013 (r315717) +++ head/databases/postgresql91-server/distinfo Thu Apr 4 13:21:22 2013 (r315718) 
@@ -1,4 +1,4 @@ -SHA256 (postgresql/postgresql-9.1.8.tar.bz2) = 1d88f9dda24062dbfcc09aca9a316981f2aa93322613b853cf32d7a431b44c6d -SIZE (postgresql/postgresql-9.1.8.tar.bz2) = 15815313 +SHA256 (postgresql/postgresql-9.1.9.tar.bz2) = 28a533e181009308722e8b3c51f1ea7224ab910c380ac1a86f07118667602dd8 +SIZE (postgresql/postgresql-9.1.9.tar.bz2) = 15815421 SHA256 (postgresql/pg-910-icu-2012-12-19.diff.gz) = 61ef9c9b55b63b63b0fb108dfef086f92e9c43b5bd934fab9639b31f91193611 SIZE (postgresql/pg-910-icu-2012-12-19.diff.gz) = 4386 Modified: head/databases/postgresql91-server/pkg-plist-server ============================================================================== --- head/databases/postgresql91-server/pkg-plist-server Thu Apr 4 13:08:21 2013 (r315717) +++ head/databases/postgresql91-server/pkg-plist-server Thu Apr 4 13:21:22 2013 (r315718) @@ -417,6 +417,7 @@ share/postgresql/snowball_create.sql %%TZDATA%%share/postgresql/timezone/Asia/Kashgar %%TZDATA%%share/postgresql/timezone/Asia/Kathmandu %%TZDATA%%share/postgresql/timezone/Asia/Katmandu +%%TZDATA%%share/postgresql/timezone/Asia/Khandyga %%TZDATA%%share/postgresql/timezone/Asia/Kolkata %%TZDATA%%share/postgresql/timezone/Asia/Krasnoyarsk %%TZDATA%%share/postgresql/timezone/Asia/Kuala_Lumpur @@ -461,6 +462,7 @@ share/postgresql/snowball_create.sql %%TZDATA%%share/postgresql/timezone/Asia/Ulaanbaatar %%TZDATA%%share/postgresql/timezone/Asia/Ulan_Bator %%TZDATA%%share/postgresql/timezone/Asia/Urumqi +%%TZDATA%%share/postgresql/timezone/Asia/Ust-Nera %%TZDATA%%share/postgresql/timezone/Asia/Vientiane %%TZDATA%%share/postgresql/timezone/Asia/Vladivostok %%TZDATA%%share/postgresql/timezone/Asia/Yakutsk 
@@ -569,6 +571,7 @@ share/postgresql/snowball_create.sql %%TZDATA%%share/postgresql/timezone/Europe/Brussels %%TZDATA%%share/postgresql/timezone/Europe/Bucharest %%TZDATA%%share/postgresql/timezone/Europe/Budapest +%%TZDATA%%share/postgresql/timezone/Europe/Busingen %%TZDATA%%share/postgresql/timezone/Europe/Chisinau %%TZDATA%%share/postgresql/timezone/Europe/Copenhagen %%TZDATA%%share/postgresql/timezone/Europe/Dublin Modified: head/databases/postgresql92-server/Makefile ============================================================================== --- head/databases/postgresql92-server/Makefile Thu Apr 4 13:08:21 2013 (r315717) +++ head/databases/postgresql92-server/Makefile Thu Apr 4 13:21:22 2013 (r315718) @@ -2,11 +2,11 @@ # $FreeBSD$ PORTNAME?= postgresql -DISTVERSION?= 9.2.3 +DISTVERSION?= 9.2.4 PORTREVISION?= 0 CATEGORIES?= databases MASTER_SITES= PGSQL -MASTER_SITE_SUBDIR= source/v${DISTVERSION:S,beta,.0&,} +MASTER_SITE_SUBDIR= source/v${DISTVERSION} PKGNAMESUFFIX?= -server MAINTAINER?= pgsql@FreeBSD.org Modified: head/databases/postgresql92-server/distinfo ============================================================================== --- head/databases/postgresql92-server/distinfo Thu Apr 4 13:08:21 2013 (r315717) +++ head/databases/postgresql92-server/distinfo Thu Apr 4 13:21:22 2013 (r315718) 
@@ -1,4 +1,4 @@ -SHA256 (postgresql/postgresql-9.2.3.tar.bz2) = c4f5a63290c0c32d8d9899edee8188d0c8ab124a7199b154fac75e62eec35f7f -SIZE (postgresql/postgresql-9.2.3.tar.bz2) = 16371616 +SHA256 (postgresql/postgresql-9.2.4.tar.bz2) = d97dd918a88a4449225998f46aafa85216a3f89163a3411830d6890507ffae93 +SIZE (postgresql/postgresql-9.2.4.tar.bz2) = 16395184 SHA256 (postgresql/pg-910-icu-2012-12-19.diff.gz) = 61ef9c9b55b63b63b0fb108dfef086f92e9c43b5bd934fab9639b31f91193611 SIZE (postgresql/pg-910-icu-2012-12-19.diff.gz) = 4386 Modified: head/databases/postgresql92-server/pkg-plist-server ============================================================================== --- head/databases/postgresql92-server/pkg-plist-server Thu Apr 4 13:08:21 2013 (r315717) +++ head/databases/postgresql92-server/pkg-plist-server Thu Apr 4 13:21:22 2013 (r315718) @@ -122,6 +122,7 @@ share/postgresql/extension/plpgsql.contr %%GETTEXT%%share/locale/ru/LC_MESSAGES/plpgsql-9.2.mo %%GETTEXT%%share/locale/ru/LC_MESSAGES/postgres-9.2.mo %%GETTEXT%%share/locale/sv/LC_MESSAGES/initdb-9.2.mo +%%GETTEXT%%share/locale/sv/LC_MESSAGES/pg_ctl-9.2.mo %%GETTEXT%%share/locale/tr/LC_MESSAGES/initdb-9.2.mo %%GETTEXT%%share/locale/tr/LC_MESSAGES/pg_controldata-9.2.mo %%GETTEXT%%share/locale/tr/LC_MESSAGES/pg_resetxlog-9.2.mo @@ -413,6 +414,7 @@ share/postgresql/snowball_create.sql %%TZDATA%%share/postgresql/timezone/Asia/Kashgar %%TZDATA%%share/postgresql/timezone/Asia/Kathmandu %%TZDATA%%share/postgresql/timezone/Asia/Katmandu +%%TZDATA%%share/postgresql/timezone/Asia/Khandyga %%TZDATA%%share/postgresql/timezone/Asia/Kolkata %%TZDATA%%share/postgresql/timezone/Asia/Krasnoyarsk %%TZDATA%%share/postgresql/timezone/Asia/Kuala_Lumpur 
@@ -457,6 +459,7 @@ share/postgresql/snowball_create.sql %%TZDATA%%share/postgresql/timezone/Asia/Ulaanbaatar %%TZDATA%%share/postgresql/timezone/Asia/Ulan_Bator %%TZDATA%%share/postgresql/timezone/Asia/Urumqi +%%TZDATA%%share/postgresql/timezone/Asia/Ust-Nera %%TZDATA%%share/postgresql/timezone/Asia/Vientiane %%TZDATA%%share/postgresql/timezone/Asia/Vladivostok %%TZDATA%%share/postgresql/timezone/Asia/Yakutsk @@ -565,6 +568,7 @@ share/postgresql/snowball_create.sql %%TZDATA%%share/postgresql/timezone/Europe/Brussels %%TZDATA%%share/postgresql/timezone/Europe/Bucharest %%TZDATA%%share/postgresql/timezone/Europe/Budapest +%%TZDATA%%share/postgresql/timezone/Europe/Busingen %%TZDATA%%share/postgresql/timezone/Europe/Chisinau %%TZDATA%%share/postgresql/timezone/Europe/Copenhagen %%TZDATA%%share/postgresql/timezone/Europe/Dublin Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Apr 4 13:08:21 2013 (r315717) +++ head/security/vuxml/vuln.xml Thu Apr 4 13:21:22 2013 (r315718) @@ -51,6 +51,63 @@ Note: Please add new entries to the beg --> + + PostgreSQL -- anonymous remote access data corruption vulnerability + + + postgresql-server + 8.3.08.3.21_1 + 8.4.08.4.17 + 9.0.09.0.13 + 9.1.09.1.9 + 9.2.09.2.4 + + + + +

PostgreSQL project reports:

+
+

+ The PostgreSQL Global Development Group has released a security + update to all current versions of the PostgreSQL database system, + including versions 9.2.4, 9.1.9, 9.0.13, and 8.4.17. This update + fixes a high-exposure security vulnerability in versions 9.0 and + later. All users of the affected versions are strongly urged to apply + the update *immediately*. +

+

+ A major security issue (for versions 9.x only) fixed in this release, + [CVE-2013-1899](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899), + makes it possible for a connection request containing a database name + that begins with "-" to be crafted that can damage or destroy files + within a server's data directory. Anyone with access to the port the + PostgreSQL server listens on can initiate this request. This issue was + discovered by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source + Software Center. +

+

+ Two lesser security fixes are also included in this release: + [CVE-2013-1900](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900), + wherein random numbers generated by contrib/pgcrypto functions may be + easy for another database user to guess (all versions), and + [CVE-2013-1901](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901), + which mistakenly allows an unprivileged user to run commands that + could interfere with in-progress backups (for versions 9.x only). +

+
+ +
+ + CVE-2013-1899 + CVE-2013-1900 + CVE-2013-1901 + + + 2013-04-04 + 2013-04-04 + +
+ mozilla -- multiple vulnerabilities
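Review bot: in the patch-ssl-init-state hunk (postgresql83-server/files), all three existing `#include` lines and the new one under `#ifdef USE_SSL` show no header name; the new one has to be `<openssl/rand.h>`, which is where `RAND_cleanup()` is declared, so if the angle-bracketed names were dropped only by the mail rendering this is fine, but please check the file in the tree, because an empty `#include` does not build. The comment inside the patch ("Make sure processes do not share OpenSSL randomness state") would also be more useful to the next maintainer if it said this is the local backport of the CVE-2013-1900 fix for 8.3, which is not among the versions the upstream update in the log covers, so it is clear why only postgresql83-server carries a source patch while 8.4 and 9.x get plain DISTVERSION bumps.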
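Review bot: the vuln.xml hunk's first postgresql-server range reads (with the range tags stripped in this rendering) 8.3.0 and 8.3.21_1, i.e. fixed at 8.3.21_1, but the postgresql83-server Makefile hunk in this same commit shows `DISTVERSION?= 8.3.23` with `PORTREVISION?= 0` going to `1`, so the package that carries the fix is 8.3.23_1 and the still-vulnerable one is plain 8.3.23. With the upper bound left at 8.3.21_1, an unpatched 8.3.23 install compares as not affected and a vuxml audit would report it clean; the bound should be `8.3.23_1`.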
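Review bot: in the postgresql83-client and postgresql83-contrib Makefile hunks `PORTREVISION= 0` is added with a plain `=`, while postgresql83-server goes to `PORTREVISION?= 1`. If those two ports include the server Makefile, the plain assignment is exactly what keeps them from being bumped for a fix that only touches backend code (fork_process.c), which is the right outcome, but it looks like a mistake at first glance; a one-line comment above it ("server-only fix, do not inherit the bump") would stop a later committer from turning it back into `?=` and forcing a needless client/contrib rebuild. The reordering of `PORTEPOCH= 1` in the client hunk changes nothing functionally and could simply be left where it was.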
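Review bot: the postgresql92-server Makefile hunk changes `MASTER_SITE_SUBDIR` from `source/v${DISTVERSION:S,beta,.0&,}` to `source/v${DISTVERSION}`, which drops the beta-suffix rewriting; that is unrelated to the security update and is not mentioned in the log. It is harmless for 9.2.4, but a security commit is easier to audit and to MFH when it contains only the version bumps and patches it advertises, so either note the cleanup in the log or commit it separately.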