From owner-freebsd-questions@FreeBSD.ORG Fri Apr 13 13:30:42 2012
From: Amitabh Kant
Date: Fri, 13 Apr 2012 19:00:19 +0530
To: Matthew Seaman
Cc: Carmel, FreeBSD
In-Reply-To: <4F881808.9080007@FreeBSD.org>
Subject: Re: How to handle postgresql82-client vulnerability
List-Id: User questions (freebsd-questions@freebsd.org)

On Fri, Apr 13, 2012 at 5:41 PM, Matthew Seaman
wrote:

> On 13/04/2012 12:23, Carmel wrote:
> > I am working on an older machine that has "postgresql-client-8.2.23"
> > installed. I have the following information regarding the program:
> >
> > $ pkg_info -R postgresql-client-8.2.23
> > Information for postgresql-client-8.2.23:
> >
> > Required by:
> > koffice-kde4-2.3.3_7
> > postgresql-libpqxx-3.0.2
> >
> > Attempting to build the program produces this error:
> >
> > ===> postgresql-client-8.2.23 is forbidden: Vulnerable
> > http://www.postgresql.org/about/news/1377/.
> > *** Error code 1
> >
> > Stop in /usr/ports/databases/postgresql82-client.
>
> postgresql-8.2 is out of support upstream. It's only still in the ports
> because no one has realised it's past its expiry date and removed it yet.
>
> Given the unfixed security problems, you should upgrade to a newer
> version ASAP.
>
> > I cannot find anything in the UPDATING or MOVED files that details how
> > to deal with this. Would something like:
> >
> > portupgrade -o databases/postgresql90-client postgresql82-client
> >
> > be the proper way to handle this problem? Would I then have to rebuild
> > koffice-kde4-2.3.3_7 and postgresql-libpqxx-3.0.2 to ensure that
> > everything works correctly?
>
> Correct, as far as dealing with the ports goes. Yes, you will have to
> recompile anything that links against libpq.so.X, which is probably more
> than shows up in the output of 'pkg_info -R' -- you can use the lib_chk
> script from bsdadminscripts to find everything that needs to be rebuilt.
> Or just 'portmaster -r databases/postgresql90-client'
>
> However, there is no guarantee that you can just start up postgresql90
> and expect it to work with the postgresql82 data directory. (Although
> why not postgresql91 rather than 90? There's no good reason not to use
> the latest release.)
>
> As the ports don't support installing several versions of postgresql
> simultaneously, or encode the postgres version into the PGDATA path
> (which is a fairly standard approach on various other unixoid
> environments) you won't be able to use pg_upgrade easily.
>
> Given that in-place updates are not feasible, you should dump the
> contents of your database cluster and then reload it into a newly
> created cluster using the latest version. The PG documentation
> recommends using the client from the version you are updating to for
> creating the dumps, or else they may not reload cleanly. In fact, there
> are changes between 8.x and 9.0 to do with the encoding of non-ASCII
> character data which are quite likely to cause difficulties for you.
> Note that you can install an updated client on a different box and dump
> remotely as a relatively simple way of using a new client to access an
> older DB.
>
> Ideally you should create a brand new DB cluster on a separate system,
> so you can have as many goes at pulling the data over from your original
> database as you need to get it right without destroying the originals.
> If you lack the resources to do that, then better make sure you've got
> good backups.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.
> PGP: http://www.infracaninophile.co.uk/pgpkey
>

You will have to perform a dump & restore to move from 8.2.x to 9.0.x
(might as well move up to 9.1.x). The data directory compatibility is not
guaranteed across major versions.

Amitabh
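The dump-and-restore migration Matthew and Amitabh describe, written out as a shell script. This is an added example and not code from the thread, the FreeBSD ports or the PostgreSQL project. It dumps the 8.2 cluster with the newer client and refuses an older one (the PG recommendation Matthew cites), lists SQL_ASCII databases before the reload as the first place to look if non-ASCII rows are rejected, and loads the dump into the new cluster with ON_ERROR_STOP so an encoding error is not silently skipped. The host names, ports, dump path and the pgsql superuser (the FreeBSD port's default account) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: migrate an 8.2 cluster to a fresh
# 9.1 cluster by dump and restore, dumping with the NEWER client as the
# PostgreSQL docs recommend. Hostnames, ports, the dump path and the
# "pgsql" superuser (the FreeBSD port's default account) are assumptions.
set -u

OLD_HOST=${OLD_HOST:-olddb.example.org}   # assumed: box still running 8.2.23
OLD_PORT=${OLD_PORT:-5432}
NEW_HOST=${NEW_HOST:-localhost}           # assumed: fresh postgresql91 cluster
NEW_PORT=${NEW_PORT:-5432}
PGUSER=${PGUSER:-pgsql}
DUMP=${DUMP:-/var/backups/pg82-full.sql}  # assumed dump location

# "X.Y" from a version string: "pg_dumpall (PostgreSQL) 9.1.3" -> 9.1,
# psql's "SHOW server_version" output "8.2.23" -> 8.2; empty if none found
pg_major() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# true when major version $1 >= $2 (both "X.Y"); if/return form keeps the
# comparisons safe under set -e
ver_ge() {
    a1=${1%%.*}; a2=${1#*.}; b1=${2%%.*}; b2=${2#*.}
    if [ "$a1" -gt "$b1" ]; then return 0; fi
    if [ "$a1" -eq "$b1" ] && [ "$a2" -ge "$b2" ]; then return 0; fi
    return 1
}

# refuse to dump with a client older than the server we are migrating TO:
# $1 = client --version output, $2 = target server_version
dump_client_ok() {
    c=$(pg_major "$1"); s=$(pg_major "$2")
    if [ -z "$c" ] || [ -z "$s" ]; then return 2; fi
    ver_ge "$c" "$s"
}

# names of SQL_ASCII databases from "datname|encoding" lines on stdin,
# template databases skipped: their bytes were never validated, so they
# are the first place to look when the reload rejects non-ASCII data
sql_ascii_dbs() {
    awk -F'|' '$2 == "SQL_ASCII" && $1 !~ /^template/ { print $1 }'
}

old_psql() { psql -h "$OLD_HOST" -p "$OLD_PORT" -U "$PGUSER" -At -d postgres "$@"; }
new_psql() { psql -h "$NEW_HOST" -p "$NEW_PORT" -U "$PGUSER" -At -d postgres "$@"; }

# run from the box that has the new client: it connects to the old 8.2
# server over the network, as the thread suggests
dump_old_cluster() {
    client=$(pg_dumpall --version)
    target=$(new_psql -c 'SHOW server_version')
    if ! dump_client_ok "$client" "$target"; then
        echo "refusing: '$client' is older than target server $target" >&2
        return 1
    fi
    old_psql -c 'SELECT datname, pg_encoding_to_char(encoding) FROM pg_database' |
        sql_ascii_dbs |
        sed 's/^/warning: SQL_ASCII database, check its non-ASCII rows: /' >&2
    pg_dumpall -h "$OLD_HOST" -p "$OLD_PORT" -U "$PGUSER" > "$DUMP"
}

# stop at the first error (e.g. an invalid byte sequence) instead of
# skipping rows and ending up with a partial copy
restore_new_cluster() {
    new_psql -v ON_ERROR_STOP=1 -f "$DUMP"
}

# Ports side, from the thread (91 rather than 90, as Matthew suggests),
# once the restored cluster has been checked:
#   portupgrade -o databases/postgresql91-client postgresql82-client
#   portmaster -r databases/postgresql91-client   # rebuilds everything linking libpq.so.X

case "${1:-}" in
    dump)    dump_old_cluster ;;
    restore) restore_new_cluster ;;
    "")      ;;   # no argument: only define the functions
    *)       echo "usage: $0 dump|restore" >&2; exit 64 ;;
esac
```

Run "sh migrate.sh dump" on the machine that has the 9.1 client installed, then "sh migrate.sh restore" against the new cluster; if restore stops on an encoding error, the SQL_ASCII warnings printed during the dump tell you which database to inspect first. Only rebuild the ports dependents after the new cluster has been verified, so the original data stays untouched while you retry.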