Subject: CVS commit: [pkgsrc-2021Q3] pkgsrc/databases
From: Thomas Merkel
Date: 2021-11-24 15:31:21
Message id: 20211124143121.72CB8FAEC@cvs.NetBSD.org

Log Message:
Pullup ticket #6535 - requested by bsiegert
databases/postgresql: security fix

Revisions pulled up:
- databases/postgresql10-docs/PLIST                             1.20
- databases/postgresql10-server/PLIST                           1.10
- databases/postgresql10/Makefile                               1.27
- databases/postgresql10/Makefile.common                        1.31
- databases/postgresql10/distinfo                               1.25
- databases/postgresql11-docs/PLIST                             1.15
- databases/postgresql11-server/PLIST                           1.5
- databases/postgresql11/Makefile.common                        1.24
- databases/postgresql11/distinfo                               1.20
- databases/postgresql12-docs/PLIST                             1.10
- databases/postgresql12-server/PLIST                           1.6
- databases/postgresql12/Makefile                               1.18
- databases/postgresql12/Makefile.common                        1.17
- databases/postgresql12/distinfo                               1.14
- databases/postgresql13-client/PLIST                           1.5
- databases/postgresql13-docs/PLIST                             1.6
- databases/postgresql13-server/PLIST                           1.4
- databases/postgresql13/Makefile                               1.9
- databases/postgresql13/Makefile.common                        1.10
- databases/postgresql13/distinfo                               1.10
- databases/postgresql96-docs/PLIST                             1.24
- databases/postgresql96-server/PLIST                           1.9
- databases/postgresql96/Makefile                               1.16
- databases/postgresql96/Makefile.common                        1.36
- databases/postgresql96/distinfo                               1.29

---
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Tue Nov 16 10:14:39 UTC 2021

   Modified Files:
           pkgsrc/databases/postgresql10: Makefile.common distinfo
           pkgsrc/databases/postgresql10-docs: PLIST
           pkgsrc/databases/postgresql10-server: PLIST
           pkgsrc/databases/postgresql11: Makefile.common distinfo
           pkgsrc/databases/postgresql11-docs: PLIST
           pkgsrc/databases/postgresql11-server: PLIST
           pkgsrc/databases/postgresql12: Makefile.common distinfo
           pkgsrc/databases/postgresql12-docs: PLIST
           pkgsrc/databases/postgresql12-server: PLIST
           pkgsrc/databases/postgresql13: Makefile.common distinfo
           pkgsrc/databases/postgresql13-client: PLIST
           pkgsrc/databases/postgresql13-docs: PLIST
           pkgsrc/databases/postgresql13-server: PLIST
           pkgsrc/databases/postgresql96: Makefile.common distinfo
           pkgsrc/databases/postgresql96-docs: PLIST
           pkgsrc/databases/postgresql96-server: PLIST

   Log Message:
   postgresql: updated to 13.5, 12.9, 11.14, 10.19, 9.6.24

   PostgreSQL 13.5, 12.9, 11.14, 10.19, and 9.6.24

   Security Issues

   CVE-2021-23214: Server processes unencrypted bytes from man-in-the-middle

   Versions Affected: 9.6 - 14. The security team typically does not test
   unsupported versions, but this problem is quite old.

   When the server is configured to use trust authentication with a
   clientcert requirement or to use cert authentication, a
   man-in-the-middle attacker can inject arbitrary SQL queries when a
   connection is first established, despite the use of SSL certificate
   verification and encryption.

   The PostgreSQL project thanks Jacob Champion for reporting this problem.

   CVE-2021-23222: libpq processes unencrypted bytes from man-in-the-middle

   Versions Affected: 9.6 - 14. The security team typically does not test
   unsupported versions, but this problem is quite old.

   A man-in-the-middle attacker can inject false responses to the
   client's first few queries, despite the use of SSL certificate
   verification and encryption.

   If more preconditions hold, the attacker can exfiltrate the client's
   password or other confidential data that might be transmitted early in
   a session. The attacker must have a way to trick the client's intended
   server into making the confidential data accessible to the attacker. A
   known implementation having that property is a PostgreSQL
   configuration vulnerable to CVE-2021-23214.

   As with any exploitation of CVE-2021-23214, the server must be using
   trust authentication with a clientcert requirement or using cert
   authentication. To disclose a password, the client must be in
   possession of a password, which is atypical when using an
   authentication configuration vulnerable to CVE-2021-23214. The
   attacker must have some other way to access the server to retrieve the
   exfiltrated data (a valid, unprivileged login account would be
   sufficient).

   The PostgreSQL project thanks Jacob Champion for reporting this problem.

   Bug Fixes and Improvements

   This update fixes over 40 bugs that were reported in the last several
   months. The issues listed below affect PostgreSQL 14. Some of these
   issues may also affect other supported versions of PostgreSQL.

   Some of these fixes include:

   Fix physical replication for cases where the primary crashes after
   shipping a WAL segment that ends with a partial WAL record. When
   applying this update, update your standby servers before the primary
   so that they will be ready to handle the fix if the primary happens to
   crash.
   Fix parallel VACUUM so that it will process indexes below the
   min_parallel_index_scan_size threshold if the table has at least two
   indexes that are above that size. This problem does not affect
   autovacuum. If you are affected by this issue, you should reindex any
   manually-vacuumed tables.
   Fix causes of CREATE INDEX CONCURRENTLY and REINDEX CONCURRENTLY
   writing corrupt indexes. You should reindex any concurrently-built
   indexes.
   Fix for attaching/detaching a partition that could allow certain
   INSERT/UPDATE queries to misbehave in active sessions.
   Fix for creating a new range type with CREATE TYPE that could cause
   problems for later event triggers or subsequent executions of the
   CREATE TYPE command.
   Fix updates of element fields in arrays of a domain that is a part of
   a composite.
   Disallow the combination of FETCH FIRST WITH TIES and FOR UPDATE SKIP LOCKED.
   Fix corner-case loss of precision in the numeric power() function.
   Fix restoration of a Portal's snapshot inside a subtransaction, which
   could lead to a crash. For example, this could occur in PL/pgSQL when
   a COMMIT is immediately followed by a BEGIN ... EXCEPTION block that
   performs a query.
   Clean up correctly if a transaction fails after exporting its
   snapshot. This could occur if a replication slot was created then
   rolled back, and then another replication slot was created in the same
   session.
   Fix for "overflowed-subtransaction" wraparound tracking on standby
   servers that could lead to performance degradation.
   Ensure that prepared transactions are properly accounted for during
   promotion of a standby server.
   Ensure that the correct lock level is used when renaming a table.
   Avoid crash when dropping a role that owns objects being dropped concurrently.
   Disallow setting huge_pages to on when shared_memory_type is sysv
   Fix query type checking in the PL/pgSQL RETURN QUERY.
   Several fixes for pg_dump, including the ability to dump non-global
   default privileges correctly.
   Use the CLDR project's data to map Windows time zone names to IANA time zones.
   This update also contains tzdata release 2021e for DST law changes in
   Fiji, Jordan, Palestine, and Samoa, plus historical corrections for
   Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.

   Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton.
   Also, the following zones have been merged into nearby, more-populous
   zones whose clocks have agreed with them since 1970: Africa/Accra,
   America/Atikokan, America/Blanc-Sablon, America/Creston,
   America/Curacao, America/Nassau, America/Port_of_Spain,
   Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases,
   the previous zone name remains as an alias.

---
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Tue Nov 16 10:17:40 UTC 2021

   Modified Files:
           pkgsrc/databases/postgresql10: Makefile
           pkgsrc/databases/postgresql12: Makefile
           pkgsrc/databases/postgresql13: Makefile
           pkgsrc/databases/postgresql96: Makefile

   Log Message:
   postgresqlNN: reset revision

Files:
RevisionActionfile
1.30.2.1modifypkgsrc/databases/postgresql10/Makefile.common
1.22.2.1modifypkgsrc/databases/postgresql10/distinfo
1.19.2.1modifypkgsrc/databases/postgresql10-docs/PLIST
1.9.12.1modifypkgsrc/databases/postgresql10-server/PLIST
1.23.2.1modifypkgsrc/databases/postgresql11/Makefile.common
1.17.2.1modifypkgsrc/databases/postgresql11/distinfo
1.14.2.1modifypkgsrc/databases/postgresql11-docs/PLIST
1.4.12.1modifypkgsrc/databases/postgresql11-server/PLIST
1.16.2.1modifypkgsrc/databases/postgresql12/Makefile.common
1.11.2.1modifypkgsrc/databases/postgresql12/distinfo
1.9.2.1modifypkgsrc/databases/postgresql12-docs/PLIST
1.5.10.1modifypkgsrc/databases/postgresql12-server/PLIST
1.9.2.1modifypkgsrc/databases/postgresql13/Makefile.common
1.7.2.1modifypkgsrc/databases/postgresql13/distinfo
1.4.4.1modifypkgsrc/databases/postgresql13-client/PLIST
1.5.2.1modifypkgsrc/databases/postgresql13-docs/PLIST
1.3.4.1modifypkgsrc/databases/postgresql13-server/PLIST
1.35.2.1modifypkgsrc/databases/postgresql96/Makefile.common
1.26.2.1modifypkgsrc/databases/postgresql96/distinfo
1.23.2.1modifypkgsrc/databases/postgresql96-docs/PLIST
1.8.12.1modifypkgsrc/databases/postgresql96-server/PLIST