Path to this page:
Subject: CVS commit: [pkgsrc-2021Q3] pkgsrc/databases
From: Thomas Merkel
Date: 2021-11-24 15:31:21
Message id: 20211124143121.72CB8FAEC@cvs.NetBSD.org
Log Message:
Pullup ticket #6535 - requested by bsiegert
databases/postgresql: security fix
Revisions pulled up:
- databases/postgresql10-docs/PLIST 1.20
- databases/postgresql10-server/PLIST 1.10
- databases/postgresql10/Makefile 1.27
- databases/postgresql10/Makefile.common 1.31
- databases/postgresql10/distinfo 1.25
- databases/postgresql11-docs/PLIST 1.15
- databases/postgresql11-server/PLIST 1.5
- databases/postgresql11/Makefile.common 1.24
- databases/postgresql11/distinfo 1.20
- databases/postgresql12-docs/PLIST 1.10
- databases/postgresql12-server/PLIST 1.6
- databases/postgresql12/Makefile 1.18
- databases/postgresql12/Makefile.common 1.17
- databases/postgresql12/distinfo 1.14
- databases/postgresql13-client/PLIST 1.5
- databases/postgresql13-docs/PLIST 1.6
- databases/postgresql13-server/PLIST 1.4
- databases/postgresql13/Makefile 1.9
- databases/postgresql13/Makefile.common 1.10
- databases/postgresql13/distinfo 1.10
- databases/postgresql96-docs/PLIST 1.24
- databases/postgresql96-server/PLIST 1.9
- databases/postgresql96/Makefile 1.16
- databases/postgresql96/Makefile.common 1.36
- databases/postgresql96/distinfo 1.29
---
Module Name: pkgsrc
Committed By: adam
Date: Tue Nov 16 10:14:39 UTC 2021
Modified Files:
pkgsrc/databases/postgresql10: Makefile.common distinfo
pkgsrc/databases/postgresql10-docs: PLIST
pkgsrc/databases/postgresql10-server: PLIST
pkgsrc/databases/postgresql11: Makefile.common distinfo
pkgsrc/databases/postgresql11-docs: PLIST
pkgsrc/databases/postgresql11-server: PLIST
pkgsrc/databases/postgresql12: Makefile.common distinfo
pkgsrc/databases/postgresql12-docs: PLIST
pkgsrc/databases/postgresql12-server: PLIST
pkgsrc/databases/postgresql13: Makefile.common distinfo
pkgsrc/databases/postgresql13-client: PLIST
pkgsrc/databases/postgresql13-docs: PLIST
pkgsrc/databases/postgresql13-server: PLIST
pkgsrc/databases/postgresql96: Makefile.common distinfo
pkgsrc/databases/postgresql96-docs: PLIST
pkgsrc/databases/postgresql96-server: PLIST
Log Message:
postgresql: updated to 13.5, 12.9, 11.14, 10.19, 9.6.24
PostgreSQL 13.5, 12.9, 11.14, 10.19, and 9.6.24
Security Issues
CVE-2021-23214: Server processes unencrypted bytes from man-in-the-middle
Versions Affected: 9.6 - 14. The security team typically does not test
unsupported versions, but this problem is quite old.
When the server is configured to use trust authentication with a
clientcert requirement or to use cert authentication, a
man-in-the-middle attacker can inject arbitrary SQL queries when a
connection is first established, despite the use of SSL certificate
verification and encryption.
The PostgreSQL project thanks Jacob Champion for reporting this problem.
CVE-2021-23222: libpq processes unencrypted bytes from man-in-the-middle
Versions Affected: 9.6 - 14. The security team typically does not test
unsupported versions, but this problem is quite old.
A man-in-the-middle attacker can inject false responses to the
client's first few queries, despite the use of SSL certificate
verification and encryption.
If more preconditions hold, the attacker can exfiltrate the client's
password or other confidential data that might be transmitted early in
a session. The attacker must have a way to trick the client's intended
server into making the confidential data accessible to the attacker. A
known implementation having that property is a PostgreSQL
configuration vulnerable to CVE-2021-23214.
As with any exploitation of CVE-2021-23214, the server must be using
trust authentication with a clientcert requirement or using cert
authentication. To disclose a password, the client must be in
possession of a password, which is atypical when using an
authentication configuration vulnerable to CVE-2021-23214. The
attacker must have some other way to access the server to retrieve the
exfiltrated data (a valid, unprivileged login account would be
sufficient).
The PostgreSQL project thanks Jacob Champion for reporting this problem.
Bug Fixes and Improvements
This update fixes over 40 bugs that were reported in the last several
months. The issues listed below affect PostgreSQL 14. Some of these
issues may also affect other supported versions of PostgreSQL.
Some of these fixes include:
Fix physical replication for cases where the primary crashes after
shipping a WAL segment that ends with a partial WAL record. When
applying this update, update your standby servers before the primary
so that they will be ready to handle the fix if the primary happens to
crash.
Fix parallel VACUUM so that it will process indexes below the
min_parallel_index_scan_size threshold if the table has at least two
indexes that are above that size. This problem does not affect
autovacuum. If you are affected by this issue, you should reindex any
manually-vacuumed tables.
Fix causes of CREATE INDEX CONCURRENTLY and REINDEX CONCURRENTLY
writing corrupt indexes. You should reindex any concurrently-built
indexes.
Fix for attaching/detaching a partition that could allow certain
INSERT/UPDATE queries to misbehave in active sessions.
Fix for creating a new range type with CREATE TYPE that could cause
problems for later event triggers or subsequent executions of the
CREATE TYPE command.
Fix updates of element fields in arrays of a domain that is a part of
a composite.
Disallow the combination of FETCH FIRST WITH TIES and FOR UPDATE SKIP LOCKED.
Fix corner-case loss of precision in the numeric power() function.
Fix restoration of a Portal's snapshot inside a subtransaction, which
could lead to a crash. For example, this could occur in PL/pgSQL when
a COMMIT is immediately followed by a BEGIN ... EXCEPTION block that
performs a query.
Clean up correctly if a transaction fails after exporting its
snapshot. This could occur if a replication slot was created then
rolled back, and then another replication slot was created in the same
session.
Fix for "overflowed-subtransaction" wraparound tracking on standby
servers that could lead to performance degradation.
Ensure that prepared transactions are properly accounted for during
promotion of a standby server.
Ensure that the correct lock level is used when renaming a table.
Avoid crash when dropping a role that owns objects being dropped concurrently.
Disallow setting huge_pages to on when shared_memory_type is sysv
Fix query type checking in the PL/pgSQL RETURN QUERY.
Several fixes for pg_dump, including the ability to dump non-global
default privileges correctly.
Use the CLDR project's data to map Windows time zone names to IANA time zones.
This update also contains tzdata release 2021e for DST law changes in
Fiji, Jordan, Palestine, and Samoa, plus historical corrections for
Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.
Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton.
Also, the following zones have been merged into nearby, more-populous
zones whose clocks have agreed with them since 1970: Africa/Accra,
America/Atikokan, America/Blanc-Sablon, America/Creston,
America/Curacao, America/Nassau, America/Port_of_Spain,
Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases,
the previous zone name remains as an alias.
---
Module Name: pkgsrc
Committed By: adam
Date: Tue Nov 16 10:17:40 UTC 2021
Modified Files:
pkgsrc/databases/postgresql10: Makefile
pkgsrc/databases/postgresql12: Makefile
pkgsrc/databases/postgresql13: Makefile
pkgsrc/databases/postgresql96: Makefile
Log Message:
postgresqlNN: reset revision
Files: