Path to this page:
Subject: CVS commit: pkgsrc/databases
From: Adam Ciarcinski
Date: 2023-02-15 21:51:02
Message id: 20230215205102.D55B5FA90@cvs.NetBSD.org
Log Message:
postgresql: updated to 15.2, 14.7, 13.10, 12.14, and 11.19
Security Issues
CVE-2022-41862: Client memory disclosure when connecting, with Kerberos, to \
modified server.
Versions Affected: 12 - 15.
A modified, unauthenticated server or an unauthenticated man-in-the-middle can \
send an unterminated string during the establishment of Kerberos transport \
encryption. When a libpq client application has a Kerberos credential cache and \
doesn't explicitly disable option gssencmode, a server can cause libpq to \
over-read and report an error message containing uninitialized bytes from and \
following its receive buffer. If libpq's caller somehow makes that message \
accessible to the attacker, this achieves a disclosure of the over-read bytes. \
We have not confirmed or ruled out viability of attacks that arrange for a crash \
or for presence of notable, confidential information in disclosed bytes.
The PostgreSQL project thanks Jacob Champion for reporting this problem.
Bug Fixes and Improvements
This update fixes over 60 bugs that were reported in the last several months. \
The issues listed below affect PostgreSQL 15. Some of these issues may also \
affect other supported versions of PostgreSQL.
Included in this release:
Fix for partitioned tables to correctly update GENERATED columns in child tables \
if the GENERATED column does not exist in the parent table or the child \
generated column has different dependencies than the parent.
Several fixes for the MERGE command.
Allow a WITH RECURSIVE ... CYCLE query to access its SET output column.
Fix an issue with bulk insertions on foreign tables that could lead to logical \
inconsistencies, for example, a BEFORE ROW trigger may not process rows that \
should be available.
Reject uses of undefined variables in jsonpath existence checks.
Fix for jsonb subscripting that come directly from a text column in a table.
Honor updated values of checkpoint_completion_target on reload.
Log the correct ending timestamp in recovery_target_xid mode.
Fix issue to allow column lists longer than 100 when using logical replication.
Prevent "wrong tuple length" failure at the end of VACUUM.
Avoid an immediate commit after ANALYZE when using query pipelining.
Several fixes to the query planner, including one that provides more \
opportunities for using memoization with partitionwise joins.
Fix for statistics collection to correctly handle when a relation changes type \
(e.g. a table is converted to a view).
Ensure full text search queries can be cancelled while performing phrase matches.
Fix deadlock between DROP DATABASE and logical replication worker process.
Fix small session-lifespan memory leak when CREATE SUBSCRIPTION fails its \
connection attempt.
Performance improvement for replicas with hot_standby enabled that are \
processing SELECT queries.
Several fixes for logical decoding that improve its stability and bloat handling.
Fix the default logical replication plug-in, pgoutput, to not send columns that \
are not listed in a table's replication column list.
Fix possible corruption of very large tablespace map files in pg_basebackup.
Remove a harmless warning from pg_dump in --if-exists mode when the public \
schema has a non-default owner.
Fix the psql commands \sf and \ef to handle SQL-language functions that have \
SQL-standard function bodies (i.e. BEGIN ATOMIC).
Fix tab completion of ALTER FUNCTION/PROCEDURE/ROUTINE ... SET SCHEMA.
Update the pageinspect extension to mark its disk-accessing functions as \
PARALLEL RESTRICTED.
Fix the seg extension to not crash or print garbage if an input number has more \
than 127 digits.
Files: