FreeBSD ports tree https://cgit-dev.freebsd.org/ports/atom?h=2016Q3 2016-08-24T14:30:47Z 2016-08-24T14:30:47Z Mark Felder feld@FreeBSD.org 2016-08-24T14:30:47Z urn:sha1:29de818549a8b4350d60c0a7176c4129fe47d6f8 The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 9.5.4, 9.4.9, 9.3.14, 9.2.18 and 9.1.23. This release fixes two security issues. It also patches a number of other bugs reported over the last three months. Users who rely on security isolation between database users should update as soon as possible. Other users should plan to update at the next convenient downtime. If you are using the ICU patch, please consult UPDATING. Improve periodic cleanup, suggested by claudius (at) ambtec.de. [1] PR: 210941 [1] Security: CVE-2016-5423, CVE-2016-5424 Approved by: ports-secteam (with hat) 2016-06-17T23:28:04Z Mathieu Arnold mat@FreeBSD.org 2016-06-17T23:28:04Z urn:sha1:1a8a092d9fefcbd7f960c82c59802c61807867a6 While there, run make makepatch on affected ports, and rename patches accordingly. Sponsored by: Absolight 2016-05-19T11:09:14Z Dmitry Marakasov amdmi3@FreeBSD.org 2016-05-19T11:09:14Z urn:sha1:e87a8bd319cefd3a75d9d061fe9ac6bad980b0db Approved by: portmgr blanket 2016-05-12T22:36:10Z Palle Girgensohn girgen@FreeBSD.org 2016-05-12T22:36:10Z urn:sha1:71b54620678ff776dc658f03ada695403280ce37 URL: http://www.postgresql.org/docs/9.5/static/release-9-5-3.html 2016-03-31T14:46:39Z Palle Girgensohn girgen@FreeBSD.org 2016-03-31T14:46:39Z urn:sha1:4eb290d68e1808c543ee31a95a691ed9b4eb0b64 Security Fixes for RLS, BRIN ---------------------------- This release closes security hole CVE-2016-2193 (https://access.redhat.com/security/cve/CVE-2016-2193), where a query plan might get reused for more than one ROLE in the same session. This could cause the wrong set of Row Level Security (RLS) policies to be used for the query. The update also fixes CVE-2016-3065 (https://access.redhat.com/security/cve/CVE-2016-3065), a server crash bug triggered by using `pageinspect` with BRIN index pages. Since an attacker might be able to expose a few bytes of server memory, this crash is being treated as a security issue. Abbreviated Keys and Corrupt Indexes ------------------------------------ In this release, the PostgreSQL Project has been forced to disable 9.5's Abbreviated Keys performance feature for many indexes due to reports of index corruption. This may affect any B-tree indexes on TEXT, VARCHAR, and CHAR columns which are not in "C" locale. Indexes in other locales will lose the performance benefits of the feature, and should be REINDEXed in case of existing index corruption. The feature may be re-enabled in future versions if the project finds a solution for the problem. See the release notes, and the wiki page on this issue for more information: http://wiki.postgresql.org/abbreviatedkeys_issue URL: http://www.postgresql.org/about/news/1656/ URL: http://wiki.postgresql.org/abbreviatedkeys_issue Security: CVE-2016-2193 Security: CVE-2016-3065 2016-02-13T22:42:04Z Palle Girgensohn girgen@FreeBSD.org 2016-02-13T22:42:04Z urn:sha1:70a06c4f2e2e669f6795dcec5165c0ea83f94e3b Security Fixes for Regular Expressions, PL/Java This release closes security hole CVE-2016-0773, an issue with regular expression (regex) parsing. Prior code allowed users to pass in expressions which included out-of-range Unicode characters, triggering a backend crash. This issue is critical for PostgreSQL systems with untrusted users or which generate regexes based on user input. The update also fixes CVE-2016-0766, a privilege escalation issue for users of PL/Java. Certain custom configuration settings (GUCS) for PL/Java will now be modifiable only by the database superuser URL: http://www.postgresql.org/about/news/1644/ Security: CVE-2016-0773, CVE-2016-0766 2016-01-30T10:40:33Z Palle Girgensohn girgen@FreeBSD.org 2016-01-30T10:40:33Z urn:sha1:decd47b3e932bda471af3348b2a0285a5d6e5f77 Pointed out by: Nat Howard PR: 206750 2016-01-13T10:36:22Z Palle Girgensohn girgen@FreeBSD.org 2016-01-13T10:36:22Z urn:sha1:a9c901ec2bd7061cb5a9f38c4aa1b4608c00cf1f pg_upgrade. Other where added in 9.5, but the port failed to install them. Make sure they are properly installed by the correct port (-client or -server) [1] Remove unused and hence confusing OSSP_UUID parameters from Makefile [2] Add options to allow user to be set for the backup script in periodic. Add this option only to 9.5 for now. It will be updated to other servers at next regular patch release. [3] The path to perl in hard coded into pgxs/src/Makefile.global which is then installed. Hence, we must depend on perl when that file is installed. Noticed by: Paul Guyot [1] PR: 192387 [2] PR: 172110 [3] PR: 206046 [4] 2016-01-07T21:37:58Z Antoine Brodin antoine@FreeBSD.org 2016-01-07T21:37:58Z urn:sha1:ac2bef6825ff4dedb6ffe6bf41dd87d36ca14f14 While here, fix plist 2016-01-07T19:58:47Z Palle Girgensohn girgen@FreeBSD.org 2016-01-07T19:58:47Z urn:sha1:433061043695cb1661743d544689f34e707dd530 release of PostgreSQL 9.5. This release adds UPSERT capability, Row Level Security, and multiple Big Data features, which will broaden the user base for the world's most advanced database. With these new capabilities, PostgreSQL will be the best choice for even more applications for startups, large corporations, and government agencies. Release Notes: http://www.postgresql.org/docs/current/static/release-9-5.html What's New in 9.5: https://wiki.postgresql.org/wiki/What%27s_new_in_PostgreSQL_9.5