The PostgreSQL Global Development Group has released a security

update to all current versions of the PostgreSQL database system, including versions 9.2.4, 9.1.9, 9.0.13, and 8.4.17. This update fixes a high-exposure security vulnerability in versions 9.0 and later. All users of the affected versions are strongly urged to apply the update *immediately*. A major security issue (for versions 9.x only) fixed in this release, [CVE-2013-1899](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899), makes it possible for a connection request containing a database name that begins with "-" to be crafted that can damage or destroy files within a server's data directory. Anyone with access to the port the PostgreSQL server listens on can initiate this request. This issue was discovered by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source Software Center. Two lesser security fixes are also included in this release: [CVE-2013-1900](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900), wherein random numbers generated by contrib/pgcrypto functions may be easy for another database user to guess (all versions), and [CVE-2013-1901](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901), which mistakenly allows an unprivileged user to run commands that could interfere with in-progress backups (for versions 9.x only). Approved by: portmgr (bdrewery) URL: http://www.postgresql.org/about/news/1456/ Security: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899 Security: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900 Security: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901
svn path=/head/; revision=315718
2025-07-17 17:29:23 -04:00 · 2013-04-04 13:21:22 +00:00 · 2013-04-04 13:21:22 +00:00 · 7f4822d46a · 2021-03-31 03:12:20 +00:00
commit 7f4822d46a
parent cbdcb47c0b
16 changed files with 109 additions and 15 deletions
--- a/databases/postgresql83-client/Makefile
+++ b/databases/postgresql83-client/Makefile
@ -8,8 +8,9 @@
 # See Mk/bsd.databases.mk for more info

 PORTNAME=	postgresql
+PORTREVISION=	0
+PORTEPOCH=	1
 PKGNAMESUFFIX=	-client
-PORTEPOCH=	 1	

 COMMENT=	PostgreSQL database (client)

--- a/databases/postgresql83-contrib/Makefile
+++ b/databases/postgresql83-contrib/Makefile
@ -2,6 +2,7 @@
 # $FreeBSD$

 PORTNAME=	postgresql
+PORTREVISION=	0
 PKGNAMESUFFIX=	-contrib
 CATEGORIES=	databases

--- a/databases/postgresql83-server/Makefile
+++ b/databases/postgresql83-server/Makefile
@ -6,7 +6,7 @@
 #

 DISTVERSION?=	8.3.23
-PORTREVISION?=	0
+PORTREVISION?=	1
 PKGNAMESUFFIX?=	-server

 MAINTAINER?=	pgsql@FreeBSD.org
--- a/databases/postgresql83-server/files/patch-ssl-init-state
+++ b/databases/postgresql83-server/files/patch-ssl-init-state
@ -0,0 +1,25 @@
+--- src/backend/postmaster/fork_process.c.orig	2013-02-04 22:29:07.000000000 +0100
+++ src/backend/postmaster/fork_process.c	2013-04-02 12:57:18.489126586 +0200
+@@ -15,6 +15,9 @@
+ #include <time.h>
+ #include <sys/time.h>
+ #include <unistd.h>
+#ifdef USE_SSL
+#include <openssl/rand.h>
+#endif
+ 
+ #ifndef WIN32
+ /*
+@@ -60,6 +63,12 @@
+ 		setitimer(ITIMER_PROF, &prof_itimer, NULL);
+ #endif
+ 
+		/*
+		 * Make sure processes do not share OpenSSL randomness state.
+		 */
+#ifdef USE_SSL
+		RAND_cleanup();
+#endif
+ 	}
+ 
+ 	return result;
--- a/databases/postgresql84-server/Makefile
+++ b/databases/postgresql84-server/Makefile
@ -2,7 +2,7 @@
 # $FreeBSD$

 PORTNAME?=	postgresql
-DISTVERSION?=	8.4.16
+DISTVERSION?=	8.4.17
 PORTREVISION?=	0
 CATEGORIES?=	databases
 MASTER_SITES=	PGSQL
--- a/databases/postgresql84-server/distinfo
+++ b/databases/postgresql84-server/distinfo
@ -1,4 +1,4 @@
-SHA256 (postgresql/postgresql-8.4.16.tar.bz2) = 8d03d94d3957019227066f427ccb11232a823f2558e2f57e1ea2bc9ba004612f
-SIZE (postgresql/postgresql-8.4.16.tar.bz2) = 14784029
+SHA256 (postgresql/postgresql-8.4.17.tar.bz2) = dc884c34ec3535d9f8b579155948a703def0574aca47292b97b82a8189cd0436
+SIZE (postgresql/postgresql-8.4.17.tar.bz2) = 14795028
 SHA256 (postgresql/pg-840-icu-2009-09-15.diff.gz) = c09d3b59340a3bb6ea754e985739d4fbb47f730d1e48a357c5585825034fc72e
 SIZE (postgresql/pg-840-icu-2009-09-15.diff.gz) = 4321
--- a/databases/postgresql90-server/Makefile
+++ b/databases/postgresql90-server/Makefile
@ -5,7 +5,7 @@
 # $FreeBSD$
 #

-DISTVERSION?=	9.0.12
+DISTVERSION?=	9.0.13
 PORTREVISION=	0
 PKGNAMESUFFIX?=	-server

--- a/databases/postgresql90-server/distinfo
+++ b/databases/postgresql90-server/distinfo
@ -1,4 +1,4 @@
-SHA256 (postgresql/postgresql-9.0.12.tar.bz2) = 80f06873cbdc8789abe6806dc52a708d9a7f4ac5432ffea4c069cbc33b2b1524
-SIZE (postgresql/postgresql-9.0.12.tar.bz2) = 15122949
+SHA256 (postgresql/postgresql-9.0.13.tar.bz2) = 51aea4d099defaee307ec3b9900837446931d1aa0c6717070fa25ed033af9977
+SIZE (postgresql/postgresql-9.0.13.tar.bz2) = 15139873
 SHA256 (postgresql/pg-900-icu-2010-09-19.diff.gz) = 27cea46241ec814965c278330cd96f67ee03422b7758a210713a63b4b5bb77e9
 SIZE (postgresql/pg-900-icu-2010-09-19.diff.gz) = 4349
--- a/databases/postgresql90-server/pkg-plist-server
+++ b/databases/postgresql90-server/pkg-plist-server
@ -410,6 +410,7 @@ share/postgresql/snowball_create.sql
 %%TZDATA%%share/postgresql/timezone/Asia/Kashgar
 %%TZDATA%%share/postgresql/timezone/Asia/Kathmandu
 %%TZDATA%%share/postgresql/timezone/Asia/Katmandu
+%%TZDATA%%share/postgresql/timezone/Asia/Khandyga
 %%TZDATA%%share/postgresql/timezone/Asia/Kolkata
 %%TZDATA%%share/postgresql/timezone/Asia/Krasnoyarsk
 %%TZDATA%%share/postgresql/timezone/Asia/Kuala_Lumpur
@ -454,6 +455,7 @@ share/postgresql/snowball_create.sql
 %%TZDATA%%share/postgresql/timezone/Asia/Ulaanbaatar
 %%TZDATA%%share/postgresql/timezone/Asia/Ulan_Bator
 %%TZDATA%%share/postgresql/timezone/Asia/Urumqi
+%%TZDATA%%share/postgresql/timezone/Asia/Ust-Nera
 %%TZDATA%%share/postgresql/timezone/Asia/Vientiane
 %%TZDATA%%share/postgresql/timezone/Asia/Vladivostok
 %%TZDATA%%share/postgresql/timezone/Asia/Yakutsk
@ -562,6 +564,7 @@ share/postgresql/snowball_create.sql
 %%TZDATA%%share/postgresql/timezone/Europe/Brussels
 %%TZDATA%%share/postgresql/timezone/Europe/Bucharest
 %%TZDATA%%share/postgresql/timezone/Europe/Budapest
+%%TZDATA%%share/postgresql/timezone/Europe/Busingen
 %%TZDATA%%share/postgresql/timezone/Europe/Chisinau
 %%TZDATA%%share/postgresql/timezone/Europe/Copenhagen
 %%TZDATA%%share/postgresql/timezone/Europe/Dublin
--- a/databases/postgresql91-server/Makefile
+++ b/databases/postgresql91-server/Makefile
@ -2,7 +2,7 @@
 # $FreeBSD$

 PORTNAME?=	postgresql
-DISTVERSION?=	9.1.8
+DISTVERSION?=	9.1.9
 PORTREVISION?=	0
 CATEGORIES?=	databases
 MASTER_SITES=	PGSQL
--- a/databases/postgresql91-server/distinfo
+++ b/databases/postgresql91-server/distinfo
@ -1,4 +1,4 @@
-SHA256 (postgresql/postgresql-9.1.8.tar.bz2) = 1d88f9dda24062dbfcc09aca9a316981f2aa93322613b853cf32d7a431b44c6d
-SIZE (postgresql/postgresql-9.1.8.tar.bz2) = 15815313
+SHA256 (postgresql/postgresql-9.1.9.tar.bz2) = 28a533e181009308722e8b3c51f1ea7224ab910c380ac1a86f07118667602dd8
+SIZE (postgresql/postgresql-9.1.9.tar.bz2) = 15815421
 SHA256 (postgresql/pg-910-icu-2012-12-19.diff.gz) = 61ef9c9b55b63b63b0fb108dfef086f92e9c43b5bd934fab9639b31f91193611
 SIZE (postgresql/pg-910-icu-2012-12-19.diff.gz) = 4386
--- a/databases/postgresql91-server/pkg-plist-server
+++ b/databases/postgresql91-server/pkg-plist-server
@ -417,6 +417,7 @@ share/postgresql/snowball_create.sql
 %%TZDATA%%share/postgresql/timezone/Asia/Kashgar
 %%TZDATA%%share/postgresql/timezone/Asia/Kathmandu
 %%TZDATA%%share/postgresql/timezone/Asia/Katmandu
+%%TZDATA%%share/postgresql/timezone/Asia/Khandyga
 %%TZDATA%%share/postgresql/timezone/Asia/Kolkata
 %%TZDATA%%share/postgresql/timezone/Asia/Krasnoyarsk
 %%TZDATA%%share/postgresql/timezone/Asia/Kuala_Lumpur
@ -461,6 +462,7 @@ share/postgresql/snowball_create.sql
 %%TZDATA%%share/postgresql/timezone/Asia/Ulaanbaatar
 %%TZDATA%%share/postgresql/timezone/Asia/Ulan_Bator
 %%TZDATA%%share/postgresql/timezone/Asia/Urumqi
+%%TZDATA%%share/postgresql/timezone/Asia/Ust-Nera
 %%TZDATA%%share/postgresql/timezone/Asia/Vientiane
 %%TZDATA%%share/postgresql/timezone/Asia/Vladivostok
 %%TZDATA%%share/postgresql/timezone/Asia/Yakutsk
@ -569,6 +571,7 @@ share/postgresql/snowball_create.sql
 %%TZDATA%%share/postgresql/timezone/Europe/Brussels
 %%TZDATA%%share/postgresql/timezone/Europe/Bucharest
 %%TZDATA%%share/postgresql/timezone/Europe/Budapest
+%%TZDATA%%share/postgresql/timezone/Europe/Busingen
 %%TZDATA%%share/postgresql/timezone/Europe/Chisinau
 %%TZDATA%%share/postgresql/timezone/Europe/Copenhagen
 %%TZDATA%%share/postgresql/timezone/Europe/Dublin
--- a/databases/postgresql92-server/Makefile
+++ b/databases/postgresql92-server/Makefile
@ -2,11 +2,11 @@
 # $FreeBSD$

 PORTNAME?=	postgresql
-DISTVERSION?=	9.2.3
+DISTVERSION?=	9.2.4
 PORTREVISION?=	0
 CATEGORIES?=	databases
 MASTER_SITES=	PGSQL
-MASTER_SITE_SUBDIR=	source/v${DISTVERSION:S,beta,.0&,}
+MASTER_SITE_SUBDIR=	source/v${DISTVERSION}
 PKGNAMESUFFIX?=	-server

 MAINTAINER?=	pgsql@FreeBSD.org
--- a/databases/postgresql92-server/distinfo
+++ b/databases/postgresql92-server/distinfo
@ -1,4 +1,4 @@
-SHA256 (postgresql/postgresql-9.2.3.tar.bz2) = c4f5a63290c0c32d8d9899edee8188d0c8ab124a7199b154fac75e62eec35f7f
-SIZE (postgresql/postgresql-9.2.3.tar.bz2) = 16371616
+SHA256 (postgresql/postgresql-9.2.4.tar.bz2) = d97dd918a88a4449225998f46aafa85216a3f89163a3411830d6890507ffae93
+SIZE (postgresql/postgresql-9.2.4.tar.bz2) = 16395184
 SHA256 (postgresql/pg-910-icu-2012-12-19.diff.gz) = 61ef9c9b55b63b63b0fb108dfef086f92e9c43b5bd934fab9639b31f91193611
 SIZE (postgresql/pg-910-icu-2012-12-19.diff.gz) = 4386
--- a/databases/postgresql92-server/pkg-plist-server
+++ b/databases/postgresql92-server/pkg-plist-server
@ -122,6 +122,7 @@ share/postgresql/extension/plpgsql.control
 %%GETTEXT%%share/locale/ru/LC_MESSAGES/plpgsql-9.2.mo
 %%GETTEXT%%share/locale/ru/LC_MESSAGES/postgres-9.2.mo
 %%GETTEXT%%share/locale/sv/LC_MESSAGES/initdb-9.2.mo
+%%GETTEXT%%share/locale/sv/LC_MESSAGES/pg_ctl-9.2.mo
 %%GETTEXT%%share/locale/tr/LC_MESSAGES/initdb-9.2.mo
 %%GETTEXT%%share/locale/tr/LC_MESSAGES/pg_controldata-9.2.mo
 %%GETTEXT%%share/locale/tr/LC_MESSAGES/pg_resetxlog-9.2.mo
@ -413,6 +414,7 @@ share/postgresql/snowball_create.sql
 %%TZDATA%%share/postgresql/timezone/Asia/Kashgar
 %%TZDATA%%share/postgresql/timezone/Asia/Kathmandu
 %%TZDATA%%share/postgresql/timezone/Asia/Katmandu
+%%TZDATA%%share/postgresql/timezone/Asia/Khandyga
 %%TZDATA%%share/postgresql/timezone/Asia/Kolkata
 %%TZDATA%%share/postgresql/timezone/Asia/Krasnoyarsk
 %%TZDATA%%share/postgresql/timezone/Asia/Kuala_Lumpur
@ -457,6 +459,7 @@ share/postgresql/snowball_create.sql
 %%TZDATA%%share/postgresql/timezone/Asia/Ulaanbaatar
 %%TZDATA%%share/postgresql/timezone/Asia/Ulan_Bator
 %%TZDATA%%share/postgresql/timezone/Asia/Urumqi
+%%TZDATA%%share/postgresql/timezone/Asia/Ust-Nera
 %%TZDATA%%share/postgresql/timezone/Asia/Vientiane
 %%TZDATA%%share/postgresql/timezone/Asia/Vladivostok
 %%TZDATA%%share/postgresql/timezone/Asia/Yakutsk
@ -565,6 +568,7 @@ share/postgresql/snowball_create.sql
 %%TZDATA%%share/postgresql/timezone/Europe/Brussels
 %%TZDATA%%share/postgresql/timezone/Europe/Bucharest
 %%TZDATA%%share/postgresql/timezone/Europe/Budapest
+%%TZDATA%%share/postgresql/timezone/Europe/Busingen
 %%TZDATA%%share/postgresql/timezone/Europe/Chisinau
 %%TZDATA%%share/postgresql/timezone/Europe/Copenhagen
 %%TZDATA%%share/postgresql/timezone/Europe/Dublin
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@ -51,6 +51,63 @@ Note:  Please add new entries to the beginning of this file.

 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="3f332f16-9b6b-11e2-8fe9-08002798f6ff">
+    <topic>PostgreSQL -- anonymous remote access data corruption vulnerability</topic>
+    <affects>
+      <package>
+	<name>postgresql-server</name>
+	<range><ge>8.3.0</ge><lt>8.3.21_1</lt></range>
+	<range><ge>8.4.0</ge><lt>8.4.17</lt></range>
+	<range><ge>9.0.0</ge><lt>9.0.13</lt></range>
+	<range><ge>9.1.0</ge><lt>9.1.9</lt></range>
+	<range><ge>9.2.0</ge><lt>9.2.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>PostgreSQL project reports:</p>
+	<blockquote cite="http://www.postgresql.org/about/news/1456/">
+	  <p>
+	   The PostgreSQL Global Development Group has released a security
+	   update to all current versions of the PostgreSQL database system,
+	   including versions 9.2.4, 9.1.9, 9.0.13, and 8.4.17. This update
+	   fixes a high-exposure security vulnerability in versions 9.0 and
+	   later. All users of the affected versions are strongly urged to apply
+	   the update *immediately*.
+	  </p>
+	  <p>
+	   A major security issue (for versions 9.x only) fixed in this release,
+	   [CVE-2013-1899](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899),
+	   makes it possible for a connection request containing a database name
+	   that begins with "-" to be crafted that can damage or destroy files
+	   within a server's data directory. Anyone with access to the port the
+	   PostgreSQL server listens on can initiate this request. This issue was
+	   discovered by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source
+	   Software Center.
+	  </p>
+	  <p>
+	   Two lesser security fixes are also included in this release:
+	   [CVE-2013-1900](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900),
+	   wherein random numbers generated by contrib/pgcrypto functions may be
+	   easy for another database user to guess (all versions), and
+	   [CVE-2013-1901](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901),
+	   which mistakenly allows an unprivileged user to run commands that
+	   could interfere with in-progress backups (for versions 9.x only).
+	  </p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2013-1899</cvename>
+      <cvename>CVE-2013-1900</cvename>
+      <cvename>CVE-2013-1901</cvename>
+    </references>
+    <dates>
+      <discovery>2013-04-04</discovery>
+      <entry>2013-04-04</entry>
+    </dates>
+  </vuln>
+
  <vuln vid="94976433-9c74-11e2-a9fc-d43d7e0c7c02">
    <topic>mozilla -- multiple vulnerabilities</topic>
    <affects>