The PostgreSQL Global Development Group today released security updates for all active branches
of the PostgreSQL database system, including versions 9.1.5, 9.0.9, 8.4.13 and 8.3.20. This
update patches security holes associated with libxml2 and libxslt, similar to those affecting
other open source projects. All users are urged to update their installations at the first
available opportunity.

This security release fixes a vulnerability in the built-in XML functionality, and a vulnerability
in the XSLT functionality supplied by the optional XML2 extension. Both vulnerabilities allow
reading of arbitrary files by any authenticated database user, and the XSLT vulnerability
allows writing files as well. The fixes cause limited backwards compatibility issues.
These issues correspond to the following two vulnerabilities:

CVE-2012-3488: PostgreSQL insecure use of libxslt
CVE-2012-3489: PostgreSQL insecure use of libxml2

This release also contains several fixes to version 9.1, and a smaller number of fixes to older versions, including:

Updates and corrections to time zone data
Multiple documentation updates and corrections
Add limit on max_wal_senders
Fix dependencies generated during ALTER TABLE ADD CONSTRAINT USING INDEX.
Correct behavior of unicode conversions for PL/Python
Fix WITH attached to a nested set operation (UNION/INTERSECT/EXCEPT).
Fix syslogger so that log_truncate_on_rotation works in the first rotation.
Only allow autovacuum to be auto-canceled by a directly blocked process.
Improve fsync request queue operation
Prevent corner-case core dump in rfree().
Fix Walsender so that it responds correctly to timeouts and deadlocks
Several PL/Perl fixes for encoding-related issues
Make selectivity operators use the correct collation
Prevent unsuitable slaves from being selected for synchronous replication
Make REASSIGN OWNED work on extensions as well
Fix race condition with ENUM comparisons
Make NOTIFY cope with out-of-disk-space
Fix memory leak in ARRAY subselect queries
Reduce data loss at replication failover
Fix behavior of subtransactions with Hot Standby
Jason Helfman 2012-08-17 19:39:51 +00:00
parent d298a25da9
commit 9cf373f5ef
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=302694
11 changed files with 66 additions and 12 deletions

View file

@ -5,7 +5,7 @@
# $FreeBSD$
#
DISTVERSION?= 8.3.19
DISTVERSION?= 8.3.20
PORTREVISION?= 0
PKGNAMESUFFIX?= -server

View file

@ -1,4 +1,4 @@
SHA256 (postgresql/postgresql-8.3.19.tar.bz2) = 986f0d4b7edc633be1d210f27dfd1e47d416b642659e568895218466e50b58d5
SIZE (postgresql/postgresql-8.3.19.tar.bz2) = 14570746
SHA256 (postgresql/postgresql-8.3.20.tar.bz2) = 922b6165dc21739356e22ba4d53e08f3b26cd38d8fb9569d5f8fa6d239611163
SIZE (postgresql/postgresql-8.3.20.tar.bz2) = 14624435
SHA256 (postgresql/pg-8311-icu-xx-2010-05-14.diff.gz) = 44146bdb29a5a7d51c70911096ed6d265bdf09f74f0084ee7ad1883bea2f852a
SIZE (postgresql/pg-8311-icu-xx-2010-05-14.diff.gz) = 5064
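Review bot: the new SHA256 and SIZE for postgresql-8.3.20.tar.bz2 are the only thing tying this security update to the tarball the port will actually fetch, so for a security-motivated bump they should be confirmed against a second source (the checksums upstream publishes next to the release, or an independent mirror) rather than only against the one file that was downloaded locally. The pg-8311-icu-xx-2010-05-14.diff.gz entry is untouched, which is expected since only the tarball moved.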

View file

@ -6,7 +6,7 @@
#
PORTNAME?= postgresql
DISTVERSION?= 8.4.12
DISTVERSION?= 8.4.13
PORTREVISION?= 0
CATEGORIES?= databases
MASTER_SITES= ${MASTER_SITE_PGSQL}

View file

@ -1,4 +1,4 @@
SHA256 (postgresql/postgresql-8.4.12.tar.bz2) = 99b7b330ec183828988c7e8ec1b675393f24b10017a2e1d03b8ff48c4dfc0f77
SIZE (postgresql/postgresql-8.4.12.tar.bz2) = 14509007
SHA256 (postgresql/postgresql-8.4.13.tar.bz2) = 20dd3442a3fa3a4fb1813b58f969ce4bbc54d73194fd4fe20d6f1313edc48cb9
SIZE (postgresql/postgresql-8.4.13.tar.bz2) = 14666613
SHA256 (postgresql/pg-840-icu-2009-09-15.diff.gz) = c09d3b59340a3bb6ea754e985739d4fbb47f730d1e48a357c5585825034fc72e
SIZE (postgresql/pg-840-icu-2009-09-15.diff.gz) = 4321

View file

@ -614,8 +614,13 @@ share/postgresql/psqlrc.sample
%%GETTEXT%%share/locale/pt_BR/LC_MESSAGES/psql-8.4.mo
%%GETTEXT%%share/locale/ro/LC_MESSAGES/pg_config-8.4.mo
%%GETTEXT%%share/locale/ro/LC_MESSAGES/pgscripts-8.4.mo
%%GETTEXT%%share/locale/ru/LC_MESSAGES/ecpg-8.4.mo
%%GETTEXT%%share/locale/ru/LC_MESSAGES/ecpglib6-8.4.mo
%%GETTEXT%%share/locale/ru/LC_MESSAGES/libpq5-8.4.mo
%%GETTEXT%%share/locale/ru/LC_MESSAGES/pg_config-8.4.mo
%%GETTEXT%%share/locale/ru/LC_MESSAGES/pg_dump-8.4.mo
%%GETTEXT%%share/locale/ru/LC_MESSAGES/pgscripts-8.4.mo
%%GETTEXT%%share/locale/ru/LC_MESSAGES/psql-8.4.mo
%%GETTEXT%%share/locale/sv/LC_MESSAGES/libpq5-8.4.mo
%%GETTEXT%%share/locale/sv/LC_MESSAGES/pg_config-8.4.mo
%%GETTEXT%%share/locale/sv/LC_MESSAGES/pg_dump-8.4.mo
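Review bot: with the +/- markers lost in this rendering it is not possible to tell which of the seven ru/LC_MESSAGES entries are the five additions the header (@ -614,8 +614,13) announces, so whoever applies this should confirm the new .mo files against what the 8.4.13 tarball actually installs when built with NLS. The %%GETTEXT%% guard on every line is correct, since these translation catalogs exist only when the port is built with gettext support.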

View file

@ -96,8 +96,11 @@ share/postgresql/system_views.sql
%%GETTEXT%%share/locale/ro/LC_MESSAGES/pg_resetxlog-8.4.mo
%%GETTEXT%%share/locale/ro/LC_MESSAGES/plpgsql-8.4.mo
%%GETTEXT%%share/locale/ru/LC_MESSAGES/initdb-8.4.mo
%%GETTEXT%%share/locale/ru/LC_MESSAGES/pg_controldata-8.4.mo
%%GETTEXT%%share/locale/ru/LC_MESSAGES/pg_ctl-8.4.mo
%%GETTEXT%%share/locale/ru/LC_MESSAGES/pg_resetxlog-8.4.mo
%%GETTEXT%%share/locale/ru/LC_MESSAGES/plpgsql-8.4.mo
%%GETTEXT%%share/locale/ru/LC_MESSAGES/postgres-8.4.mo
%%GETTEXT%%share/locale/sv/LC_MESSAGES/initdb-8.4.mo
%%GETTEXT%%share/locale/sv/LC_MESSAGES/pg_controldata-8.4.mo
%%GETTEXT%%share/locale/sv/LC_MESSAGES/pg_ctl-8.4.mo
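Review bot: the header (@ -96,8 +96,11) adds three lines among the six ru entries here, and a missing or stale plist entry will only surface as an orphan or a plist failure once the port is staged, so this deserves the same install-tree check as the client list. Note also that of the 11 changed files only the two 8.4 plists change; it is worth a quick check that the 8.3.20, 9.0.9 and 9.1.5 tarballs did not pick up new translations as well.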

View file

@ -5,7 +5,7 @@
# $FreeBSD$
#
DISTVERSION?= 9.0.8
DISTVERSION?= 9.0.9
PORTREVISION= 0
PKGNAMESUFFIX?= -server
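Review bot: style nit on the context line `PORTREVISION= 0`: the 8.3, 8.4 and 9.1 Makefiles in this same commit use `PORTREVISION?= 0`, which lets a slave port that includes the master Makefile set its own revision; 9.0 should match. Not introduced by this change, but an easy fix while touching the line directly above it.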

View file

@ -1,4 +1,4 @@
SHA256 (postgresql/postgresql-9.0.8.tar.bz2) = a2981ba8a64b396e2111fee5a9216275e49a2e79e839152a5e4367afd44c0bc2
SIZE (postgresql/postgresql-9.0.8.tar.bz2) = 14998065
SHA256 (postgresql/postgresql-9.0.9.tar.bz2) = 87417d181a0f534fa96ba1d315a62b721f5bc22b7bb70af3f674bc1a68a5da8a
SIZE (postgresql/postgresql-9.0.9.tar.bz2) = 15008401
SHA256 (postgresql/pg-900-icu-2010-09-19.diff.gz) = 27cea46241ec814965c278330cd96f67ee03422b7758a210713a63b4b5bb77e9
SIZE (postgresql/pg-900-icu-2010-09-19.diff.gz) = 4349

View file

@ -6,7 +6,7 @@
#
PORTNAME?= postgresql
DISTVERSION?= 9.1.4
DISTVERSION?= 9.1.5
PORTREVISION?= 0
CATEGORIES?= databases
MASTER_SITES= ${MASTER_SITE_PGSQL}

View file

@ -1,4 +1,4 @@
SHA256 (postgresql/postgresql-9.1.4.tar.bz2) = a0795a8eb3ae2d1a2914b63bf143d20182835d90699915ff43567c041d3c9712
SIZE (postgresql/postgresql-9.1.4.tar.bz2) = 15631894
SHA256 (postgresql/postgresql-9.1.5.tar.bz2) = 0b889c132426fc68d8c2eb1bf112bf99cc653e9c95b5f4bbebc55cd9a8d6ce44
SIZE (postgresql/postgresql-9.1.5.tar.bz2) = 15602594
SHA256 (postgresql/pg-910-icu-2011-09-22.diff.gz) = a88094ec22a8caeffa06d7c3a6b53d19035b171dad2acb9084da0a617a93e149
SIZE (postgresql/pg-910-icu-2011-09-22.diff.gz) = 4373
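Review bot: pg-910-icu-2011-09-22.diff.gz keeps its hash, as do pg-8311-icu, pg-840-icu and pg-900-icu in the other distinfo files, so the out-of-tree ICU patches are being carried forward unmodified onto new tarballs. The commit message does not say whether they were confirmed to still apply and build against 8.3.20, 8.4.13, 9.0.9 and 9.1.5; a one-line mention would save the next reader the question.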

View file

@ -52,6 +52,52 @@ Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="07234e78-e899-11e1-b38d-0023ae8e59f0">
<topic>databases/postgresql*-server -- multiple vulnerabilities</topic>
<affects>
<package>
<name>postgresql-server</name>
<range><gt>8.3.*</gt><lt>8.3.20</lt></range>
<range><gt>8.4.*</gt><lt>8.4.13</lt></range>
<range><gt>9.0.*</gt><lt>9.0.9</lt></range>
<range><gt>9.1.*</gt><lt>9.1.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PostgreSQL Global Development Group reports:</p>
<blockquote cite="http://www.postgresql.org/about/news/1407/">
<p>The PostgreSQL Global Development Group today released
security updates for all active branches of the PostgreSQL
database system, including versions 9.1.5, 9.0.9, 8.4.13 and
8.3.20. This update patches security holes associated with
libxml2 and libxslt, similar to those affecting other open
source projects. All users are urged to update their
installations at the first available opportunity</p>
<p>Users who are relying on the built-in XML functionality to
validate external DTDs will need to implement a workaround, as
this security patch disables that functionality. Users who are
using xslt_process() to fetch documents or stylesheets from
external URLs will no longer be able to do so. The PostgreSQL
project regrets the need to disable both of these features in
order to maintain our security standards. These security issues
with XML are substantially similar to issues patched recently
by the Webkit (CVE-2011-1774), XMLsec (CVE-2011-1425) and PHP5
(CVE-2012-0057) projects.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3488</cvename>
<cvename>CVE-2012-3489</cvename>
<url>http://www.postgresql.org/about/news/1407/</url>
</references>
<dates>
<discovery>2012-08-17</discovery>
<entry>2012-08-17</entry>
</dates>
</vuln>
<vuln vid="db1d3340-e83b-11e1-999b-e0cb4e266481">
<topic>phpMyAdmin -- Multiple XSS in Table operations, Database structure, Trigger and Visualize GIS data pages</topic>
<affects>
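Review bot: the description quotes the announcement's release paragraph and its compatibility paragraph but leaves out the one sentence that matters most for triage, which the commit message itself states: both vulnerabilities allow reading of arbitrary files by any authenticated database user, and the XSLT vulnerability allows writing files as well. Adding that paragraph inside the blockquote would let readers of the VuXML entry rate the issue without following the URL. Also, the first quoted paragraph ends `installations at the first available opportunity</p>` without the closing period that the same sentence carries in the commit message.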