supported versions of our database system, including 11.5, 10.10,
9.6.15, 9.5.19, and 9.4.24, as well as the third beta of PostgreSQL 12.
This release fixes two security issues in the PostgreSQL server, two
security issues found in one of the PostgreSQL Windows installers, and
over 40 bugs reported since the previous release.
Users should install these updates as soon as possible.
A Note on the PostgreSQL 12 Beta
================================
In the spirit of the open source PostgreSQL community, we strongly
encourage you to test the new features of PostgreSQL 12 in your database
systems to help us eliminate any bugs or other issues that may exist.
While we do not advise you to run PostgreSQL 12 Beta 3 in your
production environments, we encourage you to find ways to run your
typical application workloads against this beta release.
Your testing and feedback will help the community ensure that the
PostgreSQL 12 release upholds our standards of providing a stable,
reliable release of the world's most advanced open source relational
database.
Security Issues
===============
Two security vulnerabilities have been closed by this release:
* CVE-2019-10208: `TYPE` in `pg_temp` executes arbitrary SQL during
`SECURITY DEFINER` execution
Versions Affected: 9.4 - 11
Given a suitable `SECURITY DEFINER` function, an attacker can execute
arbitrary SQL under the identity of the function owner. An attack
requires `EXECUTE` permission on the function, which must itself contain
a function call having inexact argument type match. For example,
`length('foo'::varchar)` and `length('foo')` are inexact, while
`length('foo'::text)` is exact. As part of exploiting this
vulnerability, the attacker uses `CREATE DOMAIN` to create a type in a
`pg_temp` schema. The attack pattern and fix are similar to that for
CVE-2007-2138.
Writing `SECURITY DEFINER` functions continues to require following the
considerations noted in the documentation:
https://www.postgresql.org/docs/devel/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY
The PostgreSQL project thanks Tom Lane for reporting this problem.
* CVE-2019-10209: Memory disclosure in cross-type comparison for hashed
subplan
Versions Affected: 11
In a database containing hypothetical, user-defined hash equality operators, an attacker could read arbitrary bytes of server memory. For an attack to become possible, a superuser would need to create unusual operators. It is possible for operators not purpose-crafted for attack to have the properties that enable an attack, but we are not aware of specific examples.
The PostgreSQL project thanks Andreas Seltenreich for reporting this problem.
$ cat >foo.cr
require "http/client"
HTTP::Client.get "http://api.icndb.com/jokes/1"
$ crystal foo.cr
[warn] event_reinit: forked from the event_loop.
Unhandled exception in spawn: Error reinitializing libevent (Exception)
[warn] event_reinit: forked from the event_loop.
Unhandled exception in spawn: Error reinitializing libevent (Exception)
[warn] event_reinit: forked from the event_loop.
Unhandled exception in spawn: Error reinitializing libevent (Exception)
[warn] event_reinit: forked from the event_loop.
[warn] event_reinit: forked from the event_loop.
[...]
PR: 206355
Reported by: Petr Fischer
Submitted by: Walter Schwarzenfeld
Approved by: Greg V (maintainer)
jp is a dead simple terminal plots from JSON (or CSV) data. Bar charts,
line charts, scatter plots, histograms and heatmaps are supported. It reads
data on stdin and prints plots to stdout.
WWW: https://github.com/sgreben/jp
PR: 227271
- Add a build conflict for commonmark-cmark-* when DOCS are enabled.
This prevents a failure later on in the build. [0]
- Add a new option BE_AMDGPU which can be used to enable the AMDGPU
backed used by mesa when BE_NATIVE or BE_FREEBSD is set. Enable this
option by default to limit later surprises. [1]
- Use LLVM_ENABLE_Z3_SOLVER instead of the now removed
CLANG_ANALYZER_ENABLE_Z3_SOLVER to disable Z3 discovery and linkage.
PR: 239636 [0], 230789 [1]
* docs from 2006 (probably out-of-date)
- pet portlint
- bump portrevision
Old docs are still accessible here:
https://people.freebsd.org/~mezz/distfiles/
M fluxbox/Makefile
M fluxbox/distinfo
M fluxbox/files/patch-util_fbsetbg
* Sort variables according the PHB while I'm here.
Changelog:
* Fixed: Out-of-bound write and few minor bugs on configuration saving in
admin
* Fixed: $ is not correctly handled in the beginning of quoted line on
configuration parsing
https://github.com/z3APA3A/3proxy/releases/tag/0.8.13
PR: 239677
Submitted by: timp87@gmail.com (maintainer)
MFH: 2019Q3 (bugfix blanket)
Release Notes [1]
* Added extra validation for SQLAllocHandle (SQL_HANDLE_DESC, ...)
* Added GCC __attribute__ for checking format string
* Added missing define SQL_CONVERT_GUID
* Fixed issue using heap after free in SQLConnect_internal
* Fixed issue with global mutex in SQLError, SQLGetDiagRec, and SQLGetDiagField
* Fixed SQLSetStmtAttr to cache the correct values for SQL_ATTR_ROW_ARRAY_SIZE and SQL_ATTR_ROW_BIND_TYPE
* Fixed format specifiers and some casts to fix trace output
* Fixed missing check for section in SQLGetPrivateProfileString
* Fixed non-void function needs to return a value
* Fixed issue in Mac Cocoa code
* Fixed iODBC apps/frameworks CFBundleGetInfoString attribute
* Fixes an issue where build fails on Alpine
* Fixed package versioning
* Fixed small memory leaks
[1] http://www.iodbc.org/dataspace/doc/iodbc/wiki/iodbcWiki/ChangeNotes#2019-07-23%20-%20iODBC%20Stable%20Version%203.52.13%20Released
