The PostgreSQL Global Development Group today released security updates for all active branches

of the PostgreSQL database system, including versions 9.1.5, 9.0.9, 8.4.13 and 8.3.20. This update patches security holes associated with libxml2 and libxslt, similar to those affecting other open source projects. All users are urged to update their installations at the first available opportunity. This security release fixes a vulnerability in the built-in XML functionality, and a vulnerability in the XSLT functionality supplied by the optional XML2 extension. Both vulnerabilities allow reading of arbitrary files by any authenticated database user, and the XSLT vulnerability allows writing files as well. The fixes cause limited backwards compatibility issues. These issues correspond to the following two vulnerabilities: CVE-2012-3488: PostgreSQL insecure use of libxslt CVE-2012-3489: PostgreSQL insecure use of libxml2 This release also contains several fixes to version 9.1, and a smaller number of fixes to older versions, including: Updates and corrections to time zone data Multiple documentation updates and corrections Add limit on max_wal_senders Fix dependencies generated during ALTER TABLE ADD CONSTRAINT USING INDEX. Correct behavior of unicode conversions for PL/Python Fix WITH attached to a nested set operation (UNION/INTERSECT/EXCEPT). Fix syslogger so that log_truncate_on_rotation works in the first rotation. Only allow autovacuum to be auto-canceled by a directly blocked process. Improve fsync request queue operation Prevent corner-case core dump in rfree(). Fix Walsender so that it responds correctly to timeouts and deadlocks Several PL/Perl fixes for encoding-related issues Make selectivity operators use the correct collation Prevent unsuitable slaves from being selected for synchronous replication Make REASSIGN OWNED work on extensions as well Fix race condition with ENUM comparisons Make NOTIFY cope with out-of-disk-space Fix memory leak in ARRAY subselect queries Reduce data loss at replication failover Fix behavior of subtransactions with Hot Standby
author: Jason Helfman <jgh@FreeBSD.org> 2012-08-17 19:39:51 +0000
committer: Jason Helfman <jgh@FreeBSD.org> 2012-08-17 19:39:51 +0000
commit: 9cf373f5efd4db60af1683e91f2a9e359562622c (patch)
tree: 0d6151a4140798b5267168b4a115f7702fbce822
parent: - Update to 6.3.12 (diff)
11 files changed, 66 insertions, 12 deletions
diff --git a/databases/postgresql83-server/Makefile b/databases/postgresql83-server/Makefile
index 43812a8120a0..75ecd1b53702 100644
--- a/databases/postgresql83-server/Makefile
+++ b/databases/postgresql83-server/Makefile
@@ -5,7 +5,7 @@
 # $FreeBSD$
 #
 
-DISTVERSION?=	8.3.19
+DISTVERSION?=	8.3.20
 PORTREVISION?=	0
 PKGNAMESUFFIX?=	-server
 
diff --git a/databases/postgresql83-server/distinfo b/databases/postgresql83-server/distinfo
index beae06179ecc..42b6a47596ac 100644
--- a/databases/postgresql83-server/distinfo
+++ b/databases/postgresql83-server/distinfo
@@ -1,4 +1,4 @@
-SHA256 (postgresql/postgresql-8.3.19.tar.bz2) = 986f0d4b7edc633be1d210f27dfd1e47d416b642659e568895218466e50b58d5
-SIZE (postgresql/postgresql-8.3.19.tar.bz2) = 14570746
+SHA256 (postgresql/postgresql-8.3.20.tar.bz2) = 922b6165dc21739356e22ba4d53e08f3b26cd38d8fb9569d5f8fa6d239611163
+SIZE (postgresql/postgresql-8.3.20.tar.bz2) = 14624435
 SHA256 (postgresql/pg-8311-icu-xx-2010-05-14.diff.gz) = 44146bdb29a5a7d51c70911096ed6d265bdf09f74f0084ee7ad1883bea2f852a
 SIZE (postgresql/pg-8311-icu-xx-2010-05-14.diff.gz) = 5064
diff --git a/databases/postgresql84-server/Makefile b/databases/postgresql84-server/Makefile
index fe71d32a04a7..8f1932419e52 100644
--- a/databases/postgresql84-server/Makefile
+++ b/databases/postgresql84-server/Makefile
@@ -6,7 +6,7 @@
 #
 
 PORTNAME?=	postgresql
-DISTVERSION?=	8.4.12
+DISTVERSION?=	8.4.13
 PORTREVISION?=	0
 CATEGORIES?=	databases
 MASTER_SITES=	${MASTER_SITE_PGSQL}
diff --git a/databases/postgresql84-server/distinfo b/databases/postgresql84-server/distinfo
index 03b93cae580f..27ffbcf371c7 100644
--- a/databases/postgresql84-server/distinfo
+++ b/databases/postgresql84-server/distinfo
@@ -1,4 +1,4 @@
-SHA256 (postgresql/postgresql-8.4.12.tar.bz2) = 99b7b330ec183828988c7e8ec1b675393f24b10017a2e1d03b8ff48c4dfc0f77
-SIZE (postgresql/postgresql-8.4.12.tar.bz2) = 14509007
+SHA256 (postgresql/postgresql-8.4.13.tar.bz2) = 20dd3442a3fa3a4fb1813b58f969ce4bbc54d73194fd4fe20d6f1313edc48cb9
+SIZE (postgresql/postgresql-8.4.13.tar.bz2) = 14666613
 SHA256 (postgresql/pg-840-icu-2009-09-15.diff.gz) = c09d3b59340a3bb6ea754e985739d4fbb47f730d1e48a357c5585825034fc72e
 SIZE (postgresql/pg-840-icu-2009-09-15.diff.gz) = 4321
diff --git a/databases/postgresql84-server/pkg-plist-client b/databases/postgresql84-server/pkg-plist-client
index 2e927c11d771..d1e1d7cd7c27 100644
--- a/databases/postgresql84-server/pkg-plist-client
+++ b/databases/postgresql84-server/pkg-plist-client
@@ -614,8 +614,13 @@ share/postgresql/psqlrc.sample
 %%GETTEXT%%share/locale/pt_BR/LC_MESSAGES/psql-8.4.mo
 %%GETTEXT%%share/locale/ro/LC_MESSAGES/pg_config-8.4.mo
 %%GETTEXT%%share/locale/ro/LC_MESSAGES/pgscripts-8.4.mo
+%%GETTEXT%%share/locale/ru/LC_MESSAGES/ecpg-8.4.mo
+%%GETTEXT%%share/locale/ru/LC_MESSAGES/ecpglib6-8.4.mo
 %%GETTEXT%%share/locale/ru/LC_MESSAGES/libpq5-8.4.mo
 %%GETTEXT%%share/locale/ru/LC_MESSAGES/pg_config-8.4.mo
+%%GETTEXT%%share/locale/ru/LC_MESSAGES/pg_dump-8.4.mo
+%%GETTEXT%%share/locale/ru/LC_MESSAGES/pgscripts-8.4.mo
+%%GETTEXT%%share/locale/ru/LC_MESSAGES/psql-8.4.mo
 %%GETTEXT%%share/locale/sv/LC_MESSAGES/libpq5-8.4.mo
 %%GETTEXT%%share/locale/sv/LC_MESSAGES/pg_config-8.4.mo
 %%GETTEXT%%share/locale/sv/LC_MESSAGES/pg_dump-8.4.mo
diff --git a/databases/postgresql84-server/pkg-plist-server b/databases/postgresql84-server/pkg-plist-server
index ab8330ece20f..66a9d39a8edb 100644
--- a/databases/postgresql84-server/pkg-plist-server
+++ b/databases/postgresql84-server/pkg-plist-server
@@ -96,8 +96,11 @@ share/postgresql/system_views.sql
 %%GETTEXT%%share/locale/ro/LC_MESSAGES/pg_resetxlog-8.4.mo
 %%GETTEXT%%share/locale/ro/LC_MESSAGES/plpgsql-8.4.mo
 %%GETTEXT%%share/locale/ru/LC_MESSAGES/initdb-8.4.mo
+%%GETTEXT%%share/locale/ru/LC_MESSAGES/pg_controldata-8.4.mo
 %%GETTEXT%%share/locale/ru/LC_MESSAGES/pg_ctl-8.4.mo
 %%GETTEXT%%share/locale/ru/LC_MESSAGES/pg_resetxlog-8.4.mo
+%%GETTEXT%%share/locale/ru/LC_MESSAGES/plpgsql-8.4.mo
+%%GETTEXT%%share/locale/ru/LC_MESSAGES/postgres-8.4.mo
 %%GETTEXT%%share/locale/sv/LC_MESSAGES/initdb-8.4.mo
 %%GETTEXT%%share/locale/sv/LC_MESSAGES/pg_controldata-8.4.mo
 %%GETTEXT%%share/locale/sv/LC_MESSAGES/pg_ctl-8.4.mo
diff --git a/databases/postgresql90-server/Makefile b/databases/postgresql90-server/Makefile
index 0dd6904d9a12..4c9c8f9350a2 100644
--- a/databases/postgresql90-server/Makefile
+++ b/databases/postgresql90-server/Makefile
@@ -5,7 +5,7 @@
 # $FreeBSD$
 #
 
-DISTVERSION?=	9.0.8
+DISTVERSION?=	9.0.9
 PORTREVISION=	0
 PKGNAMESUFFIX?=	-server
 
diff --git a/databases/postgresql90-server/distinfo b/databases/postgresql90-server/distinfo
index 9766fc2ac865..0a93f0b18270 100644
--- a/databases/postgresql90-server/distinfo
+++ b/databases/postgresql90-server/distinfo
@@ -1,4 +1,4 @@
-SHA256 (postgresql/postgresql-9.0.8.tar.bz2) = a2981ba8a64b396e2111fee5a9216275e49a2e79e839152a5e4367afd44c0bc2
-SIZE (postgresql/postgresql-9.0.8.tar.bz2) = 14998065
+SHA256 (postgresql/postgresql-9.0.9.tar.bz2) = 87417d181a0f534fa96ba1d315a62b721f5bc22b7bb70af3f674bc1a68a5da8a
+SIZE (postgresql/postgresql-9.0.9.tar.bz2) = 15008401
 SHA256 (postgresql/pg-900-icu-2010-09-19.diff.gz) = 27cea46241ec814965c278330cd96f67ee03422b7758a210713a63b4b5bb77e9
 SIZE (postgresql/pg-900-icu-2010-09-19.diff.gz) = 4349
diff --git a/databases/postgresql91-server/Makefile b/databases/postgresql91-server/Makefile
index f5c74ba44435..f0f8d2f5fee2 100644
--- a/databases/postgresql91-server/Makefile
+++ b/databases/postgresql91-server/Makefile
@@ -6,7 +6,7 @@
 #
 
 PORTNAME?=	postgresql
-DISTVERSION?=	9.1.4
+DISTVERSION?=	9.1.5
 PORTREVISION?=	0
 CATEGORIES?=	databases
 MASTER_SITES=	${MASTER_SITE_PGSQL}
diff --git a/databases/postgresql91-server/distinfo b/databases/postgresql91-server/distinfo
index 7294277156f3..f37fc6021335 100644
--- a/databases/postgresql91-server/distinfo
+++ b/databases/postgresql91-server/distinfo
@@ -1,4 +1,4 @@
-SHA256 (postgresql/postgresql-9.1.4.tar.bz2) = a0795a8eb3ae2d1a2914b63bf143d20182835d90699915ff43567c041d3c9712
-SIZE (postgresql/postgresql-9.1.4.tar.bz2) = 15631894
+SHA256 (postgresql/postgresql-9.1.5.tar.bz2) = 0b889c132426fc68d8c2eb1bf112bf99cc653e9c95b5f4bbebc55cd9a8d6ce44
+SIZE (postgresql/postgresql-9.1.5.tar.bz2) = 15602594
 SHA256 (postgresql/pg-910-icu-2011-09-22.diff.gz) = a88094ec22a8caeffa06d7c3a6b53d19035b171dad2acb9084da0a617a93e149
 SIZE (postgresql/pg-910-icu-2011-09-22.diff.gz) = 4373
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index d3f27dfbcab5..c5264840e81e 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -52,6 +52,52 @@ Note:  Please add new entries to the beginning of this file.
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="07234e78-e899-11e1-b38d-0023ae8e59f0">
+    <topic>databases/postgresql*-server -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>postgresql-server</name>
+	<range><gt>8.3.*</gt><lt>8.3.20</lt></range>
+	<range><gt>8.4.*</gt><lt>8.4.13</lt></range>
+	<range><gt>9.0.*</gt><lt>9.0.9</lt></range>
+	<range><gt>9.1.*</gt><lt>9.1.5</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The PostgreSQL Global Development Group reports:</p>
+	<blockquote cite="http://www.postgresql.org/about/news/1407/">
+	  <p>The PostgreSQL Global Development Group today released
+	    security updates for all active branches of the PostgreSQL
+	    database system, including versions 9.1.5, 9.0.9, 8.4.13 and
+	    8.3.20. This update patches security holes associated with
+	    libxml2 and libxslt, similar to those affecting other open
+	    source projects. All users are urged to update their
+	    installations at the first available opportunity</p>
+	  <p>Users who are relying on the built-in XML functionality to
+	    validate external DTDs will need to implement a workaround, as
+	    this security patch disables that functionality. Users who are
+	    using xslt_process() to fetch documents or stylesheets from
+	    external URLs will no longer be able to do so. The PostgreSQL
+	    project regrets the need to disable both of these features in
+	    order to maintain our security standards. These security issues
+	    with XML are substantially similar to issues patched recently
+	    by the Webkit (CVE-2011-1774), XMLsec (CVE-2011-1425) and PHP5
+	    (CVE-2012-0057) projects.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2012-3488</cvename>
+      <cvename>CVE-2012-3489</cvename>
+      <url>http://www.postgresql.org/about/news/1407/</url>
+    </references>
+    <dates>
+      <discovery>2012-08-17</discovery>
+      <entry>2012-08-17</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="db1d3340-e83b-11e1-999b-e0cb4e266481">
     <topic>phpMyAdmin -- Multiple XSS in Table operations, Database structure, Trigger and Visualize GIS data pages</topic>
     <affects>
author	Jason Helfman <jgh@FreeBSD.org>	2012-08-17 19:39:51 +0000
committer	Jason Helfman <jgh@FreeBSD.org>	2012-08-17 19:39:51 +0000
commit	9cf373f5efd4db60af1683e91f2a9e359562622c (patch)
tree	0d6151a4140798b5267168b4a115f7702fbce822
parent	- Update to 6.3.12 (diff)