From 7f4822d46a839d75ff652fa2d124b18fbed4d90e Mon Sep 17 00:00:00 2001 From: Palle Girgensohn Date: Thu, 4 Apr 2013 13:21:22 +0000 Subject: The PostgreSQL Global Development Group has released a security update to all current versions of the PostgreSQL database system, including versions 9.2.4, 9.1.9, 9.0.13, and 8.4.17. This update fixes a high-exposure security vulnerability in versions 9.0 and later. All users of the affected versions are strongly urged to apply the update *immediately*. A major security issue (for versions 9.x only) fixed in this release, [CVE-2013-1899](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899), makes it possible for a connection request containing a database name that begins with "-" to be crafted that can damage or destroy files within a server's data directory. Anyone with access to the port the PostgreSQL server listens on can initiate this request. This issue was discovered by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source Software Center. Two lesser security fixes are also included in this release: [CVE-2013-1900](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900), wherein random numbers generated by contrib/pgcrypto functions may be easy for another database user to guess (all versions), and [CVE-2013-1901](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901), which mistakenly allows an unprivileged user to run commands that could interfere with in-progress backups (for versions 9.x only). Approved by: portmgr (bdrewery) URL: http://www.postgresql.org/about/news/1456/ Security: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899 Security: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900 Security: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901 --- databases/postgresql83-server/Makefile | 2 +- .../postgresql83-server/files/patch-ssl-init-state | 25 ++++++++++++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 databases/postgresql83-server/files/patch-ssl-init-state (limited to 'databases/postgresql83-server') diff --git a/databases/postgresql83-server/Makefile b/databases/postgresql83-server/Makefile index 0ec17f90a23c..bd580c1df9a1 100644 --- a/databases/postgresql83-server/Makefile +++ b/databases/postgresql83-server/Makefile @@ -6,7 +6,7 @@ # DISTVERSION?= 8.3.23 -PORTREVISION?= 0 +PORTREVISION?= 1 PKGNAMESUFFIX?= -server MAINTAINER?= pgsql@FreeBSD.org diff --git a/databases/postgresql83-server/files/patch-ssl-init-state b/databases/postgresql83-server/files/patch-ssl-init-state new file mode 100644 index 000000000000..edfc33622410 --- /dev/null +++ b/databases/postgresql83-server/files/patch-ssl-init-state @@ -0,0 +1,25 @@ +--- src/backend/postmaster/fork_process.c.orig 2013-02-04 22:29:07.000000000 +0100 ++++ src/backend/postmaster/fork_process.c 2013-04-02 12:57:18.489126586 +0200 +@@ -15,6 +15,9 @@ + #include + #include + #include ++#ifdef USE_SSL ++#include ++#endif + + #ifndef WIN32 + /* +@@ -60,6 +63,12 @@ + setitimer(ITIMER_PROF, &prof_itimer, NULL); + #endif + ++ /* ++ * Make sure processes do not share OpenSSL randomness state. ++ */ ++#ifdef USE_SSL ++ RAND_cleanup(); ++#endif + } + + return result; -- cgit v1.2.3