Fixes the following security issues:
- CVE-2020-1720: ALTER ... DEPENDS ON EXTENSION is missing authorization checks
https://www.postgresql.org/about/news/2011/
Update the license hash for a change in copyright years:
-Portions Copyright (c) 1996-2019, PostgreSQL Global Development Group
+Portions Copyright (c) 1996-2020, PostgreSQL Global Development Group
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2019-10129: Memory disclosure in partition routing
Prior to this release, a user running PostgreSQL 11 can read arbitrary bytes
of server memory by executing a purpose-crafted INSERT statement to a
partitioned table.
CVE-2019-10130: Selectivity estimators bypass row security policies
PostgreSQL maintains statistics for tables by sampling data available in
columns; this data is consulted during the query planning process. Prior to
this release, a user able to execute SQL queries with permissions to read a
given column could craft a leaky operator that could read whatever data had
been sampled from that column. If this happened to include values from rows
that the user is forbidden to see by a row security policy, the user could
effectively bypass the policy. This is fixed by only allowing a
non-leakproof operator to use this data if there are no relevant row
security policies for the table.
For more details, see the release notes:
https://www.postgresql.org/about/news/1939/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5ea93e24cb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
During activation, pg_ctl uses exec to start the db server, which causes
the service to never finish activating when Type=forking. Upstream
recommends configuring --with-systemd and using Type=notify.
https://www.postgresql.org/docs/10/static/server-start.html
Upstream says:
When using systemd, you can use the following service unit file
[...]
Using Type=notify requires that the server binary was built with
configure --with-systemd.
Signed-off-by: Joseph Kogut <joseph.kogut@gmail.com>
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
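As an added illustration (not part of this Buildroot commit or its patch), a service unit in the shape upstream documents for a server built with configure --with-systemd. The binary and data-directory paths are assumptions for a Buildroot target and must match the package's install layout:

```ini
[Unit]
Description=PostgreSQL database server
Documentation=man:postgres(1)
After=network.target

[Service]
# Type=notify: postgres reports readiness to systemd itself once it
# accepts connections (only works when built with --with-systemd).
# With Type=forking, systemd waits for the launched process to exit
# after forking the daemon; pg_ctl exec()s the server instead, so the
# unit stays "activating" forever.
Type=notify
User=postgres
Group=postgres
# Paths are assumptions; adjust them to the Buildroot install layout.
ExecStart=/usr/bin/postgres -D /var/lib/pgsql
ExecReload=/bin/kill -HUP $MAINPID
# SIGINT requests a fast shutdown; mixed lets the postmaster stop its
# own children before systemd signals the remaining control group.
KillMode=mixed
KillSignal=SIGINT
# Crash recovery can take a long time; do not time out start or stop.
TimeoutSec=0

[Install]
WantedBy=multi-user.target
```

Start the server directly with postgres rather than through pg_ctl so that the PID systemd tracks is the postmaster and the readiness notification comes from the right process.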
The postgresql package is now built with --with-libxml if
BR2_PACKAGE_LIBXML2 is selected to allow the use of XML functions in
postgresql.
Signed-off-by: Daniel Deterding <dde@innovaphone.com>
Signed-off-by: Thomas Ehrhardt <tehrhardt@innovaphone.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Some external packages call pg_config to determine the installed PostgreSQL
version. Add this output to Buildroot's own pg_config, so these packages
compile correctly.
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Add a hash for the license file.
- PostgreSQL 10.0 and above will default to checking for /dev/urandom if an
SSL library is not found, which will fail when cross compiling.
Since /dev/urandom is guaranteed to be provided on Linux systems,
add ac_cv_file__dev_urandom=yes to the configure environment if an SSL library
is not selected.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
[Thomas: minor tweaks to the /dev/urandom comment in the .mk file.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes the following security issues:
CVE-2017-12172: Start scripts permit database administrator to modify
root-owned files.
CVE-2017-15098: Memory disclosure in JSON functions.
CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT
privileges.
See the announcement for more details:
https://www.postgresql.org/about/news/1801/
While we're at it, also add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Just needed to add --with-ldap to POSTGRESQL_CONF_OPTS and add openldap
to POSTGRESQL_DEPENDENCIES when BR2_PACKAGE_OPENLDAP is on.
Signed-off-by: Chris Frederick <cdf123@cdf123.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2016-5423 - CASE/WHEN with inlining can cause untrusted pointer
dereference (bsc#993454).
CVE-2016-5424 - Fix client programs' handling of special characters in
database and role names (bsc#993453).
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2016-0766 - privilege escalation issue for users of PL/Java.
CVE-2016-0773 - issue with regular expression (regex) parsing. Prior
code allowed users to pass in expressions which included out-of-range
Unicode characters, triggering a backend crash. This issue is critical
for PostgreSQL systems with untrusted users or which generate regexes
based on user input.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2015-5289: json or jsonb input values constructed from arbitrary
user input can crash the PostgreSQL server and cause a denial of
service.
CVE-2015-5288: The crypt() function included with the optional pgCrypto
extension could be exploited to read a few additional bytes of memory.
No working exploit for this issue has been developed.
The sparc build fix patch is upstream, so drop it.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Reviewed-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Tested-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The 'ZIC=$$(ZIC)' assignment is seen as 'ZIC=$(ZIC)' by the shell, which
interprets it as a command substitution, causing an error like:
/bin/sh: ZIC: command not found
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- overwrite platform support with linux template
- disable spinlock support
[Thomas: use the --with-template=linux option unconditionally.]
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Assist configure's IPv6 support detection for uClibc; this fixes the
following uClibc compile failure:
auth.c: In function ‘CheckRADIUSAuth’:
auth.c:2379:24: error: ‘in6addr_any’ undeclared (first use in this function)
localaddr.sin6_addr = in6addr_any;
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>