Fixes the following security issues:
CVE-2017-12172: Start scripts permit database administrator to modify
root-owned files.
CVE-2017-15098: Memory disclosure in JSON functions.
CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT
privileges.
See the announcement for more details:
https://www.postgresql.org/about/news/1801/
While we're at it, also add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit b97353f2b5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues (9.6.4):
CVE-2017-7546: Empty password accepted in some authentication methods
CVE-2017-7547: The "pg_user_mappings" catalog view discloses passwords to users lacking server privileges
CVE-2017-7548: lo_put() function ignores ACLs
For more info, see https://www.postgresql.org/about/news/1772/
[Peter: extend commit message with security fixes info]
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 95e284bd27)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Three security vulnerabilities have been closed by this release:
CVE-2017-7484: selectivity estimators bypass SELECT privilege checks
CVE-2017-7485: libpq ignores PGREQUIRESSL environment variable
CVE-2017-7486: pg_user_mappings view discloses foreign server passwords
More details: https://www.postgresql.org/about/news/1746/
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit e2bb446ff5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2016-5423 - CASE/WHEN with inlining can cause untrusted pointer
dereference (bsc#993454).
CVE-2016-5424 - Fix client programs' handling of special characters in
database and role names (bsc#993453).
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2016-0766 - privilege escalation issue for users of PL/Java.
CVE-2016-0773 - issue with regular expression (regex) parsing. Prior
code allowed users to pass in expressions which included out-of-range
Unicode characters, triggering a backend crash. This issue is critical
for PostgreSQL systems with untrusted users or which generate regexes
based on user input.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2015-5289: json or jsonb input values constructed from arbitrary
user input can crash the PostgreSQL server and cause a denial of
service.
CVE-2015-5288: The crypt() function included with the optional pgCrypto
extension could be exploited to read a few additional bytes of memory.
No working exploit for this issue has been developed.
sparc build fix patch upstream so drop it.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Reviewed-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Tested-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
