- Update to 1.6

Build log: http://pkg.tsatsenko.ru/logs/bulk/93amd64-default/2015-09-07_22h37m06s/logs/pgbouncer-1.6.log
Created attachment 160819 [details]
the patch
Take PR. However, can you please update this to 1.6.1? See http://www.openwall.com/lists/oss-security/2015/09/04/3, https://pgbouncer.github.io/2015/09/pgbouncer-1-6-1/, or https://github.com/pgbouncer/pgbouncer/issues/69.
Created attachment 160846 [details]
the patch

Hi,

Thanks for the feedback. Updated patch attached.

Build log: http://pkg.tsatsenko.ru/logs/bulk/93amd64-default/2015-09-08_23h51m31s/logs/pgbouncer-1.6.1.log
Created attachment 160858 [details]
pgbouncer-1.6.1.patch

* obsolete 1.6.1 patch *

I made a very small change adding the HTTP mirror to make portlint happy.

WARN: Makefile: no ftp/http mirror in MASTER_SITES for users behind a proxy.

Log:
databases/pgbouncer: update 1.5.5 -> 1.6.1

While here, add HTTP mirror to address portlint

PR:		202957
Submitted by:	m.tsatsenko@gmail.com (maintainer)
Created attachment 160859 [details]
security/vuxml for pgbouncer 1.6.0

In the interest of being thorough, security/vuxml to address the issue in 1.6.0. Users of ports as-is won't be impacted by this so I don't plan on tagging the update as security related or MFH worthy, but let's make an entry to cover the edge case of a user who manually updated their port to 1.6.0 and did a `make makesum` followed by a local install.

Log:
Document pgbouncer failed auth_query lookups falling back to auth_user

Note the vulnerable version was not committed to ports, however document the issue in the interest of being thorough and catching any user who made this as a local change.

PR:		202957
Security:	CVE-2015-6817
Security:	d76961da-56f6-11e5-934b-002590263bf5

Validation:

% make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pgbouncer-1.5.5
0 problem(s) in the installed packages found.

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pgbouncer-1.6.0
pgbouncer-1.6.0 is vulnerable:
pgbouncer -- failed auth_query lookup leads to connection as auth_user
CVE: CVE-2015-6817
WWW: https://vuxml.FreeBSD.org/freebsd/d76961da-56f6-11e5-934b-002590263bf5.html

1 problem(s) in the installed packages found.

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pgbouncer-1.6.1
0 problem(s) in the installed packages found.
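For readers checking whether a locally built 1.6.0 is exposed, the configuration pattern the entry covers is the auth_user/auth_query setup. The pgbouncer.ini below is an added illustration, not part of this PR, the port, or the pgbouncer project; the database name, host, port, file path and role name (pgbouncer_auth) are assumed values. The auth_query shown is pgbouncer's documented default.

```ini
; Added illustration (not from the PR or the port): a pgbouncer.ini using the
; auth_user/auth_query mechanism that CVE-2015-6817 concerns.
; Database, host, port, path and role names are assumed values.

[databases]
; Backend the pool forwards to.
appdb = host=127.0.0.1 port=5432 dbname=appdb

[pgbouncer]
listen_addr = 127.0.0.1
listen_port = 6432
auth_type = md5

; Roles pgbouncer knows locally. With auth_query in use it only needs to
; hold the auth_user entry; everything else is looked up on the backend.
auth_file = /usr/local/etc/pgbouncer/userlist.txt

; Role pgbouncer uses to run auth_query for users not listed in auth_file.
auth_user = pgbouncer_auth

; Fetches the connecting user's password hash from the backend.
; On 1.6.0 a lookup that returns no row does not reject the client: the
; client ends up connected as auth_user (the vuxml topic). 1.6.1 refuses
; the login instead. This is pgbouncer's default auth_query.
auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename=$1
```

A quick probe on a pooler running this config is to connect through it with a role name that does not exist on the backend (for example `psql -h 127.0.0.1 -p 6432 -U no_such_role appdb -c 'SELECT current_user'`) and see whether the login is refused or a session comes back reporting the auth_user role. Independently of the version, keep auth_user's backend privileges to the minimum the lookup needs, since any bug in the lookup path is bounded by what that role can do.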
Poudriere testport builds were successful on the following:

9.3-RELEASE-p24 amd64
9.3-RELEASE-p24 i386
10.1-RELEASE-p19 amd64
10.1-RELEASE-p19 i386
10.2-RELEASE-p2 amd64
10.2-RELEASE-p2 i386
11.0-CURRENT r286886 amd64
11.0-CURRENT r286888 i386
11.0-CURRENT r287501 arm.armv6
A commit references this bug:

Author: junovitch
Date: Wed Sep 9 14:18:41 UTC 2015
New revision: 396503
URL: https://svnweb.freebsd.org/changeset/ports/396503

Log:
Document pgbouncer failed auth_query lookups falling back to auth_user

Note the vulnerable version was not committed to ports, however document the issue in the interest of being thorough and catching any user who made this as a local change.

PR:		202957
Security:	CVE-2015-6817
Security:	d76961da-56f6-11e5-934b-002590263bf5
Approved by:	feld (mentor)

Changes:
head/security/vuxml/vuln.xml
A commit references this bug:

Author: junovitch
Date: Wed Sep 9 14:20:04 UTC 2015
New revision: 396504
URL: https://svnweb.freebsd.org/changeset/ports/396504

Log:
databases/pgbouncer: update 1.5.5 -> 1.6.1

While here, add HTTP mirror to address portlint

PR:		202957
Submitted by:	m.tsatsenko@gmail.com (maintainer)
Approved by:	feld (mentor)

Changes:
head/databases/pgbouncer/Makefile
head/databases/pgbouncer/distinfo
head/databases/pgbouncer/files/patch-keepalive
Thanks! Update committed. Re-titling PR to reflect actual version change as well as setting merge-quarterly- given that we don't need to MFH this as a security fix.