Bug 244985

Summary: databases/postgresql*-server
Product: Ports & Packages
Reporter: Harrison Grundy <harrison.grundy>
Component: Individual Port(s)
Assignee: Jochen Neumeister <joneum>
Status: Closed FIXED
Severity: Affects Many People
CC: girgen, joneum, ports-secteam, swills
Priority: ---
Keywords: security
Version: Latest
Hardware: Any
OS: Any

Description Harrison Grundy 2020-03-22 20:37:57 UTC
9, 10, 11, and 12 need to be tagged MFH for CVE-2020-1720

r526063
Comment 1 Jochen Neumeister freebsd_committer freebsd_triage 2020-03-23 09:53:20 UTC
take as part of ports-secteam
Comment 2 commit-hook freebsd_committer freebsd_triage 2020-03-29 20:36:30 UTC
A commit references this bug:

Author: girgen
Date: Sun Mar 29 19:58:17 UTC 2020
New revision: 529830
URL: https://svnweb.freebsd.org/changeset/ports/529830

Log:
  MFH: r526063 r527871

  The PostgreSQL Global Development Group has released an update to all
  supported versions of our database system, including 12.2, 11.7, 10.12,
  9.6.17, 9.5.21, and 9.4.26. This release fixes one security issue found
  in the PostgreSQL server and over 75 bugs reported over the last three
  months.

  Users should plan to update as soon as possible.

  PostgreSQL 9.4 Now EOL

  This is the last release for PostgreSQL 9.4, which will no longer
  receive security updates and bug fixes. PostgreSQL 9.4 introduced new
  features such as JSONB support, the `ALTER SYSTEM` command, the ability
  to stream logical changes to an output plugin, and more:

   https://www.postgresql.org/about/news/1557/
   https://www.postgresql.org/docs/9.4/release-9-4.html

  While we are very proud of this release, these features are also found
  in newer versions of PostgreSQL. Many of these features have also
  received improvements, and, per our versioning policy, it is time to
  retire PostgreSQL 9.4.

  To receive continued support, we suggest that you make plans to upgrade
  to a newer, supported version of PostgreSQL. Please see the PostgreSQL
  versioning policy for more information.

  Security Issues

  * CVE-2020-1720: `ALTER ... DEPENDS ON EXTENSION` is missing
  authorization checks.

  Versions Affected: 9.6 - 12

  The `ALTER ... DEPENDS ON EXTENSION` sub-commands do not perform
  authorization checks, which can allow an unprivileged user to drop any
  function, procedure, materialized view, index, or trigger under certain
  conditions. This attack is possible if an administrator has installed an
  extension and an unprivileged user can `CREATE`, or an extension owner
  either executes `DROP EXTENSION` predictably or can be convinced to
  execute `DROP EXTENSION`.

  Release notes: https://www.postgresql.org/docs/current/release.html

  databases/postgresql12-server: fix build on GCC architectures

  Use LLVM only if Clang is used.

  PR:		244225, 244985
  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2020Q1/
  branches/2020Q1/databases/postgresql10-server/Makefile
  branches/2020Q1/databases/postgresql10-server/distinfo
  branches/2020Q1/databases/postgresql11-server/Makefile
  branches/2020Q1/databases/postgresql11-server/distinfo
  branches/2020Q1/databases/postgresql12-server/Makefile
  branches/2020Q1/databases/postgresql12-server/distinfo
  branches/2020Q1/databases/postgresql12-server/pkg-plist-client
  branches/2020Q1/databases/postgresql12-server/pkg-plist-server
  branches/2020Q1/databases/postgresql94-server/Makefile
  branches/2020Q1/databases/postgresql94-server/distinfo
  branches/2020Q1/databases/postgresql95-server/Makefile
  branches/2020Q1/databases/postgresql95-server/distinfo
  branches/2020Q1/databases/postgresql96-server/Makefile
  branches/2020Q1/databases/postgresql96-server/distinfo
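The announcement quoted above lists the minor releases that carry the CVE-2020-1720 fix (12.2, 11.7, 10.12, 9.6.17) and names 9.6 through 12 as the affected major lines. The following checker is an added example, not code from this bug, the FreeBSD ports tree or the PostgreSQL project. It takes the string a server reports from `SELECT version()` or `pg_config --version` (e.g. "PostgreSQL 11.6 on amd64-portbld-freebsd12.1, ..."), or a FreeBSD package name as printed by `pkg info` (e.g. "postgresql11-server-11.6"), and reports whether that build is at or past the fixed release for its line. The fixed-release table is taken from the announcement; the input formats and the classification labels are this example's own assumptions.

```python
"""Classify a PostgreSQL build relative to the CVE-2020-1720 fix releases.

Added example for this bug record; the FIXED_RELEASES table comes from the
release announcement quoted in the commit message above.  Input formats
(version() output, pg_config output, FreeBSD package names) are assumed.
"""
import re

# Minor releases that shipped the fix, per the announcement.
# 10+ use MAJOR.MINOR; the 9.x lines use MAJOR.MAJOR.MINOR.
FIXED_RELEASES = {
    "12": (12, 2),
    "11": (11, 7),
    "10": (10, 12),
    "9.6": (9, 6, 17),
    "9.5": (9, 5, 21),
    "9.4": (9, 4, 26),
}

# The announcement lists "Versions Affected: 9.6 - 12" for CVE-2020-1720;
# 9.5 and 9.4 received a point release in the same batch but are not named.
AFFECTED_LINES = {"9.6", "10", "11", "12"}

# "PostgreSQL 11.6 on amd64-..." / "PostgreSQL 9.6.16" (version(), pg_config)
_SERVER_RE = re.compile(r"PostgreSQL\s+(\d+)\.(\d+)(?:\.(\d+))?")
# "postgresql11-server-11.6_1" / "postgresql96-client-9.6.16" (pkg info)
_PKG_RE = re.compile(r"postgresql\d+-(?:server|client|contrib)-(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major_line, release_tuple) for a recognised version string,
    or None when neither format matches (beta/devel builds have no numeric
    minor and are reported as unknown rather than guessed)."""
    m = _SERVER_RE.search(text) or _PKG_RE.search(text)
    if m is None:
        return None
    a, b, c = m.groups()
    if int(a) >= 10:
        # Two-part numbering: "11.6" is major line 11, minor 6.
        return a, (int(a), int(b))
    # Three-part numbering: "9.6.16" is major line 9.6, minor 16.
    return f"{a}.{b}", (int(a), int(b), int(c) if c is not None else 0)


def cve_2020_1720_status(text):
    """Classify a build as 'fixed', 'vulnerable', 'not-affected',
    'unsupported' or 'unknown' with respect to CVE-2020-1720."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    line, release = parsed
    if line in AFFECTED_LINES:
        return "fixed" if release >= FIXED_RELEASES[line] else "vulnerable"
    if line in FIXED_RELEASES:
        # 9.4 / 9.5: got a release in this batch, but the advisory does not
        # list them as affected by this CVE (9.4 is EOL as of this release).
        return "not-affected"
    if int(line.split(".")[0]) > 12:
        # Major lines newer than 12 were first released after the fix.
        return "not-affected"
    # Anything older than 9.4 was already out of support before this advisory.
    return "unsupported"


def classify_inventory(lines):
    """Run the check over a list of version strings (one host or package per
    entry) and return {input: status}, useful for a fleet sweep."""
    return {line: cve_2020_1720_status(line) for line in lines}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        "PostgreSQL 11.6 on amd64-portbld-freebsd12.1, compiled by FreeBSD clang version 8.0.1",
        "PostgreSQL 12.2 on amd64-portbld-freebsd12.1, compiled by FreeBSD clang version 8.0.1",
        "postgresql96-server-9.6.16",
        "postgresql10-server-10.12_1",
        "PostgreSQL 9.5.20",
    ]
    for entry, status in classify_inventory(sample).items():
        print(f"{status:13s} {entry}")
```

Run it as a script to see the sample sweep, or import `cve_2020_1720_status` and feed it the output of `psql -Atc 'SELECT version()'` from each host; any result other than `fixed` or `not-affected` is a host that still needs the MFH'd port update. Pre-release strings such as "12beta1" deliberately come back as `unknown` so they are not silently treated as patched.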