Bug 198588 - databases/postgresql94-server default dependency on libxml2
Summary: databases/postgresql94-server default dependency on libxml2
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: pgsql
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-15 01:24 UTC by mij@sshguard.net
Modified: 2018-09-25 15:57 UTC
CC List: 2 users

See Also:
bugzilla: maintainer-feedback? (pgsql)


Description mij@sshguard.net 2015-03-15 01:24:16 UTC
Hello folks,

Thanks for maintaining PostgreSQL so efficiently on FreeBSD!

The port's default config is to have "XML" enabled by default. This adds a dependency on libxml2, one of the ports with the worst security history [1]. This has 3 consequences:

* bigger maintenance burden -- rebuilding the DBMS upon any libxml2 vulnerability, i.e. multiple/many times per year
* lower uptime -- restarting the DBMS for every rebuild
* lower security in default installation -- postgresql insecure when libxml2 is

The vanilla distribution of PostgreSQL has this disabled by default itself.

I open for discussion whether this default build option is worth maintaining. Do the majority of users make use of it? If not, I suggest making it off.

cheers
michele

[1] https://web.nvd.nist.gov/view/vuln/search-results?query=libxml2&search_type=last3years&cves=on
Comment 1 Walter Schwarzenfeld freebsd_triage 2018-01-09 05:18:15 UTC
XML=on: Build with XML data type
is still on
Comment 2 Palle Girgensohn freebsd_committer freebsd_triage 2018-02-08 17:43:27 UTC
I'll change this with next upgrade of the port. It could go into a FLAVOR perhaps?
Comment 3 commit-hook freebsd_committer freebsd_triage 2018-08-10 09:25:41 UTC
A commit references this bug:

Author: girgen
Date: Fri Aug 10 09:25:24 UTC 2018
New revision: 476819
URL: https://svnweb.freebsd.org/changeset/ports/476819

Log:
  The PostgreSQL Global Development Group has released an update to all supported
  versions of our database system, including 10.5, 9.6.10, 9.5.14, 9.4.19,
  9.3.24.  This release fixes two security issues as well as bugs reported over
  the last three months.

  If you have untrusted users accessing your system and you are either running
  PostgreSQL 9.5 or a newer version OR have installed the "dblink" or
  "postgres_fdw" extensions, you must apply this update as soon as possible. All
  other users can upgrade at the next convenient downtime.

  Please note that PostgreSQL changed its versioning scheme with the release of
  version 10.0, so updating to version 10.5 from any 10.x release is considered a
  minor update.

  The PostgreSQL Global Development Group also announces that the third beta
  release of PostgreSQL 11 is now available for download. This release contains
  previews of all features that will be available in the final release of
  PostgreSQL 11 (though some details of the release could change before then) as
  well as bug fixes that were reported during the second beta.

  This release also changes the default option for the server packages to *not*
  include XML support per default. If you need this, please check the XML option
  knob and build the port.

  Releasenotes:	https://www.postgresql.org/about/news/1878/
  PR:		229523, 198588
  Security:	96eab874-9c79-11e8-b34b-6cc21735f730
  Security:	CVE-2018-10915, CVE-2018-10925

Changes:
  head/UPDATING
  head/databases/postgresql10-server/Makefile
  head/databases/postgresql10-server/distinfo
  head/databases/postgresql10-server/pkg-plist-client
  head/databases/postgresql10-server/pkg-plist-server
  head/databases/postgresql93-server/Makefile
  head/databases/postgresql93-server/distinfo
  head/databases/postgresql93-server/pkg-plist-client
  head/databases/postgresql94-server/Makefile
  head/databases/postgresql94-server/distinfo
  head/databases/postgresql94-server/pkg-plist-client
  head/databases/postgresql94-server/pkg-plist-server
  head/databases/postgresql95-server/Makefile
  head/databases/postgresql95-server/distinfo
  head/databases/postgresql95-server/pkg-plist-client
  head/databases/postgresql95-server/pkg-plist-server
  head/databases/postgresql96-server/Makefile
  head/databases/postgresql96-server/distinfo
  head/databases/postgresql96-server/pkg-plist-client
  head/databases/postgresql96-server/pkg-plist-server
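The dependency-surface argument in the description and the commit message's advice to turn the XML knob back on only when it is needed both reduce to one check on a host: does the installed PostgreSQL server package actually pull in libxml2, and does that agree with the options recorded for the port? The POSIX shell script below is an added example, not part of this bug or of the FreeBSD ports tree. It parses a constructed sample of the `make config` options file and of `pkg info -d` output and reports whether the two agree; the options-file path, the exact dependency-listing layout and the sample package versions are assumptions.

```shell
#!/bin/sh
# Added example (not from this bug or the ports tree): cross-check the XML
# port option against the installed package's run-time dependencies.
#
# On a real host the two inputs come from (assumed paths/commands):
#   /var/db/ports/databases_postgresql94-server/options   (written by 'make config')
#   pkg info -d postgresql94-server                       (installed dependencies)
# Both are embedded here as constructed samples so the script runs offline.

# Constructed sample: an options file with XML explicitly enabled.
OPTIONS_FILE_SAMPLE='# This file is auto-generated by "make config".
# Options for postgresql94-server-9.4.19
_OPTIONS_READ=postgresql94-server-9.4.19
_FILE_COMPLETE_OPTIONS_LIST=DEBUG DOCS GSSAPI LDAP NLS PAM SSL XML
OPTIONS_FILE_UNSET+=DEBUG
OPTIONS_FILE_SET+=SSL
OPTIONS_FILE_SET+=XML'

# Constructed sample: dependency listing that includes libxml2.
PKG_DEPS_SAMPLE='postgresql94-server-9.4.19:
    postgresql94-client-9.4.19
    libxml2-2.9.8
    openssl-1.0.2p,1'

# xml_option_state OPTIONS_TEXT -> prints "set", "unset" or "default"
xml_option_state() {
    if printf '%s\n' "$1" | grep -q '^OPTIONS_FILE_SET+=XML$'; then
        echo set
    elif printf '%s\n' "$1" | grep -q '^OPTIONS_FILE_UNSET+=XML$'; then
        echo unset
    else
        echo default
    fi
}

# links_libxml2 DEPS_TEXT -> prints "yes" when a libxml2 package is listed
links_libxml2() {
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*libxml2-'; then
        echo yes
    else
        echo no
    fi
}

# xml_audit OPTIONS_TEXT DEPS_TEXT -> one-line verdict on stdout.
# Exit status: 0 = options and package agree, 1 = mismatch (rebuild needed),
# 2 = option not recorded, so the port default decides and we cannot tell.
xml_audit() {
    opt=$(xml_option_state "$1")
    dep=$(links_libxml2 "$2")
    case "$opt/$dep" in
        set/yes)   echo "XML enabled; libxml2 dependency present (expected)"; return 0 ;;
        unset/no)  echo "XML disabled; no libxml2 dependency (expected)"; return 0 ;;
        set/no)    echo "XML enabled but installed package lacks libxml2 (stale package?)"; return 1 ;;
        unset/yes) echo "XML disabled but installed package still depends on libxml2 (rebuild needed)"; return 1 ;;
        *)         echo "XML option not recorded; libxml2 dependency: $dep (port default applies)"; return 2 ;;
    esac
}

# Stand-alone run against the constructed samples.
xml_audit "$OPTIONS_FILE_SAMPLE" "$PKG_DEPS_SAMPLE"
```

On a real host, replace the two samples with `$(cat /var/db/ports/databases_postgresql94-server/options)` and `$(pkg info -d postgresql94-server)`. An exit status of 1 means the installed binary no longer reflects the configured options and must be rebuilt, which is exactly the rebuild-and-restart cost per libxml2 advisory that the reporter describes; exit status 2 means the option was never recorded and the port's default decides, so after r476819 that default is off.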
Comment 4 Palle Girgensohn freebsd_committer freebsd_triage 2018-08-10 09:44:46 UTC
Committed. Thanks!
Comment 5 commit-hook freebsd_committer freebsd_triage 2018-09-25 15:57:42 UTC
A commit references this bug:

Author: girgen
Date: Tue Sep 25 15:57:10 UTC 2018
New revision: 480671
URL: https://svnweb.freebsd.org/changeset/ports/480671

Log:
  MFH: r476819

  The PostgreSQL Global Development Group has released an update to all supported
  versions of our database system, including 10.5, 9.6.10, 9.5.14, 9.4.19,
  9.3.24.  This release fixes two security issues as well as bugs reported over
  the last three months.

  If you have untrusted users accessing your system and you are either running
  PostgreSQL 9.5 or a newer version OR have installed the "dblink" or
  "postgres_fdw" extensions, you must apply this update as soon as possible. All
  other users can upgrade at the next convenient downtime.

  Please note that PostgreSQL changed its versioning scheme with the release of
  version 10.0, so updating to version 10.5 from any 10.x release is considered a
  minor update.

  The PostgreSQL Global Development Group also announces that the third beta
  release of PostgreSQL 11 is now available for download. This release contains
  previews of all features that will be available in the final release of
  PostgreSQL 11 (though some details of the release could change before then) as
  well as bug fixes that were reported during the second beta.

  This release also changes the default option for the server packages to *not*
  include XML support per default. If you need this, please check the XML option
  knob and build the port.

  Releasenotes:	https://www.postgresql.org/about/news/1878/
  PR:		229523, 198588
  Security:	96eab874-9c79-11e8-b34b-6cc21735f730
  Security:	CVE-2018-10915, CVE-2018-10925

  Approved by:	ports-secteam

Changes:
_U  branches/2018Q3/
  branches/2018Q3/UPDATING
  branches/2018Q3/databases/postgresql10-server/Makefile
  branches/2018Q3/databases/postgresql10-server/distinfo
  branches/2018Q3/databases/postgresql10-server/pkg-plist-client
  branches/2018Q3/databases/postgresql10-server/pkg-plist-server
  branches/2018Q3/databases/postgresql93-server/Makefile
  branches/2018Q3/databases/postgresql93-server/distinfo
  branches/2018Q3/databases/postgresql93-server/pkg-plist-client
  branches/2018Q3/databases/postgresql94-server/Makefile
  branches/2018Q3/databases/postgresql94-server/distinfo
  branches/2018Q3/databases/postgresql94-server/pkg-plist-client
  branches/2018Q3/databases/postgresql94-server/pkg-plist-server
  branches/2018Q3/databases/postgresql95-server/Makefile
  branches/2018Q3/databases/postgresql95-server/distinfo
  branches/2018Q3/databases/postgresql95-server/pkg-plist-client
  branches/2018Q3/databases/postgresql95-server/pkg-plist-server
  branches/2018Q3/databases/postgresql96-server/Makefile
  branches/2018Q3/databases/postgresql96-server/distinfo
  branches/2018Q3/databases/postgresql96-server/pkg-plist-client
  branches/2018Q3/databases/postgresql96-server/pkg-plist-server