Hello folks,

Thanks for maintaining PostgreSQL so efficiently on FreeBSD!

The port's default config is to have "XML" enabled by default. This adds a dependency on libxml2, one of the ports with the worst security history [1]. This has 3 consequences:

* bigger maintenance burden -- rebuilding the DBMS upon any libxml2 vulnerability, i.e. multiple/many times per year
* lower uptime -- restarting the DBMS for every rebuild
* lower security in the default installation -- postgresql is insecure when libxml2 is

The vanilla distribution of PostgreSQL has this disabled by default itself.

I would like to open for discussion whether this default build option is worth maintaining. Do the majority of users make use of it? If not, I suggest making it off.

cheers
michele

[1] https://web.nvd.nist.gov/view/vuln/search-results?query=libxml2&search_type=last3years&cves=on
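Before rebuilding the port without the XML option, an administrator will want to know whether the running server was built with libxml support and whether any database actually uses the xml type. The following queries are an added example, not part of the bug thread or the port; they rely only on the standard PostgreSQL system catalogs and are meant to be run in each database of the cluster.

```sql
-- Added example (not from the bug thread): inventory xml-type usage so an
-- admin can decide whether the port's XML option is needed before rebuilding
-- PostgreSQL without libxml2.  Run once per database in the cluster.

-- 1. Was this server built with libxml?  On a build without it, every use of
--    the xml type raises "unsupported XML feature" (SQLSTATE 0A000), so this
--    call erroring out means the XML option is already off.
SELECT xml_is_well_formed('<ok/>');

-- 2. Table, view, materialized-view, partitioned and foreign-table columns
--    declared with the xml type.  An empty result means no stored xml data.
SELECT n.nspname AS schema_name,
       c.relname AS relation_name,
       a.attname AS column_name
FROM pg_attribute a
JOIN pg_class     c ON c.oid = a.attrelid
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_type      t ON t.oid = a.atttypid
WHERE t.typname = 'xml'
  AND a.attnum > 0            -- skip system columns
  AND NOT a.attisdropped      -- skip dropped columns
  AND c.relkind IN ('r', 'v', 'm', 'p', 'f')
ORDER BY 1, 2, 3;

-- 3. User-defined functions that take or return xml; these would start
--    failing at call time once the server is rebuilt without libxml.
SELECT n.nspname AS schema_name,
       p.proname AS function_name
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND ('xml'::regtype::oid = p.prorettype
       OR 'xml'::regtype::oid = ANY (p.proargtypes::oid[]))
ORDER BY 1, 2;
```

If all three checks come back empty (or the first one errors), nothing in that database depends on the libxml2-backed build and the option can be dropped without application impact; a rebuild with XML off is still a restart of the DBMS, which is the uptime cost the report describes.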
XML=on: Build with XML data type is still on
I'll change this with the next upgrade of the port. It could go into a FLAVOR perhaps?
A commit references this bug:

Author: girgen
Date: Fri Aug 10 09:25:24 UTC 2018
New revision: 476819
URL: https://svnweb.freebsd.org/changeset/ports/476819

Log:
  The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 10.5, 9.6.10, 9.5.14, 9.4.19, 9.3.24. This release fixes two security issues as well as bugs reported over the last three months.

  If you have untrusted users accessing your system and you are either running PostgreSQL 9.5 or a newer version OR have installed the "dblink" or "postgres_fdw" extensions, you must apply this update as soon as possible. All other users can upgrade at the next convenient downtime.

  Please note that PostgreSQL changed its versioning scheme with the release of version 10.0, so updating to version 10.5 from any 10.x release is considered a minor update.

  The PostgreSQL Global Development Group also announces that the third beta release of PostgreSQL 11 is now available for download. This release contains previews of all features that will be available in the final release of PostgreSQL 11 (though some details of the release could change before then) as well as bug fixes that were reported during the second beta.

  This release also changes the default option for the server packages to *not* include XML support per default. If you need this, please check the XML option knob and build the port.

  Releasenotes: https://www.postgresql.org/about/news/1878/

  PR:       229523, 198588
  Security: 96eab874-9c79-11e8-b34b-6cc21735f730
  Security: CVE-2018-10915, CVE-2018-10925

Changes:
  head/UPDATING
  head/databases/postgresql10-server/Makefile
  head/databases/postgresql10-server/distinfo
  head/databases/postgresql10-server/pkg-plist-client
  head/databases/postgresql10-server/pkg-plist-server
  head/databases/postgresql93-server/Makefile
  head/databases/postgresql93-server/distinfo
  head/databases/postgresql93-server/pkg-plist-client
  head/databases/postgresql94-server/Makefile
  head/databases/postgresql94-server/distinfo
  head/databases/postgresql94-server/pkg-plist-client
  head/databases/postgresql94-server/pkg-plist-server
  head/databases/postgresql95-server/Makefile
  head/databases/postgresql95-server/distinfo
  head/databases/postgresql95-server/pkg-plist-client
  head/databases/postgresql95-server/pkg-plist-server
  head/databases/postgresql96-server/Makefile
  head/databases/postgresql96-server/distinfo
  head/databases/postgresql96-server/pkg-plist-client
  head/databases/postgresql96-server/pkg-plist-server
Committed. Thanks!
A commit references this bug:

Author: girgen
Date: Tue Sep 25 15:57:10 UTC 2018
New revision: 480671
URL: https://svnweb.freebsd.org/changeset/ports/480671

Log:
  MFH: r476819

  The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 10.5, 9.6.10, 9.5.14, 9.4.19, 9.3.24. This release fixes two security issues as well as bugs reported over the last three months.

  If you have untrusted users accessing your system and you are either running PostgreSQL 9.5 or a newer version OR have installed the "dblink" or "postgres_fdw" extensions, you must apply this update as soon as possible. All other users can upgrade at the next convenient downtime.

  Please note that PostgreSQL changed its versioning scheme with the release of version 10.0, so updating to version 10.5 from any 10.x release is considered a minor update.

  The PostgreSQL Global Development Group also announces that the third beta release of PostgreSQL 11 is now available for download. This release contains previews of all features that will be available in the final release of PostgreSQL 11 (though some details of the release could change before then) as well as bug fixes that were reported during the second beta.

  This release also changes the default option for the server packages to *not* include XML support per default. If you need this, please check the XML option knob and build the port.

  Releasenotes: https://www.postgresql.org/about/news/1878/

  PR:          229523, 198588
  Security:    96eab874-9c79-11e8-b34b-6cc21735f730
  Security:    CVE-2018-10915, CVE-2018-10925
  Approved by: ports-secteam

Changes:
_U  branches/2018Q3/
  branches/2018Q3/UPDATING
  branches/2018Q3/databases/postgresql10-server/Makefile
  branches/2018Q3/databases/postgresql10-server/distinfo
  branches/2018Q3/databases/postgresql10-server/pkg-plist-client
  branches/2018Q3/databases/postgresql10-server/pkg-plist-server
  branches/2018Q3/databases/postgresql93-server/Makefile
  branches/2018Q3/databases/postgresql93-server/distinfo
  branches/2018Q3/databases/postgresql93-server/pkg-plist-client
  branches/2018Q3/databases/postgresql94-server/Makefile
  branches/2018Q3/databases/postgresql94-server/distinfo
  branches/2018Q3/databases/postgresql94-server/pkg-plist-client
  branches/2018Q3/databases/postgresql94-server/pkg-plist-server
  branches/2018Q3/databases/postgresql95-server/Makefile
  branches/2018Q3/databases/postgresql95-server/distinfo
  branches/2018Q3/databases/postgresql95-server/pkg-plist-client
  branches/2018Q3/databases/postgresql95-server/pkg-plist-server
  branches/2018Q3/databases/postgresql96-server/Makefile
  branches/2018Q3/databases/postgresql96-server/distinfo
  branches/2018Q3/databases/postgresql96-server/pkg-plist-client
  branches/2018Q3/databases/postgresql96-server/pkg-plist-server