Bug 202957 - databases/pgbouncer: update 1.5.5 -> 1.6.1
Summary: databases/pgbouncer: update 1.5.5 -> 1.6.1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Jason Unovitch
Reported: 2015-09-07 19:40 UTC by m.tsatsenko
Modified: 2015-09-09 14:24 UTC

Flags: junovitch: merge-quarterly-

Attachments
the patch (2.76 KB, patch), 2015-09-07 19:40 UTC, m.tsatsenko
the patch (2.30 KB, patch), 2015-09-08 20:55 UTC, m.tsatsenko
pgbouncer-1.6.1.patch (2.18 KB, patch), 2015-09-09 13:45 UTC, Jason Unovitch
security/vuxml for pgbouncer 1.6.0 (1.44 KB, patch), 2015-09-09 13:53 UTC, Jason Unovitch

Comment 1 m.tsatsenko 2015-09-07 19:40:51 UTC
Created attachment 160819
the patch
Comment 3 m.tsatsenko 2015-09-08 20:55:19 UTC
Created attachment 160846
the patch

Hi,
Thanks for the feedback.

Updated patch attached.

Build log: http://pkg.tsatsenko.ru/logs/bulk/93amd64-default/2015-09-08_23h51m31s/logs/pgbouncer-1.6.1.log
Comment 4 Jason Unovitch freebsd_committer 2015-09-09 13:45:53 UTC
Created attachment 160858
pgbouncer-1.6.1.patch

* obsolete 1.6.1 patch *

I made a very small change adding the HTTP mirror to make portlint happy.

WARN: Makefile: no ftp/http mirror in MASTER_SITES for users behind a proxy.

Log:
databases/pgbouncer: update 1.5.5 -> 1.6.1

While here, add HTTP mirror to address portlint

PR:		202957
Submitted by:	m.tsatsenko@gmail.com (maintainer)
Comment 5 Jason Unovitch freebsd_committer 2015-09-09 13:53:04 UTC
Created attachment 160859
security/vuxml for pgbouncer 1.6.0

In the interest of being thorough, security/vuxml to address the issue in 1.6.0.  Users of ports as-is won't be impacted by this, so I don't plan on tagging the update as security related or MFH worthy, but let's make an entry to cover the edge case of a user who manually updated their port to 1.6.0 and did a `make makesum` followed by a local install.

Log:
Document pgbouncer failed auth_query lookups falling back to auth_user

Note the vulnerable version was not committed to ports, however document
the issue in the interest of being thorough and catching any user who made
this as a local change.

PR:		202957
Security:	CVE-2015-6817
Security:	d76961da-56f6-11e5-934b-002590263bf5

Validation:
 % make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pgbouncer-1.5.5
0 problem(s) in the installed packages found.
% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pgbouncer-1.6.0
pgbouncer-1.6.0 is vulnerable:
pgbouncer -- failed auth_query lookup leads to connection as auth_user
CVE: CVE-2015-6817
WWW: https://vuxml.FreeBSD.org/freebsd/d76961da-56f6-11e5-934b-002590263bf5.html

1 problem(s) in the installed packages found.
% env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pgbouncer-1.6.1
0 problem(s) in the installed packages found.
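As an added illustration (not part of this thread or of the vuxml tooling), a small Python version-range check that reproduces the three pkg audit results above for the entry quoted in this comment. The version parser is a simplified stand-in for pkg(8)'s comparison rules, and the range "ge 1.6.0, lt 1.6.1" is inferred from the audit output rather than read from vuln.xml.

```python
import re

# Constructed stand-in for the vuxml entry on this page: the id, topic and
# CVE are the ones quoted in the thread; the range is inferred from the
# pkg audit output (1.6.0 flagged, 1.5.5 and 1.6.1 clean), not parsed from
# vuln.xml.
VULNS = [
    {
        "vid": "d76961da-56f6-11e5-934b-002590263bf5",
        "topic": "pgbouncer -- failed auth_query lookup leads to connection as auth_user",
        "cve": "CVE-2015-6817",
        "package": "pgbouncer",
        "ranges": [{"ge": "1.6.0", "lt": "1.6.1"}],
    }
]

_PIECE = re.compile(r"^(\d+)([A-Za-z]*)$")

def parse_version(pkgver):
    """Parse 'version[_revision][,epoch]' into a comparable tuple.

    Epoch dominates, then the dotted version, then the port revision, so a
    PORTREVISION bump of a vulnerable version (1.6.0_1) stays in range.
    Assumption: each dotted piece is digits with an optional letter suffix,
    which is simpler than the full pkg(8) ruleset.
    """
    epoch = 0
    if "," in pkgver:
        pkgver, epoch_s = pkgver.rsplit(",", 1)
        epoch = int(epoch_s)
    revision = 0
    if "_" in pkgver:
        pkgver, rev_s = pkgver.rsplit("_", 1)
        revision = int(rev_s)
    parts = []
    for piece in pkgver.split("."):
        m = _PIECE.match(piece)
        if not m:
            raise ValueError("unsupported version piece: %r" % piece)
        parts.append((int(m.group(1)), m.group(2)))
    return (epoch, tuple(parts), revision)

_OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
        "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
        "eq": lambda a, b: a == b}

def in_range(version, bounds):
    """True when every bound of one vuxml <range> holds for version."""
    v = parse_version(version)
    return all(_OPS[op](v, parse_version(limit)) for op, limit in bounds.items())

def audit(pkg):
    """Return the vuln ids affecting 'name-version', as pkg audit would."""
    name, version = pkg.rsplit("-", 1)
    return [v["vid"] for v in VULNS if v["package"] == name
            and any(in_range(version, r) for r in v["ranges"])]
```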
Comment 6 Jason Unovitch freebsd_committer 2015-09-09 13:59:23 UTC
Poudriere testport builds were successful on the following:

9.3-RELEASE-p24      amd64
9.3-RELEASE-p24      i386
10.1-RELEASE-p19     amd64
10.1-RELEASE-p19     i386
10.2-RELEASE-p2      amd64
10.2-RELEASE-p2      i386
11.0-CURRENT r286886 amd64
11.0-CURRENT r286888 i386
11.0-CURRENT r287501 arm.armv6
Comment 7 commit-hook freebsd_committer 2015-09-09 14:19:17 UTC
A commit references this bug:

Author: junovitch
Date: Wed Sep  9 14:18:41 UTC 2015
New revision: 396503
URL: https://svnweb.freebsd.org/changeset/ports/396503

Log:
  Document pgbouncer failed auth_query lookups falling back to auth_user

  Note the vulnerable version was not committed to ports, however document
  the issue in the interest of being thorough and catching any user who
  made this as a local change.

  PR:		202957
  Security:	CVE-2015-6817
  Security:	d76961da-56f6-11e5-934b-002590263bf5
  Approved by:	feld (mentor)

Changes:
  head/security/vuxml/vuln.xml
Comment 8 commit-hook freebsd_committer 2015-09-09 14:20:19 UTC
A commit references this bug:

Author: junovitch
Date: Wed Sep  9 14:20:04 UTC 2015
New revision: 396504
URL: https://svnweb.freebsd.org/changeset/ports/396504

Log:
  databases/pgbouncer: update 1.5.5 -> 1.6.1

  While here, add HTTP mirror to address portlint

  PR:		202957
  Submitted by:	m.tsatsenko@gmail.com (maintainer)
  Approved by:	feld (mentor)

Changes:
  head/databases/pgbouncer/Makefile
  head/databases/pgbouncer/distinfo
  head/databases/pgbouncer/files/patch-keepalive
Comment 9 Jason Unovitch freebsd_committer 2015-09-09 14:24:33 UTC
Thanks!

Update committed.  Re-titling PR to reflect actual version change as well as setting merge-quarterly- given that we don't need to MFH this as a security fix.