projects / buildroot.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6606f6c)
package/postgresql: security bump to version 11.3
authorPeter Korsgaard <peter@korsgaard.com>
Thu, 9 May 2019 20:45:28 +0000 (22:45 +0200)
committerPeter Korsgaard <peter@korsgaard.com>
Fri, 10 May 2019 08:30:05 +0000 (10:30 +0200)
Fixes the following security issues:

CVE-2019-10129: Memory disclosure in partition routing

Prior to this release, a user running PostgreSQL 11 can read arbitrary bytes
of server memory by executing a purpose-crafted INSERT statement to a
partitioned table.

CVE-2019-10130: Selectivity estimators bypass row security policies

PostgreSQL maintains statistics for tables by sampling data available in
columns; this data is consulted during the query planning process.  Prior to
this release, a user able to execute SQL queries with permissions to read a
given column could craft a leaky operator that could read whatever data had
been sampled from that column.  If this happened to include values from rows
that the user is forbidden to see by a row security policy, the user could
effectively bypass the policy.  This is fixed by only allowing a
non-leakproof operator to use this data if there are no relevant row
security policies for the table.

For more details, see the release notes:
https://www.postgresql.org/about/news/1939/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/postgresql/postgresql.hash patch | blob | history
package/postgresql/postgresql.mk patch | blob | history

diff --git a/package/postgresql/postgresql.hash b/package/postgresql/postgresql.hash
index c4d7ab55bb71ed01d629b48992b21a39d58e62dd..ba6e02d4d829ae7cdff5202997dbb2d36eb91256 100644 (file)
--- a/package/postgresql/postgresql.hash
+++ b/package/postgresql/postgresql.hash
@@ -1,7 +1,7 @@
-# From https://ftp.postgresql.org/pub/source/v11.2/postgresql-11.2.tar.bz2.md5
-md5 19d43be679cb0d55363feb8926af3a0f  postgresql-11.2.tar.bz2
-# From https://ftp.postgresql.org/pub/source/v11.2/postgresql-11.2.tar.bz2.sha256
-sha256 2676b9ce09c21978032070b6794696e0aa5a476e3d21d60afc036dc0a9c09405  postgresql-11.2.tar.bz2
+# From https://ftp.postgresql.org/pub/source/v11.3/postgresql-11.3.tar.bz2.md5
+md5 c2a729b754b8de86a969c86ec25db076  postgresql-11.3.tar.bz2
+# From https://ftp.postgresql.org/pub/source/v11.3/postgresql-11.3.tar.bz2.sha256
+sha256 2a85e082fc225944821dfd23990e32dfcd2284c19060864b0ad4ca537d30522d  postgresql-11.3.tar.bz2
 
 # License file, Locally calculated
 sha256 c4c86d683970b22b9fab53320ee1b3a30ef4e8223122b4fb6be53ea62ecee8b3  COPYRIGHT
diff --git a/package/postgresql/postgresql.mk b/package/postgresql/postgresql.mk
index 2f2b49ca24b71bd7437af88ad7667f361e0492b5..067679bcbdbbb7d3c297af635b0949b68ae03f37 100644 (file)
--- a/package/postgresql/postgresql.mk
+++ b/package/postgresql/postgresql.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-POSTGRESQL_VERSION = 11.2
+POSTGRESQL_VERSION = 11.3
 POSTGRESQL_SOURCE = postgresql-$(POSTGRESQL_VERSION).tar.bz2
 POSTGRESQL_SITE = http://ftp.postgresql.org/pub/source/v$(POSTGRESQL_VERSION)
 POSTGRESQL_LICENSE = PostgreSQL