CVSROOT: /cvs Module name: ports Changes by: st...@cvs.openbsd.org 2020/11/14 04:49:30
Modified files: databases/postgresql: Tag: OPENBSD_6_8 Makefile distinfo databases/postgresql/pkg: Tag: OPENBSD_6_8 PLIST-docs Log message: MFC security update to postgresql 12.5 CVE-2020-25695: Multiple features escape "security restricted operation" sandbox CVE-2020-25694: Reconnection can downgrade connection security settings CVE-2020-25696: psql's \gset allows overwriting specially treated variables CVE-2020-25695 is serious; more info below. Notes for the others are at https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/ Versions Affected: 9.5 - 13. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. While promptly updating PostgreSQL is the best remediation for most users, a user unable to do that can work around the vulnerability by disabling autovacuum and not manually running ANALYZE, CLUSTER, REINDEX, CREATE INDEX, VACUUM FULL, REFRESH MATERIALIZED VIEW, or a restore from output of the pg_dump command. Performance may degrade quickly under this workaround. VACUUM without the FULL option is safe, and all commands are fine when a trusted user owns the target object.