CVSROOT: /cvs
Module name: ports
Changes by: st...@cvs.openbsd.org 2020/11/14 04:49:30
Modified files:
databases/postgresql: Tag: OPENBSD_6_8 Makefile distinfo
databases/postgresql/pkg: Tag: OPENBSD_6_8 PLIST-docs
Log message:
MFC security update to postgresql 12.5
CVE-2020-25695: Multiple features escape "security restricted operation" sandbox
CVE-2020-25694: Reconnection can downgrade connection security settings
CVE-2020-25696: psql's \gset allows overwriting specially treated variables
CVE-2020-25695 is serious; more info below. Notes for the others are at
https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/
Versions Affected: 9.5 - 13.
An attacker having permission to create non-temporary objects in at
least one schema can execute arbitrary SQL functions under the identity
of a superuser.
While promptly updating PostgreSQL is the best remediation for most
users, a user unable to do that can work around the vulnerability by
disabling autovacuum and not manually running ANALYZE, CLUSTER, REINDEX,
CREATE INDEX, VACUUM FULL, REFRESH MATERIALIZED VIEW, or a restore from
output of the pg_dump command. Performance may degrade quickly under
this workaround.
VACUUM without the FULL option is safe, and all commands are fine when a
trusted user owns the target object.
