Subject: pkg/30638: postgresql74-server security update
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <geert.hendrickx@ua.ac.be>
List: pkgsrc-bugs
Date: 06/30/2005 09:23:00
>Number:         30638
>Category:       pkg
>Synopsis:       postgresql74-server security update
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Thu Jun 30 09:23:00 +0000 2005
>Originator:     Geert Hendrickx
>Release:        
>Organization:
>Environment:
>Description:
postgresql74-server (version 7.4.7) has been flagged as vulnerable for a
while now (also in pkgsrc-2005Q5); however, an update (version 7.4.8) was
released by PostgreSQL more than a month ago.
>How-To-Repeat:

>Fix:
Here are the diffs to update the postgresql74-* packages to 7.4.8.  The
only real difference (to pkgsrc) is that our postgresql74/patches/patch-ah
has now been applied upstream, so that patch doesn't apply anymore, and of 
course that postgresql74-7.4.8 is not vulnerable anymore. :-)

postgresql74-libs, -client, -server and -doc build fine with these patches.


--- databases/postgresql74/Makefile.common      2005-05-22 22:07:46.000000000 +0200
+++ databases/postgresql74/Makefile.common   2005-06-29 11:39:35.000000000 +0200
@@ -36,7 +36,7 @@
 # BASE_VERS            pkgsrc-mangled version number (convert pl -> .)
 #
 # Note: Do not forget jdbc-postgresql when updating version
-DIST_VERS?=            7.4.7
+DIST_VERS?=            7.4.8
 BASE_VERS?=            ${DIST_VERS}
   
 BUILDLINK_DEPENDS.postgresql74-lib?=   postgresql74-lib>=${BASE_VERS}
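
Review bot: the context comment directly above the DIST_VERS change says "Do not forget jdbc-postgresql when updating version", yet this submission carries no jdbc-postgresql change. Either include the matching update or state in the PR why none is needed for the 7.4.7 to 7.4.8 bump, so the reminder is not silently skipped.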

--- databases/postgresql74/distinfo     2005-03-17 23:35:48.000000000 +0100
+++ databases/postgresql74/distinfo  2005-06-29 11:59:15.000000000 +0200
@@ -1,8 +1,8 @@
 $NetBSD: distinfo,v 1.17 2005/03/17 22:35:48 jschauma Exp $

-SHA1 (postgresql-7.4.7.tar.bz2) = 48fe9187ae1776265756b807254552b4f6bcfcb8
-RMD160 (postgresql-7.4.7.tar.bz2) = 1bbb64c8a9b95cafe0254a0994752b8bbb624346
-Size (postgresql-7.4.7.tar.bz2) = 10235394 bytes
+SHA1 (postgresql-7.4.8.tar.bz2) = a565ff14e1a3b58a151b219bcffcf53dfc62ec41
+RMD160 (postgresql-7.4.8.tar.bz2) = 3ee8c70e0506e2a49bae20bc2282391513ee9d65
+Size (postgresql-7.4.8.tar.bz2) = 10235413 bytes
 SHA1 (patch-aa) = 626b4b4bf0d47913072399535c55d413b90675a4
 SHA1 (patch-ab) = f44a544c56452bad197a88cb827e88624c54656c
 SHA1 (patch-ac) = 81ef677cc5d196762b6cc3c3e38dee4a37e75ac2
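
Review bot: the three new postgresql-7.4.8.tar.bz2 lines (SHA1, RMD160, Size) reach the tree only through this mail, so they should not be committed as typed. Fetch the distfile from the upstream master site, regenerate the entries locally (for example with `make makesum`), and confirm they match the `+` lines here before committing; a mismatch means the values in the mail and the tarball actually fetched do not agree and needs to be resolved first.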
@@ -10,4 +10,3 @@
 SHA1 (patch-ae) = f0e0ad98ebdc972e7c40afd805fbb0d909d5ef3b
 SHA1 (patch-af) = 7373db75fda125b980f2ead990719798c0d22a48
 SHA1 (patch-ag) = a983f23b5e47a4c2f31ba284ff3db51b53cf8414
-SHA1 (patch-ah) = 4cc4e45679284815c32a5ff3b461b12df55d07c2
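
Review bot: dropping the patch-ah entry from distinfo is only correct if patches/patch-ah is removed in the same commit, and the diff does not carry that deletion; the trailing "Only in databases/postgresql74/patches: patch-ah" line is the only hint of it. The committer should remove the file explicitly, so that patches/ and distinfo stay in sync, and confirm against the 7.4.8 sources that the change patch-ah made is really present upstream.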

Only in databases/postgresql74/patches: patch-ah