diff options
Diffstat (limited to 'meta-oe')
-rw-r--r-- | meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch | 13 | ||||
-rw-r--r-- | meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch | 9 | ||||
-rw-r--r-- | meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch (renamed from meta-oe/recipes-dbs/postgresql/files/0001-configure.in-bypass-autoconf-2.69-version-check.patch) | 22 | ||||
-rw-r--r-- | meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch | 116 | ||||
-rw-r--r-- | meta-oe/recipes-dbs/postgresql/files/CVE-2021-23222.patch | 131 | ||||
-rw-r--r-- | meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch | 17 | ||||
-rw-r--r-- | meta-oe/recipes-dbs/postgresql/postgresql.inc | 29 | ||||
-rw-r--r-- | meta-oe/recipes-dbs/postgresql/postgresql_14.1.bb (renamed from meta-oe/recipes-dbs/postgresql/postgresql_13.4.bb) | 6 |
8 files changed, 57 insertions, 286 deletions
diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch index 0dc6ece6d..90b741949 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From b06a228a5fd1589fc9bed654b3288b321fc21aa1 Mon Sep 17 00:00:00 2001 | 1 | From 780fd27ea6f7f2c446c46a7a5e26d94106c67efd Mon Sep 17 00:00:00 2001 |
2 | From: "Richard W.M. Jones" <rjones@redhat.com> | 2 | From: "Richard W.M. Jones" <rjones@redhat.com> |
3 | Date: Sun, 20 Nov 2016 15:04:52 +0000 | 3 | Date: Sun, 20 Nov 2016 15:04:52 +0000 |
4 | Subject: [PATCH] Add support for RISC-V. | 4 | Subject: [PATCH] Add support for RISC-V. |
@@ -9,9 +9,11 @@ extending the existing aarch64 macro works. | |||
9 | src/include/storage/s_lock.h | 5 +++-- | 9 | src/include/storage/s_lock.h | 5 +++-- |
10 | 1 file changed, 3 insertions(+), 2 deletions(-) | 10 | 1 file changed, 3 insertions(+), 2 deletions(-) |
11 | 11 | ||
12 | diff --git a/src/include/storage/s_lock.h b/src/include/storage/s_lock.h | ||
13 | index dccbd29..ad60429 100644 | ||
12 | --- a/src/include/storage/s_lock.h | 14 | --- a/src/include/storage/s_lock.h |
13 | +++ b/src/include/storage/s_lock.h | 15 | +++ b/src/include/storage/s_lock.h |
14 | @@ -316,11 +316,12 @@ tas(volatile slock_t *lock) | 16 | @@ -317,11 +317,12 @@ tas(volatile slock_t *lock) |
15 | 17 | ||
16 | /* | 18 | /* |
17 | * On ARM and ARM64, we use __sync_lock_test_and_set(int *, int) if available. | 19 | * On ARM and ARM64, we use __sync_lock_test_and_set(int *, int) if available. |
@@ -25,7 +27,7 @@ extending the existing aarch64 macro works. | |||
25 | #ifdef HAVE_GCC__SYNC_INT32_TAS | 27 | #ifdef HAVE_GCC__SYNC_INT32_TAS |
26 | #define HAS_TEST_AND_SET | 28 | #define HAS_TEST_AND_SET |
27 | 29 | ||
28 | @@ -337,7 +338,7 @@ tas(volatile slock_t *lock) | 30 | @@ -338,7 +339,7 @@ tas(volatile slock_t *lock) |
29 | #define S_UNLOCK(lock) __sync_lock_release(lock) | 31 | #define S_UNLOCK(lock) __sync_lock_release(lock) |
30 | 32 | ||
31 | #endif /* HAVE_GCC__SYNC_INT32_TAS */ | 33 | #endif /* HAVE_GCC__SYNC_INT32_TAS */ |
@@ -33,4 +35,7 @@ extending the existing aarch64 macro works. | |||
33 | +#endif /* __arm__ || __arm || __aarch64__ || __aarch64 || __riscv */ | 35 | +#endif /* __arm__ || __arm || __aarch64__ || __aarch64 || __riscv */ |
34 | 36 | ||
35 | 37 | ||
36 | /* S/390 and S/390x Linux (32- and 64-bit zSeries) */ | 38 | /* |
39 | -- | ||
40 | 2.34.1 | ||
41 | |||
diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch b/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch index e9bc6240d..02f4c9e51 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 71fbee3888ee889a269eded5585ed7591bcbe9dd Mon Sep 17 00:00:00 2001 | 1 | From bbba8a5261a99e79c9cd4693ef56021014a9856b Mon Sep 17 00:00:00 2001 |
2 | From: Changqing Li <changqing.li@windriver.com> | 2 | From: Changqing Li <changqing.li@windriver.com> |
3 | Date: Mon, 28 Dec 2020 16:38:21 +0800 | 3 | Date: Mon, 28 Dec 2020 16:38:21 +0800 |
4 | Subject: [PATCH] Improve reproducibility, | 4 | Subject: [PATCH] Improve reproducibility, |
@@ -22,9 +22,11 @@ Signed-off-by: Changqing Li <changqing.li@windriver.com> | |||
22 | src/common/Makefile | 3 --- | 22 | src/common/Makefile | 3 --- |
23 | 1 file changed, 3 deletions(-) | 23 | 1 file changed, 3 deletions(-) |
24 | 24 | ||
25 | diff --git a/src/common/Makefile b/src/common/Makefile | ||
26 | index 880722f..7a9b9d4 100644 | ||
25 | --- a/src/common/Makefile | 27 | --- a/src/common/Makefile |
26 | +++ b/src/common/Makefile | 28 | +++ b/src/common/Makefile |
27 | @@ -31,9 +31,6 @@ include $(top_builddir)/src/Makefile.glo | 29 | @@ -31,9 +31,6 @@ include $(top_builddir)/src/Makefile.global |
28 | # don't include subdirectory-path-dependent -I and -L switches | 30 | # don't include subdirectory-path-dependent -I and -L switches |
29 | STD_CPPFLAGS := $(filter-out -I$(top_srcdir)/src/include -I$(top_builddir)/src/include,$(CPPFLAGS)) | 31 | STD_CPPFLAGS := $(filter-out -I$(top_srcdir)/src/include -I$(top_builddir)/src/include,$(CPPFLAGS)) |
30 | STD_LDFLAGS := $(filter-out -L$(top_builddir)/src/common -L$(top_builddir)/src/port,$(LDFLAGS)) | 32 | STD_LDFLAGS := $(filter-out -L$(top_builddir)/src/common -L$(top_builddir)/src/port,$(LDFLAGS)) |
@@ -34,3 +36,6 @@ Signed-off-by: Changqing Li <changqing.li@windriver.com> | |||
34 | override CPPFLAGS += -DVAL_CFLAGS_SL="\"$(CFLAGS_SL)\"" | 36 | override CPPFLAGS += -DVAL_CFLAGS_SL="\"$(CFLAGS_SL)\"" |
35 | override CPPFLAGS += -DVAL_LDFLAGS="\"$(STD_LDFLAGS)\"" | 37 | override CPPFLAGS += -DVAL_LDFLAGS="\"$(STD_LDFLAGS)\"" |
36 | override CPPFLAGS += -DVAL_LDFLAGS_EX="\"$(LDFLAGS_EX)\"" | 38 | override CPPFLAGS += -DVAL_LDFLAGS_EX="\"$(LDFLAGS_EX)\"" |
39 | -- | ||
40 | 2.34.1 | ||
41 | |||
diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-configure.in-bypass-autoconf-2.69-version-check.patch b/meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch index db9769f82..3d969cc7e 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0001-configure.in-bypass-autoconf-2.69-version-check.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch | |||
@@ -1,7 +1,7 @@ | |||
1 | From eba2c940afcd83521f591ccf6b49eca06908ea8e Mon Sep 17 00:00:00 2001 | 1 | From 053e8fc51bd9688100ce284a9c7afab88656386f Mon Sep 17 00:00:00 2001 |
2 | From: Yi Fan Yu <yifan.yu@windriver.com> | 2 | From: Yi Fan Yu <yifan.yu@windriver.com> |
3 | Date: Fri, 5 Feb 2021 17:15:42 -0500 | 3 | Date: Fri, 5 Feb 2021 17:15:42 -0500 |
4 | Subject: [PATCH] configure.in: bypass autoconf 2.69 version check | 4 | Subject: [PATCH] configure.ac: bypass autoconf 2.69 version check |
5 | 5 | ||
6 | for upgrade to autoconf 2.71 | 6 | for upgrade to autoconf 2.71 |
7 | 7 | ||
@@ -9,24 +9,24 @@ Upstream-Status: Inappropriate [disable feature] | |||
9 | 9 | ||
10 | Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com> | 10 | Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com> |
11 | --- | 11 | --- |
12 | configure.in | 4 ---- | 12 | configure.ac | 4 ---- |
13 | 1 file changed, 4 deletions(-) | 13 | 1 file changed, 4 deletions(-) |
14 | 14 | ||
15 | diff --git a/configure.in b/configure.in | 15 | diff --git a/configure.ac b/configure.ac |
16 | index fb14dcc..a2b4a4f 100644 | 16 | index 7170f26..daf85b9 100644 |
17 | --- a/configure.in | 17 | --- a/configure.ac |
18 | +++ b/configure.in | 18 | +++ b/configure.ac |
19 | @@ -19,10 +19,6 @@ m4_pattern_forbid(^PGAC_)dnl to catch undefined macros | 19 | @@ -19,10 +19,6 @@ m4_pattern_forbid(^PGAC_)dnl to catch undefined macros |
20 | 20 | ||
21 | AC_INIT([PostgreSQL], [13.4], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/]) | 21 | AC_INIT([PostgreSQL], [14.1], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/]) |
22 | 22 | ||
23 | -m4_if(m4_defn([m4_PACKAGE_VERSION]), [2.69], [], [m4_fatal([Autoconf version 2.69 is required. | 23 | -m4_if(m4_defn([m4_PACKAGE_VERSION]), [2.69], [], [m4_fatal([Autoconf version 2.69 is required. |
24 | -Untested combinations of 'autoconf' and PostgreSQL versions are not | 24 | -Untested combinations of 'autoconf' and PostgreSQL versions are not |
25 | -recommended. You can remove the check from 'configure.in' but it is then | 25 | -recommended. You can remove the check from 'configure.ac' but it is then |
26 | -your responsibility whether the result works or not.])]) | 26 | -your responsibility whether the result works or not.])]) |
27 | AC_COPYRIGHT([Copyright (c) 1996-2020, PostgreSQL Global Development Group]) | 27 | AC_COPYRIGHT([Copyright (c) 1996-2021, PostgreSQL Global Development Group]) |
28 | AC_CONFIG_SRCDIR([src/backend/access/common/heaptuple.c]) | 28 | AC_CONFIG_SRCDIR([src/backend/access/common/heaptuple.c]) |
29 | AC_CONFIG_AUX_DIR(config) | 29 | AC_CONFIG_AUX_DIR(config) |
30 | -- | 30 | -- |
31 | 2.17.1 | 31 | 2.34.1 |
32 | 32 | ||
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch deleted file mode 100644 index 58bf81062..000000000 --- a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch +++ /dev/null | |||
@@ -1,116 +0,0 @@ | |||
1 | From 24c2b9e42edb6d2f4ef2cead3b0aa1d6196adfce Mon Sep 17 00:00:00 2001 | ||
2 | From: Tom Lane <tgl@sss.pgh.pa.us> | ||
3 | Date: Mon, 8 Nov 2021 11:01:43 -0500 | ||
4 | Subject: [PATCH 2/2] Reject extraneous data after SSL or GSS encryption | ||
5 | handshake. | ||
6 | |||
7 | The server collects up to a bufferload of data whenever it reads data | ||
8 | from the client socket. When SSL or GSS encryption is requested | ||
9 | during startup, any additional data received with the initial | ||
10 | request message remained in the buffer, and would be treated as | ||
11 | already-decrypted data once the encryption handshake completed. | ||
12 | Thus, a man-in-the-middle with the ability to inject data into the | ||
13 | TCP connection could stuff some cleartext data into the start of | ||
14 | a supposedly encryption-protected database session. | ||
15 | |||
16 | This could be abused to send faked SQL commands to the server, | ||
17 | although that would only work if the server did not demand any | ||
18 | authentication data. (However, a server relying on SSL certificate | ||
19 | authentication might well not do so.) | ||
20 | |||
21 | To fix, throw a protocol-violation error if the internal buffer | ||
22 | is not empty after the encryption handshake. | ||
23 | |||
24 | Our thanks to Jacob Champion for reporting this problem. | ||
25 | |||
26 | Security: CVE-2021-23214 | ||
27 | |||
28 | Upstream-Status: Backport[https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951] | ||
29 | CVE: CVE-2021-23214 | ||
30 | |||
31 | Signed-off-by: Changqing Li <changqing.li@windriver.com> | ||
32 | |||
33 | --- | ||
34 | src/backend/libpq/pqcomm.c | 11 +++++++++++ | ||
35 | src/backend/postmaster/postmaster.c | 23 ++++++++++++++++++++++- | ||
36 | src/include/libpq/libpq.h | 1 + | ||
37 | 3 files changed, 34 insertions(+), 1 deletion(-) | ||
38 | |||
39 | diff --git a/src/backend/libpq/pqcomm.c b/src/backend/libpq/pqcomm.c | ||
40 | index ee2cd86..4dd1c02 100644 | ||
41 | --- a/src/backend/libpq/pqcomm.c | ||
42 | +++ b/src/backend/libpq/pqcomm.c | ||
43 | @@ -1183,6 +1183,17 @@ pq_getstring(StringInfo s) | ||
44 | } | ||
45 | } | ||
46 | |||
47 | +/* ------------------------------- | ||
48 | + * pq_buffer_has_data - is any buffered data available to read? | ||
49 | + * | ||
50 | + * This will *not* attempt to read more data. | ||
51 | + * -------------------------------- | ||
52 | + */ | ||
53 | +bool | ||
54 | +pq_buffer_has_data(void) | ||
55 | +{ | ||
56 | + return (PqRecvPointer < PqRecvLength); | ||
57 | +} | ||
58 | |||
59 | /* -------------------------------- | ||
60 | * pq_startmsgread - begin reading a message from the client. | ||
61 | diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c | ||
62 | index 5775fc0..1fcc3f8 100644 | ||
63 | --- a/src/backend/postmaster/postmaster.c | ||
64 | +++ b/src/backend/postmaster/postmaster.c | ||
65 | @@ -2049,6 +2049,17 @@ retry1: | ||
66 | return STATUS_ERROR; | ||
67 | #endif | ||
68 | |||
69 | + /* | ||
70 | + * At this point we should have no data already buffered. If we do, | ||
71 | + * it was received before we performed the SSL handshake, so it wasn't | ||
72 | + * encrypted and indeed may have been injected by a man-in-the-middle. | ||
73 | + * We report this case to the client. | ||
74 | + */ | ||
75 | + if (pq_buffer_has_data()) | ||
76 | + ereport(FATAL, | ||
77 | + (errcode(ERRCODE_PROTOCOL_VIOLATION), | ||
78 | + errmsg("received unencrypted data after SSL request"), | ||
79 | + errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack."))); | ||
80 | /* | ||
81 | * regular startup packet, cancel, etc packet should follow, but not | ||
82 | * another SSL negotiation request, and a GSS request should only | ||
83 | @@ -2080,7 +2091,17 @@ retry1: | ||
84 | if (GSSok == 'G' && secure_open_gssapi(port) == -1) | ||
85 | return STATUS_ERROR; | ||
86 | #endif | ||
87 | - | ||
88 | + /* | ||
89 | + * At this point we should have no data already buffered. If we do, | ||
90 | + * it was received before we performed the GSS handshake, so it wasn't | ||
91 | + * encrypted and indeed may have been injected by a man-in-the-middle. | ||
92 | + * We report this case to the client. | ||
93 | + */ | ||
94 | + if (pq_buffer_has_data()) | ||
95 | + ereport(FATAL, | ||
96 | + (errcode(ERRCODE_PROTOCOL_VIOLATION), | ||
97 | + errmsg("received unencrypted data after GSSAPI encryption request"), | ||
98 | + errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack."))); | ||
99 | /* | ||
100 | * regular startup packet, cancel, etc packet should follow, but not | ||
101 | * another GSS negotiation request, and an SSL request should only | ||
102 | diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h | ||
103 | index b115247..9969692 100644 | ||
104 | --- a/src/include/libpq/libpq.h | ||
105 | +++ b/src/include/libpq/libpq.h | ||
106 | @@ -73,6 +73,7 @@ extern int pq_getbyte(void); | ||
107 | extern int pq_peekbyte(void); | ||
108 | extern int pq_getbyte_if_available(unsigned char *c); | ||
109 | extern int pq_putbytes(const char *s, size_t len); | ||
110 | +extern bool pq_buffer_has_data(void); | ||
111 | |||
112 | /* | ||
113 | * prototypes for functions in be-secure.c | ||
114 | -- | ||
115 | 2.17.1 | ||
116 | |||
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23222.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23222.patch deleted file mode 100644 index 42b78539b..000000000 --- a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23222.patch +++ /dev/null | |||
@@ -1,131 +0,0 @@ | |||
1 | From 79125ead2a6a234086844bb42f06d49603fe6ca0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Tom Lane <tgl@sss.pgh.pa.us> | ||
3 | Date: Mon, 8 Nov 2021 11:14:56 -0500 | ||
4 | Subject: [PATCH 1/2] libpq: reject extraneous data after SSL or GSS encryption | ||
5 | handshake. | ||
6 | |||
7 | libpq collects up to a bufferload of data whenever it reads data from | ||
8 | the socket. When SSL or GSS encryption is requested during startup, | ||
9 | any additional data received with the server's yes-or-no reply | ||
10 | remained in the buffer, and would be treated as already-decrypted data | ||
11 | once the encryption handshake completed. Thus, a man-in-the-middle | ||
12 | with the ability to inject data into the TCP connection could stuff | ||
13 | some cleartext data into the start of a supposedly encryption-protected | ||
14 | database session. | ||
15 | |||
16 | This could probably be abused to inject faked responses to the | ||
17 | client's first few queries, although other details of libpq's behavior | ||
18 | make that harder than it sounds. A different line of attack is to | ||
19 | exfiltrate the client's password, or other sensitive data that might | ||
20 | be sent early in the session. That has been shown to be possible with | ||
21 | a server vulnerable to CVE-2021-23214. | ||
22 | |||
23 | To fix, throw a protocol-violation error if the internal buffer | ||
24 | is not empty after the encryption handshake. | ||
25 | |||
26 | Our thanks to Jacob Champion for reporting this problem. | ||
27 | |||
28 | Security: CVE-2021-23222 | ||
29 | |||
30 | Upstream-Status: Backport[https://github.com/postgres/postgres/commit/160c0258802d10b0600d7671b1bbea55d8e17d45] | ||
31 | CVE: CVE-2021-23222 | ||
32 | |||
33 | Signed-off-by: Changqing Li <changqing.li@windriver.com> | ||
34 | --- | ||
35 | doc/src/sgml/protocol.sgml | 28 ++++++++++++++++++++++++++++ | ||
36 | src/interfaces/libpq/fe-connect.c | 26 ++++++++++++++++++++++++++ | ||
37 | 2 files changed, 54 insertions(+) | ||
38 | |||
39 | diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml | ||
40 | index e26619e1b5..b692648fca 100644 | ||
41 | --- a/doc/src/sgml/protocol.sgml | ||
42 | +++ b/doc/src/sgml/protocol.sgml | ||
43 | @@ -1471,6 +1471,20 @@ SELCT 1/0;<!-- this typo is intentional --> | ||
44 | and proceed without requesting <acronym>SSL</acronym>. | ||
45 | </para> | ||
46 | |||
47 | + <para> | ||
48 | + When <acronym>SSL</acronym> encryption can be performed, the server | ||
49 | + is expected to send only the single <literal>S</literal> byte and then | ||
50 | + wait for the frontend to initiate an <acronym>SSL</acronym> handshake. | ||
51 | + If additional bytes are available to read at this point, it likely | ||
52 | + means that a man-in-the-middle is attempting to perform a | ||
53 | + buffer-stuffing attack | ||
54 | + (<ulink url="https://www.postgresql.org/support/security/CVE-2021-23222/">CVE-2021-23222</ulink>). | ||
55 | + Frontends should be coded either to read exactly one byte from the | ||
56 | + socket before turning the socket over to their SSL library, or to | ||
57 | + treat it as a protocol violation if they find they have read additional | ||
58 | + bytes. | ||
59 | + </para> | ||
60 | + | ||
61 | <para> | ||
62 | An initial SSLRequest can also be used in a connection that is being | ||
63 | opened to send a CancelRequest message. | ||
64 | @@ -1532,6 +1546,20 @@ SELCT 1/0;<!-- this typo is intentional --> | ||
65 | encryption. | ||
66 | </para> | ||
67 | |||
68 | + <para> | ||
69 | + When <acronym>GSSAPI</acronym> encryption can be performed, the server | ||
70 | + is expected to send only the single <literal>G</literal> byte and then | ||
71 | + wait for the frontend to initiate a <acronym>GSSAPI</acronym> handshake. | ||
72 | + If additional bytes are available to read at this point, it likely | ||
73 | + means that a man-in-the-middle is attempting to perform a | ||
74 | + buffer-stuffing attack | ||
75 | + (<ulink url="https://www.postgresql.org/support/security/CVE-2021-23222/">CVE-2021-23222</ulink>). | ||
76 | + Frontends should be coded either to read exactly one byte from the | ||
77 | + socket before turning the socket over to their GSSAPI library, or to | ||
78 | + treat it as a protocol violation if they find they have read additional | ||
79 | + bytes. | ||
80 | + </para> | ||
81 | + | ||
82 | <para> | ||
83 | An initial GSSENCRequest can also be used in a connection that is being | ||
84 | opened to send a CancelRequest message. | ||
85 | diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c | ||
86 | index f80f4e98d8..57aee95183 100644 | ||
87 | --- a/src/interfaces/libpq/fe-connect.c | ||
88 | +++ b/src/interfaces/libpq/fe-connect.c | ||
89 | @@ -3076,6 +3076,19 @@ keep_going: /* We will come back to here until there is | ||
90 | pollres = pqsecure_open_client(conn); | ||
91 | if (pollres == PGRES_POLLING_OK) | ||
92 | { | ||
93 | + /* | ||
94 | + * At this point we should have no data already buffered. | ||
95 | + * If we do, it was received before we performed the SSL | ||
96 | + * handshake, so it wasn't encrypted and indeed may have | ||
97 | + * been injected by a man-in-the-middle. | ||
98 | + */ | ||
99 | + if (conn->inCursor != conn->inEnd) | ||
100 | + { | ||
101 | + appendPQExpBufferStr(&conn->errorMessage, | ||
102 | + libpq_gettext("received unencrypted data after SSL response\n")); | ||
103 | + goto error_return; | ||
104 | + } | ||
105 | + | ||
106 | /* SSL handshake done, ready to send startup packet */ | ||
107 | conn->status = CONNECTION_MADE; | ||
108 | return PGRES_POLLING_WRITING; | ||
109 | @@ -3175,6 +3188,19 @@ keep_going: /* We will come back to here until there is | ||
110 | pollres = pqsecure_open_gss(conn); | ||
111 | if (pollres == PGRES_POLLING_OK) | ||
112 | { | ||
113 | + /* | ||
114 | + * At this point we should have no data already buffered. | ||
115 | + * If we do, it was received before we performed the GSS | ||
116 | + * handshake, so it wasn't encrypted and indeed may have | ||
117 | + * been injected by a man-in-the-middle. | ||
118 | + */ | ||
119 | + if (conn->inCursor != conn->inEnd) | ||
120 | + { | ||
121 | + appendPQExpBufferStr(&conn->errorMessage, | ||
122 | + libpq_gettext("received unencrypted data after GSSAPI encryption response\n")); | ||
123 | + goto error_return; | ||
124 | + } | ||
125 | + | ||
126 | /* All set for startup packet */ | ||
127 | conn->status = CONNECTION_MADE; | ||
128 | return PGRES_POLLING_WRITING; | ||
129 | -- | ||
130 | 2.17.1 | ||
131 | |||
diff --git a/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch b/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch index ba2ee29f0..fa46912ee 100644 --- a/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch +++ b/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch | |||
@@ -1,7 +1,7 @@ | |||
1 | From 7e2af4de19be58bc9d551c41ce2750396d357f34 Mon Sep 17 00:00:00 2001 | 1 | From 56b830edecff1cac5f8a8a956e7a7eeef2aa7c17 Mon Sep 17 00:00:00 2001 |
2 | From: Changqing Li <changqing.li@windriver.com> | 2 | From: Changqing Li <changqing.li@windriver.com> |
3 | Date: Tue, 27 Nov 2018 13:25:15 +0800 | 3 | Date: Tue, 27 Nov 2018 13:25:15 +0800 |
4 | Subject: [PATCH] PATCH] not check libperl under cross compiling | 4 | Subject: [PATCH] not check libperl under cross compiling |
5 | 5 | ||
6 | Upstream-Status: Inappropriate [configuration] | 6 | Upstream-Status: Inappropriate [configuration] |
7 | 7 | ||
@@ -16,12 +16,14 @@ Signed-off-by: Roy Li <rongqing.li@windriver.com> | |||
16 | update patch to version 11.1 | 16 | update patch to version 11.1 |
17 | Signed-off-by: Changqing Li <changqing.li@windriver.com> | 17 | Signed-off-by: Changqing Li <changqing.li@windriver.com> |
18 | --- | 18 | --- |
19 | configure.in | 2 +- | 19 | configure.ac | 2 +- |
20 | 1 file changed, 1 insertion(+), 1 deletion(-) | 20 | 1 file changed, 1 insertion(+), 1 deletion(-) |
21 | 21 | ||
22 | --- a/configure.in | 22 | diff --git a/configure.ac b/configure.ac |
23 | +++ b/configure.in | 23 | index fba79ee..7170f26 100644 |
24 | @@ -2206,7 +2206,7 @@ Use --without-tcl to disable building PL | 24 | --- a/configure.ac |
25 | +++ b/configure.ac | ||
26 | @@ -2261,7 +2261,7 @@ Use --without-tcl to disable building PL/Tcl.]) | ||
25 | fi | 27 | fi |
26 | 28 | ||
27 | # check for <perl.h> | 29 | # check for <perl.h> |
@@ -30,3 +32,6 @@ Signed-off-by: Changqing Li <changqing.li@windriver.com> | |||
30 | ac_save_CPPFLAGS=$CPPFLAGS | 32 | ac_save_CPPFLAGS=$CPPFLAGS |
31 | CPPFLAGS="$CPPFLAGS $perl_includespec" | 33 | CPPFLAGS="$CPPFLAGS $perl_includespec" |
32 | AC_CHECK_HEADER(perl.h, [], [AC_MSG_ERROR([header file <perl.h> is required for Perl])], | 34 | AC_CHECK_HEADER(perl.h, [], [AC_MSG_ERROR([header file <perl.h> is required for Perl])], |
35 | -- | ||
36 | 2.34.1 | ||
37 | |||
diff --git a/meta-oe/recipes-dbs/postgresql/postgresql.inc b/meta-oe/recipes-dbs/postgresql/postgresql.inc index e609ac33e..257d27b11 100644 --- a/meta-oe/recipes-dbs/postgresql/postgresql.inc +++ b/meta-oe/recipes-dbs/postgresql/postgresql.inc | |||
@@ -19,11 +19,11 @@ DESCRIPTION = "\ | |||
19 | " | 19 | " |
20 | HOMEPAGE = "http://www.postgresql.com" | 20 | HOMEPAGE = "http://www.postgresql.com" |
21 | LICENSE = "BSD-0-Clause" | 21 | LICENSE = "BSD-0-Clause" |
22 | DEPENDS = "libnsl2 zlib readline tzcode-native" | 22 | DEPENDS = "libnsl2 readline tzcode-native" |
23 | 23 | ||
24 | ARM_INSTRUCTION_SET = "arm" | 24 | ARM_INSTRUCTION_SET = "arm" |
25 | 25 | ||
26 | SRC_URI = "http://ftp.postgresql.org/pub/source/v${PV}/${BP}.tar.bz2 \ | 26 | SRC_URI = "https://ftp.postgresql.org/pub/source/v${PV}/${BP}.tar.bz2 \ |
27 | file://postgresql.init \ | 27 | file://postgresql.init \ |
28 | file://postgresql-profile \ | 28 | file://postgresql-profile \ |
29 | file://postgresql.pam \ | 29 | file://postgresql.pam \ |
@@ -43,7 +43,6 @@ CFLAGS += "-I${STAGING_INCDIR}/${PYTHON_DIR} -I${STAGING_INCDIR}/tcl8.6" | |||
43 | SYSTEMD_SERVICE:${PN} = "postgresql.service" | 43 | SYSTEMD_SERVICE:${PN} = "postgresql.service" |
44 | SYSTEMD_AUTO_ENABLE:${PN} = "disable" | 44 | SYSTEMD_AUTO_ENABLE:${PN} = "disable" |
45 | 45 | ||
46 | DEPENDS:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-systemctl-native', '', d)}" | ||
47 | pkg_postinst:${PN} () { | 46 | pkg_postinst:${PN} () { |
48 | if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd sysvinit', 'true', 'false', d)}; then | 47 | if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd sysvinit', 'true', 'false', d)}; then |
49 | if [ -n "$D" ]; then | 48 | if [ -n "$D" ]; then |
@@ -53,23 +52,29 @@ pkg_postinst:${PN} () { | |||
53 | fi | 52 | fi |
54 | } | 53 | } |
55 | 54 | ||
56 | enable_pam = "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" | 55 | PACKAGECONFIG ??= " \ |
57 | PACKAGECONFIG ??= "${enable_pam} openssl python uuid libxml tcl nls libxml perl" | 56 | ${@bb.utils.filter('DISTRO_FEATURES', 'pam systemd', d)} \ |
58 | PACKAGECONFIG[pam] = "--with-pam,--without-pam,libpam," | 57 | openssl python uuid libxml tcl perl zlib \ |
59 | PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl ac_cv_file__dev_urandom=yes,openssl," | 58 | " |
60 | PACKAGECONFIG[python] = "--with-python,--without-python,python3,python3" | ||
61 | PACKAGECONFIG[uuid] = "--with-uuid=e2fs,--without-uuid,util-linux," | ||
62 | PACKAGECONFIG[tcl] = "--with-tcl --with-tclconfig=${STAGING_BINDIR_CROSS},--without-tcl,tcl tcl-native," | 59 | PACKAGECONFIG[tcl] = "--with-tcl --with-tclconfig=${STAGING_BINDIR_CROSS},--without-tcl,tcl tcl-native," |
63 | PACKAGECONFIG[nls] = "--enable-nls,--disable-nls,," | ||
64 | PACKAGECONFIG[libxml] = "--with-libxml,--without-libxml,libxml2,libxml2" | ||
65 | PACKAGECONFIG[perl] = "--with-perl,--without-perl,perl,perl" | 60 | PACKAGECONFIG[perl] = "--with-perl,--without-perl,perl,perl" |
61 | PACKAGECONFIG[python] = "--with-python,--without-python,python3,python3" | ||
62 | PACKAGECONFIG[gssapi] = "--with-gssapi,--without-gssapi,krb5" | ||
63 | PACKAGECONFIG[pam] = "--with-pam,--without-pam,libpam" | ||
64 | PACKAGECONFIG[ldap] = "--with-ldap,--without-ldap,openldap" | ||
65 | PACKAGECONFIG[systemd] = "--with-systemd,--without-systemd,systemd systemd-systemctl-native" | ||
66 | PACKAGECONFIG[uuid] = "--with-uuid=e2fs,--without-uuid,util-linux" | ||
67 | PACKAGECONFIG[libxml] = "--with-libxml,--without-libxml,libxml2,libxml2" | ||
68 | PACKAGECONFIG[libxslt] = "--with-libxslt,--without-libxslt,libxslt" | ||
69 | PACKAGECONFIG[zlib] = "--with-zlib,--without-zlib,zlib" | ||
70 | PACKAGECONFIG[lz4] = "--with-lz4,--without-lz4,lz4" | ||
71 | PACKAGECONFIG[openssl] = "--with-ssl=openssl,ac_cv_file__dev_urandom=yes,openssl" | ||
66 | 72 | ||
67 | EXTRA_OECONF += "--enable-thread-safety --disable-rpath \ | 73 | EXTRA_OECONF += "--enable-thread-safety --disable-rpath \ |
68 | --datadir=${datadir}/${BPN} \ | 74 | --datadir=${datadir}/${BPN} \ |
69 | --sysconfdir=${sysconfdir}/${BPN} \ | 75 | --sysconfdir=${sysconfdir}/${BPN} \ |
70 | " | 76 | " |
71 | EXTRA_OECONF:sh4 += "--disable-spinlocks" | 77 | EXTRA_OECONF:sh4 += "--disable-spinlocks" |
72 | EXTRA_OECONF:aarch64 += "--disable-spinlocks" | ||
73 | 78 | ||
74 | DEBUG_OPTIMIZATION:remove:mips = " -Og" | 79 | DEBUG_OPTIMIZATION:remove:mips = " -Og" |
75 | DEBUG_OPTIMIZATION:append:mips = " -O" | 80 | DEBUG_OPTIMIZATION:append:mips = " -O" |
diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_13.4.bb b/meta-oe/recipes-dbs/postgresql/postgresql_14.1.bb index 2ed0fa49b..1112cc21d 100644 --- a/meta-oe/recipes-dbs/postgresql/postgresql_13.4.bb +++ b/meta-oe/recipes-dbs/postgresql/postgresql_14.1.bb | |||
@@ -6,9 +6,7 @@ SRC_URI += "\ | |||
6 | file://not-check-libperl.patch \ | 6 | file://not-check-libperl.patch \ |
7 | file://0001-Add-support-for-RISC-V.patch \ | 7 | file://0001-Add-support-for-RISC-V.patch \ |
8 | file://0001-Improve-reproducibility.patch \ | 8 | file://0001-Improve-reproducibility.patch \ |
9 | file://0001-configure.in-bypass-autoconf-2.69-version-check.patch \ | 9 | file://0001-configure.ac-bypass-autoconf-2.69-version-check.patch \ |
10 | file://CVE-2021-23214.patch \ | ||
11 | file://CVE-2021-23222.patch \ | ||
12 | " | 10 | " |
13 | 11 | ||
14 | SRC_URI[sha256sum] = "ea93e10390245f1ce461a54eb5f99a48d8cabd3a08ce4d652ec2169a357bc0cd" | 12 | SRC_URI[sha256sum] = "4d3c101ea7ae38982f06bdc73758b53727fb6402ecd9382006fa5ecc7c2ca41f" |