<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-openembedded.git/meta-oe/recipes-support/postgresql, branch fido</title>
<subtitle>Mirror of git.openembedded.org/meta-openembedded</subtitle>
<id>https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=fido</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=fido'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/'/>
<updated>2014-11-07T14:05:45+00:00</updated>
<entry>
<title>postgresql: add fix for CVE-2014-0065 and CVE-2014-0066 Security Advisory</title>
<updated>2014-11-07T14:05:45+00:00</updated>
<author>
<name>Kang Kai</name>
<email>kai.kang@windriver.com</email>
</author>
<published>2014-10-29T00:30:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=ffb649d04322db8c3e218ee1a4499e202657375d'/>
<id>urn:sha1:ffb649d04322db8c3e218ee1a4499e202657375d</id>
<content type='text'>
Coverity identified a number of places in which it couldn't prove that a
string being copied into a fixed-size buffer would fit.  We believe that
most, perhaps all of these are in fact safe, or are copying data that is
coming from a trusted source so that any overrun is not really a
security issue.  Nonetheless it seems prudent to forestall any risk by
using strlcpy() and similar functions.

Fixes by Peter Eisentraut and Jozef Mlich based on Coverity reports.

In addition, fix a potential null-pointer-dereference crash in
contrib/chkpass.  The crypt(3) function is defined to return NULL on
failure, but chkpass.c didn't check for that before using the result.
The main practical case in which this could be an issue is if libc is
configured to refuse to execute unapproved hashing algorithms (e.g.,
"FIPS mode").  This ideally should've been a separate commit, but since
it touches code adjacent to one of the buffer overrun changes, I
included it in this commit to avoid last-minute merge issues.  This
issue was reported by Honza Horak.

Security: CVE-2014-0065 for buffer overruns, CVE-2014-0066 for crypt()

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0065
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0066

Signed-off-by: Yue Tao &lt;Yue.Tao@windriver.com&gt;
Signed-off-by: Kai Kang &lt;kai.kang@windriver.com&gt;
Signed-off-by: Martin Jansa &lt;Martin.Jansa@gmail.com&gt;
</content>
</entry>
<entry>
<title>postgresql: add fix for CVE-2014-0067 Security Advisory</title>
<updated>2014-11-07T14:05:45+00:00</updated>
<author>
<name>Kang Kai</name>
<email>kai.kang@windriver.com</email>
</author>
<published>2014-10-29T00:30:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=59e457955474385b3ca47488ca0028fc72869b7f'/>
<id>urn:sha1:59e457955474385b3ca47488ca0028fc72869b7f</id>
<content type='text'>
The make check command for the test suites in PostgreSQL 9.3.3 and
earlier does not properly invoke initdb to specify the authentication
requirements for a database cluster to be used for the tests, which
allows local users to gain privileges by leveraging access to this
cluster.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0067

Signed-off-by: Yue Tao &lt;Yue.Tao@windriver.com&gt;
Signed-off-by: Kai Kang &lt;kai.kang@windriver.com&gt;
Signed-off-by: Martin Jansa &lt;Martin.Jansa@gmail.com&gt;
</content>
</entry>
<entry>
<title>postgresql: add fix for CVE-2014-0063 Security Advisory</title>
<updated>2014-11-07T14:05:45+00:00</updated>
<author>
<name>Kang Kai</name>
<email>kai.kang@windriver.com</email>
</author>
<published>2014-10-29T00:30:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=f1978efac9fa2aec041e92b9d6f8f61bf48dace6'/>
<id>urn:sha1:f1978efac9fa2aec041e92b9d6f8f61bf48dace6</id>
<content type='text'>
Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x
before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before
9.3.3 allow remote authenticated users to cause a denial of service
(crash) or possibly execute arbitrary code via vectors related to an
incorrect MAXDATELEN constant and datetime values involving (1)
intervals, (2) timestamps, or (3) timezones, a different vulnerability
than CVE-2014-0065.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0063

Signed-off-by: Yue Tao &lt;Yue.Tao@windriver.com&gt;
Signed-off-by: Kai Kang &lt;kai.kang@windriver.com&gt;
Signed-off-by: Martin Jansa &lt;Martin.Jansa@gmail.com&gt;
</content>
</entry>
<entry>
<title>postgresql: add fix for CVE-2014-0062 Security Advisory</title>
<updated>2014-11-07T14:05:45+00:00</updated>
<author>
<name>Kang Kai</name>
<email>kai.kang@windriver.com</email>
</author>
<published>2014-10-29T00:30:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=bd9378688e32c96e26b65c3f74724c7c7d81aada'/>
<id>urn:sha1:bd9378688e32c96e26b65c3f74724c7c7d81aada</id>
<content type='text'>
Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE
commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before
9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allows remote
authenticated users to create an unauthorized index or read portions of
unauthorized tables by creating or deleting a table with the same name
during the timing window.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0062

Signed-off-by: Yue Tao &lt;Yue.Tao@windriver.com&gt;
Signed-off-by: Kai Kang &lt;kai.kang@windriver.com&gt;
Signed-off-by: Martin Jansa &lt;Martin.Jansa@gmail.com&gt;
</content>
</entry>
<entry>
<title>postgresql: add fix for CVE-2014-0061 Security Advisory</title>
<updated>2014-11-07T14:05:45+00:00</updated>
<author>
<name>Kang Kai</name>
<email>kai.kang@windriver.com</email>
</author>
<published>2014-10-29T00:30:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=30f8a0515a959ac4c45771b406fdcf01cc1aca1c'/>
<id>urn:sha1:30f8a0515a959ac4c45771b406fdcf01cc1aca1c</id>
<content type='text'>
The validator functions for the procedural languages (PLs) in PostgreSQL
before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before
9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain
privileges via a function that is (1) defined in another language or (2)
not allowed to be directly called by the user due to permissions.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0061

Signed-off-by: Yue Tao &lt;Yue.Tao@windriver.com&gt;
Signed-off-by: Kai Kang &lt;kai.kang@windriver.com&gt;
Signed-off-by: Martin Jansa &lt;Martin.Jansa@gmail.com&gt;
</content>
</entry>
<entry>
<title>postgresql: add fix for CVE-2014-0060 Security Advisory</title>
<updated>2014-11-07T14:05:45+00:00</updated>
<author>
<name>Kang Kai</name>
<email>kai.kang@windriver.com</email>
</author>
<published>2014-10-29T00:30:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=b89271147deaa0a409a5626d98681bb6f16528e2'/>
<id>urn:sha1:b89271147deaa0a409a5626d98681bb6f16528e2</id>
<content type='text'>
PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12,
9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the
ADMIN OPTION restriction, which allows remote authenticated members of a
role to add or remove arbitrary users to that role by calling the SET
ROLE command before the associated GRANT command.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0060

Signed-off-by: Yue Tao &lt;Yue.Tao@windriver.com&gt;
Signed-off-by: Kai Kang &lt;kai.kang@windriver.com&gt;
Signed-off-by: Martin Jansa &lt;Martin.Jansa@gmail.com&gt;
</content>
</entry>
<entry>
<title>postgresql: add fix for CVE-2014-0064 Security Advisory</title>
<updated>2014-11-07T14:05:45+00:00</updated>
<author>
<name>Kang Kai</name>
<email>kai.kang@windriver.com</email>
</author>
<published>2014-10-29T00:30:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=cd4cd791999f9684c1b9b50d4ce600d9e8dd423d'/>
<id>urn:sha1:cd4cd791999f9684c1b9b50d4ce600d9e8dd423d</id>
<content type='text'>
Multiple integer overflows in the path_in and other unspecified
functions in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before
9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote
authenticated users to have unspecified impact and attack vectors, which
trigger a buffer overflow. NOTE: this identifier has been SPLIT due to
different affected versions; use CVE-2014-2669 for the hstore vector.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0064

Signed-off-by: Yue Tao &lt;Yue.Tao@windriver.com&gt;
Signed-off-by: Kai Kang &lt;kai.kang@windriver.com&gt;
Signed-off-by: Martin Jansa &lt;Martin.Jansa@gmail.com&gt;
</content>
</entry>
<entry>
<title>postgresql: add systemd unit file</title>
<updated>2014-09-26T03:41:53+00:00</updated>
<author>
<name>Chong.Lu@windriver.com</name>
<email>Chong.Lu@windriver.com</email>
</author>
<published>2014-09-16T09:36:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=711f3b8da8547b510235bfddfc6d4880017b7a37'/>
<id>urn:sha1:711f3b8da8547b510235bfddfc6d4880017b7a37</id>
<content type='text'>
Add systemd unit file for postgresql.
When 'sysvinit' and 'systemd' are both in DISTRO_FEATURES, we need to prevent
the init script from running via systemd.

Signed-off-by: Chong Lu &lt;Chong.Lu@windriver.com&gt;
Signed-off-by: Martin Jansa &lt;Martin.Jansa@gmail.com&gt;
</content>
</entry>
<entry>
<title>postgresql: move initdb to postgresql-setup</title>
<updated>2014-09-26T03:41:53+00:00</updated>
<author>
<name>Chong.Lu@windriver.com</name>
<email>Chong.Lu@windriver.com</email>
</author>
<published>2014-09-16T09:36:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=dfa0b4c86d69c14a4fc8f3bda225526ead3bcd51'/>
<id>urn:sha1:dfa0b4c86d69c14a4fc8f3bda225526ead3bcd51</id>
<content type='text'>
We shouldn't use sysvinit init script to initialize database when use systemd
as the init manager, so split initdb function to postgresql-setup.
Before starting postgresql server, we can use "postgresql-setup initdb" to
initialize the database cluster.

Signed-off-by: Chong Lu &lt;Chong.Lu@windriver.com&gt;
Signed-off-by: Martin Jansa &lt;Martin.Jansa@gmail.com&gt;
</content>
</entry>
<entry>
<title>postgresql: Fix typo in PACKAGECONFIG[python] variable</title>
<updated>2014-08-21T19:35:06+00:00</updated>
<author>
<name>Bob Cochran</name>
<email>openembedded@mindchasers.com</email>
</author>
<published>2014-08-16T16:19:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=06ff090e19084c1637c3a1611bd96a48df3a9f1d'/>
<id>urn:sha1:06ff090e19084c1637c3a1611bd96a48df3a9f1d</id>
<content type='text'>
typo in extra argument to be added when feature is disabled

Signed-off-by: Bob Cochran &lt;openembedded@mindchasers.com&gt;
Signed-off-by: Martin Jansa &lt;Martin.Jansa@gmail.com&gt;
</content>
</entry>
</feed>
