
Contents of /head/databases/postgresql12-server/Makefile



Revision 544810 - (show annotations) (download)
Thu Aug 13 13:45:02 2020 UTC (3 years, 10 months ago) by girgen
File MIME type: text/plain
File size: 9014 byte(s)
The PostgreSQL Global Development Group has released an update to all
supported versions of our database system, including 12.4, 11.9, 10.14,
9.6.19, and 9.5.23.

This release closes two security vulnerabilities and fixes over 50 bugs
reported over the last three months.

Please plan to update at your earliest convenience.

Security Issues
---------------

* CVE-2020-14349: Uncontrolled search path element in logical replication.

Versions Affected: 10 - 12.

The PostgreSQL `search_path` setting determines schemas searched for
tables, functions, operators, etc. The CVE-2018-1058 fix caused most
PostgreSQL-provided client applications to sanitize `search_path`, but
logical replication continued to leave `search_path` unchanged. Users of
a replication publisher or subscriber database can create objects in the
`public` schema and harness them to execute arbitrary SQL functions
under the identity running replication, often a superuser. Installations
having adopted a documented secure schema usage pattern are not vulnerable.

The PostgreSQL project thanks Noah Misch for reporting this problem.

* CVE-2020-14350: Uncontrolled search path element in `CREATE EXTENSION`.

Versions Affected: 9.5 - 12. The security team typically does not test
unsupported versions, but this problem is quite old.

When a superuser runs certain `CREATE EXTENSION` statements, users may
be able to execute arbitrary SQL functions under the identity of that
superuser. The attacker must have permission to create objects in the
new extension's schema or a schema of a prerequisite extension.  Not all
extensions are vulnerable.

In addition to correcting the extensions provided with PostgreSQL, the
PostgreSQL Global Development Group is issuing guidance for third-party
extension authors to secure their own work.

The PostgreSQL project thanks Andres Freund for reporting this problem.

Security:	CVE-2020-14349, CVE-2020-14350

# Created by: Marc G. Fournier <scrappy@FreeBSD.org>
# $FreeBSD$

# Port identity. A ?= assignment only takes effect when nothing set the
# variable earlier, which is what lets a slave port supply its own value
# (see the PORTREVISION note below).
PORTNAME?=	postgresql
DISTVERSION?=	12.4
# PORTREVISION must be ?= otherwise, all slave ports get this PORTREVISION and
# not their own. Probably best to keep it at ?=0 when reset here too.
PORTREVISION?=	0
CATEGORIES?=	databases
MASTER_SITES=	PGSQL/source/v${DISTVERSION}
PKGNAMESUFFIX?=	${PORTVERSION:R}${COMPONENT}

MAINTAINER?=	pgsql@FreeBSD.org
COMMENT?=	PostgreSQL is the most advanced open-source database available anywhere

LICENSE=	PostgreSQL

# The :C/([0-9]*).*/\1/ modifier keeps only the leading digits of DISTVERSION,
# i.e. the major version. Each branch lists the other PostgreSQL package names
# this one conflicts with; the [^...] class is there to leave out its own series.
.if ${DISTVERSION:C/([0-9]*).*/\1/} >= 10
CONFLICTS+=	${PORTNAME}9* ${PORTNAME}1[^${PORTVERSION:R:C/.*([0-9]$)/\\1/}]*
.else
CONFLICTS+=	${PORTNAME}9[^${PORTVERSION:R:E}]* ${PORTNAME}1[0-9]*
.endif

WRKSRC=		${WRKDIR}/postgresql-${DISTVERSION}
DIST_SUBDIR=	postgresql

OPTIONS_SUB=	yes

PKGINSTALL?=	${PKGDIR}/pkg-install${COMPONENT}
# cpe: attach a CPE identifier to the package so installed versions can be
# matched against published vulnerability data.
USES+=		tar:bzip2 cpe
# GNU make and the configure script are only requested when something is built.
.if !defined(NO_BUILD)
USES+=		gmake
GNU_CONFIGURE=	yes
.endif

# Account, group and uid that this file hands to USERS/GROUPS, PLIST_SUB and
# SUB_LIST. All three can be overridden by the builder.
PG_USER?=	postgres
PG_GROUP?=	postgres
PG_UID?=	770

# Compile and link against headers and libraries under LOCALBASE / PREFIX.
LDFLAGS+=	-L${LOCALBASE}/lib
INCLUDES+=	-I${LOCALBASE}/include
CONFIGURE_ARGS+=--with-libraries=${PREFIX}/lib \
		--with-includes=${PREFIX}/include \
		--enable-thread-safety
CONFIGURE_ENV+=	INCLUDES="${INCLUDES}" \
		PTHREAD_LIBS="-lpthread" \
		LDFLAGS_SL="${LDFLAGS_SL}"
LDFLAGS+=	-lpthread
# Replaces (not appends to) MAKE_ENV; presumably so the PostgreSQL makefiles
# see themselves as a top-level make - TODO confirm.
MAKE_ENV=	MAKELEVEL=0

PLIST=		${PKGDIR}/pkg-plist${COMPONENT}

# Source subdirectories visited by do-install (and, through BUILD_DIRS, by
# do-build). ?= leaves room for a different list set before this point.
INSTALL_DIRS?=	src/common src/timezone src/backend \
		src/backend/utils/mb/conversion_procs \
		src/backend/snowball src/backend/replication/libpqwalreceiver \
		src/backend/replication/pgoutput \
		src/bin/initdb src/bin/pg_ctl \
		src/bin/pg_archivecleanup src/bin/pg_basebackup \
		src/bin/pg_checksums \
		src/bin/pg_controldata src/bin/pg_resetwal src/pl \
		src/bin/pg_rewind \
		src/bin/pg_test_fsync src/bin/pg_test_timing \
		src/bin/pg_waldump src/bin/pg_upgrade

# src/port is built but not installed.
BUILD_DIRS?=	src/port ${INSTALL_DIRS}
# Default install target; the DTRACE option later switches it to plain install.
INSTALL_TARGET?=install-strip

# Neither CLIENT_ONLY nor SLAVE_ONLY is set: this is the server package itself.
.if !defined(CLIENT_ONLY) && !defined(SLAVE_ONLY)
SERVER_ONLY=	yes
COMPONENT=	-server
USE_RC_SUBR=	postgresql
USES+=		pgsql:${DISTVERSION:C/([0-9]\.?[0-9]).*/\1/g}
# USERS/GROUPS ask the ports framework to provide this account and group.
USERS=		${PG_USER}
GROUPS=		${PG_GROUP}
SUB_FILES+=	502.pgsql
.endif

.if defined(CLIENT_ONLY)
OPTIONS_DEFINE+=LIBEDIT DOCS
LIBEDIT_DESC=	Use non-GPL libedit instead of readline
.else
# Every build except the client one runs configure and make with
# ${PREFIX}/bin ahead of the inherited PATH, so a program installed there is
# picked up before a same-named one later in PATH.
MAKE_ENV+=	PATH=${PREFIX}/bin:${PATH}
CONFIGURE_ENV+=	PATH=${PREFIX}/bin:${PATH}
.endif

# Options offered by the server package only.
.if defined(SERVER_ONLY)
# Plain = here: this resets OPTIONS_DEFINE rather than appending to it.
OPTIONS_DEFINE=	DTRACE LDAP INTDATE TZDATA XML DOCS
LDAP_DESC=	Build with LDAP authentication support
DTRACE_DESC=	Build with DTrace probes
TZDATA_DESC=	Use internal timezone database
XML_DESC=	Build with XML data type

# JIT through LLVM exists from major version 11 on and is enabled by default
# only when the chosen compiler type is clang.
.  if ${DISTVERSION:C/([0-9]*).*/\1/} >= 11
OPTIONS_DEFINE+=	LLVM
LLVM_DESC=		Build with support for JIT-compiling expressions
OPTIONS_DEFAULT+=	${OPTIONS_DEFAULT_${CHOSEN_COMPILER_TYPE}}
OPTIONS_DEFAULT_clang=	LLVM
.  endif

# Before major version 10 ICU is an option; from 10 on it is always built in.
.  if ${DISTVERSION:C/([0-9]*).*/\1/} < 10
# See http://people.freebsd.org/~girgen/postgresql-icu/README.html for more info
OPTIONS_DEFINE+=	ICU
ICU_DESC=		Use ICU for unicode collation
.  else
CONFIGURE_ARGS+=--with-icu
LIB_DEPENDS+=	libicudata.so:devel/icu
USES+=		pkgconfig
.  endif

# See http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/76999 for more info
# (requires dump/restore if modified.)
OPTIONS_DEFINE+=	INTDATE
INTDATE_DESC=		Builds with 64-bit date/time type
OPTIONS_DEFAULT+=	INTDATE
.endif

# Options shared by the server and client packages.
.if !defined(SLAVE_ONLY)
OPTIONS_DEFINE+=	NLS PAM GSSAPI OPTIMIZED_CFLAGS DEBUG DOCS
# The Kerberos provider choice is only offered for the 9.2 and 9.3 series.
.  if ${DISTVERSION:R} == 9.2 || ${DISTVERSION:R} == 9.3
OPTIONS_RADIO=		KRB5
OPTIONS_RADIO_KRB5=	MIT_KRB5 HEIMDAL_KRB5
.  endif

KRB5_DESC=		Build with kerberos provider support
NLS_DESC=		Use internationalized messages
PAM_DESC=		Build with PAM Support
MIT_KRB5_DESC=		Build with MIT kerberos support
HEIMDAL_KRB5_DESC=	Builds with Heimdal kerberos
GSSAPI_DESC=		Build with GSSAPI support
OPTIMIZED_CFLAGS_DESC=	Builds with compiler optimizations (-O3)

OPTIONS_DEFINE+=	SSL
SSL_DESC=		Build with OpenSSL support

# OpenSSL support is on unless the builder turns the option off.
OPTIONS_DEFAULT+=	SSL
.endif # !SLAVE_ONLY

# Per-option helpers. In the ports framework <OPT>_CONFIGURE_WITH=x yields
# --with-x or --without-x, <OPT>_CONFIGURE_ENABLE=x yields --enable-x or
# --disable-x, and <OPT>_CONFIGURE_ON / _OFF add their arguments only in that
# state of the option.
.if defined(CLIENT_ONLY)
LIBEDIT_CONFIGURE_ON+=--with-libedit-preferred
LIBEDIT_USES=		libedit
LIBEDIT_USES_OFF=	readline
.endif # CLIENT_ONLY

SSL_USES=		ssl
SSL_CONFIGURE_WITH=	openssl

PAM_CONFIGURE_WITH=	pam

XML_CONFIGURE_WITH=	libxml
XML_LIB_DEPENDS=	libxml2.so:textproc/libxml2

# With TZDATA off, the system zoneinfo directory is used instead.
TZDATA_CONFIGURE_OFF=	--with-system-tzdata=/usr/share/zoneinfo

INTDATE_CONFIGURE_OFF=	--disable-integer-datetimes

NLS_CONFIGURE_ENABLE=	nls
NLS_USES=		gettext

LDAP_CONFIGURE_WITH=	ldap
LDAP_USE=		OPENLDAP=yes

OPTIMIZED_CFLAGS_CFLAGS=-O3 -funroll-loops

DEBUG_CONFIGURE_ENABLE=	debug

# Account details substituted into the packing list and the SUB_FILES templates.
PLIST_SUB+=	PG_USER=${PG_USER} \
		PG_GROUP=${PG_GROUP}
SUB_LIST+=	PG_GROUP=${PG_GROUP} \
		PG_USER=${PG_USER} \
		PG_UID=${PG_UID}

# PORT_OPTIONS is tested from here on, so the options framework is read first.
.include <bsd.port.options.mk>

.if ${ARCH} == "i386"
USES+=		compiler:gcc-c++11-lib
.else
USES+=		compiler
.endif

# LLVM JIT: server package only, major version 11 and later. llvm-config is
# listed as a run-time dependency as well as a build-time one. The LLVM entry
# in PLIST_SUB either keeps the JIT lines of the packing list or turns them
# into comments.
.if ${DISTVERSION:C/([0-9]*).*/\1/} >= 11
.  if defined(SERVER_ONLY) && ${PORT_OPTIONS:MLLVM}
BUILD_DEPENDS+=	llvm${LLVM_DEFAULT}>0:devel/llvm${LLVM_DEFAULT}
BUILD_DEPENDS+=	llvm-config${LLVM_DEFAULT}:devel/llvm${LLVM_DEFAULT}
RUN_DEPENDS+=	llvm-config${LLVM_DEFAULT}:devel/llvm${LLVM_DEFAULT}
CONFIGURE_ENV+=	LLVM_CONFIG=${LOCALBASE}/bin/llvm-config${LLVM_DEFAULT}
CONFIGURE_ARGS+=	--with-llvm
PLIST_SUB+=	LLVM=""
INSTALL_DIRS+=	src/backend/jit/llvm
.  else
PLIST_SUB+=	LLVM="@comment "
CONFIGURE_ARGS+=	--without-llvm
.  endif
.endif

# ICU for major versions older than 10 comes from an external patch. The
# make(makesum) term pulls the patch in whenever checksums are regenerated,
# whatever the option state.
.if ${DISTVERSION:C/([0-9]*).*/\1/} < 10
.  if ( defined(SERVER_ONLY) && ${PORT_OPTIONS:MICU} ) || make(makesum)
USES+=		autoreconf
CONFIGURE_ARGS+=--with-icu
# NOTE(review): this patch site is plain http, so the transfer itself is not
# authenticated; the checksum recorded for the distfile is what vouches for
# the patch. Inspect the patch before regenerating checksums with makesum.
PATCH_SITES+=	http://people.freebsd.org/~girgen/postgresql-icu/:icu
# ICU_PATCHFILE is not set in the lines shown here.
PATCHFILES+=	${ICU_PATCHFILE}:icu
LIB_DEPENDS+=	libicudata.so:devel/icu
.  endif
.endif # server && version < 10

# Option handling that needs PORT_OPTIONS, for the server and client packages.
.if !defined(SLAVE_ONLY)

PATCH_DIST_STRIP=-p1

# DTrace builds replace the install-strip default with plain install, so the
# installed binaries are not stripped.
.  if ${PORT_OPTIONS:MDTRACE}
CONFIGURE_ARGS+=--enable-dtrace
LDFLAGS+=-lelf
INSTALL_TARGET=	install
.  endif

.  if ${PORT_OPTIONS:MGSSAPI}
CONFIGURE_ARGS+=--with-gssapi
.    if empty(PORT_OPTIONS:MMIT_KRB5) && empty(PORT_OPTIONS:MHEIMDAL_KRB5)
# Kerberos libraries will pull the proper GSSAPI library
# via linker dependencies, but otherwise we must specify
# it explicitly: ld --as-needed is used for compilation,
# so configure's -lgssapi_krb5 won't go.
LDFLAGS+=	-lgssapi
LDFLAGS_SL+=	-lgssapi
# NOTE(review): GSSAPI="" is only added when neither Kerberos option is
# selected - confirm the packing list does not need it in the other case.
PLIST_SUB+=	GSSAPI=""
.    endif
.  else
CONFIGURE_ARGS+=--without-gssapi
PLIST_SUB+=	GSSAPI="@comment "
.  endif

.  if ${PORT_OPTIONS:MMIT_KRB5}
# Refuse to build (IGNORE) when IGNORE_WITH_SRC_KRB5 is set and the base
# system's libkrb5.so or krb5-config is present.
.    if defined(IGNORE_WITH_SRC_KRB5) && (exists(/usr/lib/libkrb5.so) || exists(/usr/bin/krb5-config))
IGNORE=	requires that you remove heimdal\'s /usr/bin/krb5-config and /usr/lib/libkrb5.so*, and set NO_KERBEROS=true in /etc/src.conf to build successfully with MIT-KRB
.    else
CONFIGURE_ARGS+=--with-krb5
# Allow defining a home built MIT Kerberos by setting KRB5_HOME
.      if defined(KRB5_HOME) && exists(${KRB5_HOME}/lib/libgssapi_krb5.a) && exists(${KRB5_HOME}/bin/krb5-config)
LIB_DEPENDS+=	libkrb5.so.3:security/krb5
.      endif
.    endif
.  endif

.  if ${PORT_OPTIONS:MHEIMDAL_KRB5}
CONFIGURE_ARGS+=--with-krb5
.  endif

# Keep or comment out the SSL-specific lines of the packing list.
.  if ${PORT_OPTIONS:MSSL}
PLIST_SUB+=	SSL=""
.  else
PLIST_SUB+=	SSL="@comment "
.  endif

.endif # !SLAVE_ONLY

# For testing files in FILESDIR
.include <bsd.port.pre.mk>

# Server package only: run the package install script with the PRE-INSTALL
# argument before building. The script itself is not part of this file, so
# what it changes on the build host has to be read there.
.if defined(SERVER_ONLY)
pre-build:
	@${SH} ${PKGINSTALL} ${PORTNAME} PRE-INSTALL
.endif

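# Build and install rules, skipped for NO_BUILD ports and when a do-build
# target has already been defined.
.if !defined(NO_BUILD) && !target(do-build)

# Build the backend symlinks first, then every directory in BUILD_DIRS.
# A shell for-loop returns the status of its last iteration only, and a failed
# cd on the left of && is not fatal even under sh -e, so each iteration exits
# explicitly on failure instead of moving on to the next directory.
do-build:
	@ cd ${WRKSRC}/src/backend && ${SETENV} ${MAKE_ENV} ${MAKE_CMD} symlinks
	@ for dir in ${BUILD_DIRS}; do \
		cd ${WRKSRC}/$${dir} && ${SETENV} ${MAKE_ENV} ${MAKE_CMD} || exit 1; \
	done

# Generate pkg-message / pkg-install from their .in templates when present.
.  if exists(${FILESDIR}/pkg-message${COMPONENT}.in)
SUB_FILES+=	pkg-message${COMPONENT}
PKGMESSAGE=	${WRKSRC}/pkg-message${COMPONENT}
.  endif
.  if exists(${FILESDIR}/pkg-install${COMPONENT}.in)
SUB_FILES+=	pkg-install${COMPONENT}
PLIST_SUB+=	PG_USER=${PG_USER}
.  endif

# Only the server build with the ICU option edits configure.in.
post-patch:
.  if defined(SERVER_ONLY) && ${PORT_OPTIONS:MICU}
	@${REINPLACE_CMD} \
		-e '/m4_PACKAGE_VERSION/s/\[2\.6[0-9]\]/m4_defn([m4_PACKAGE_VERSION])/' \
		-e '/icu/s/_57//' \
		${WRKSRC}/configure.in
.  endif

# Install every directory in INSTALL_DIRS into the stage directory. As in
# do-build, a failing directory stops the loop rather than being skipped, so
# an incomplete stage directory is never packaged as if it were complete.
# The follow-up steps are chained with && for the same reason.
do-install:
	@for dir in ${INSTALL_DIRS}; do \
		cd ${WRKSRC}/$${dir} && \
		${SETENV} ${MAKE_ENV} ${MAKE_CMD} ${MAKE_ARGS} ${INSTALL_TARGET} || exit 1; \
	done
.  if defined(SERVER_ONLY)
	@ ${MKDIR} ${STAGEDIR}${PREFIX}/share/postgresql && \
	${MKDIR} ${STAGEDIR}${PREFIX}/etc/periodic/daily && \
	${INSTALL_SCRIPT} ${WRKDIR}/502.pgsql \
		${STAGEDIR}${PREFIX}/etc/periodic/daily
.  endif # SERVER_ONLY
.  if defined(CLIENT_ONLY)
	@ cd ${WRKSRC}/src && ${SETENV} ${MAKE_ENV} ${MAKE_CMD} ${MAKE_ARGS} install-local
.  endif
	@ if [ -r "${PKGMESSAGE}" ]; then \
		${MKDIR} ${STAGEDIR}${DOCSDIR} && \
		${INSTALL_DATA} "${PKGMESSAGE}" ${STAGEDIR}${DOCSDIR}/README${COMPONENT} ;\
	fi
.endif # !NO_BUILD
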
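.if defined(SERVER_ONLY)
# Run PostgreSQL's own "check" target from the work directory, but only for a
# non-root builder. cd and the test run are joined with && so that a missing
# work directory fails the target instead of running "check" somewhere else.
# As root the target only prints the two messages and still returns success:
# a zero exit status here does not by itself mean the tests ran.
check:
	@if [ "`id -u`" != 0 ] ; then \
		${ECHO} "Running postgresql regressions tests" ;\
		cd ${WRKSRC} && ${MAKE_CMD} check ;\
	else \
		${ECHO} "You cannot run regression tests when postgresql is built as user root." ; \
		${ECHO} "Clean and rebuild the port as a regular user to run the tests." ;\
	fi
.endif

.include <bsd.port.post.mk>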

Properties

Name Value
svn:eol-style native
svn:keywords FreeBSD=%H
svn:mime-type text/plain
