Update to latest versions of PostgreSQL

2018-02-08 Security Update Release
==================================

The PostgreSQL Global Development Group has released an update to all supported
versions of our database system, including 10.2, 9.6.7, 9.5.11, 9.4.16, 9.3.21.
This release fixes two security issues. This release also fixes issues with
VACUUM, GIN indexes, and hash indexes that could lead to data corruption, as
well as fixes for using parallel queries and logical replication.

All users using the affected versions of PostgreSQL should update as soon as
possible. Please see the notes on "Updating" below for any post-update steps
that may be required.

Please note that PostgreSQL changed its versioning scheme with the release of
version 10.0, so updating to version 10.2 from 10.0 or 10.1 is considered a
minor update.

Security Issues
---------------

Two security vulnerabilities have been fixed by this release:

* CVE-2018-1052: Fix the processing of partition keys containing multiple
expressions
* CVE-2018-1053: Ensure that all temporary files made with "pg_upgrade" are
non-world-readable

Local fixes to the FreeBSD ports
--------------------------------

Inform users about data checksums [1].
Make sure /usr/bin/su is used regardless of PATH settings [2].
Enable DTRACE by default [3].

PR:		214671 [1], 223157 [2], 215028 [3]
Security:	c602c791-0cf4-11e8-a2ec-6cc21735f730

databases/postgresql10-server/Makefile

@@ -1,11 +1,52 @@
 # Created by: Marc G. Fournier <scrappy@FreeBSD.org>
 # $FreeBSD$
 
-DISTVERSION?=	10.1
+PORTNAME?=	postgresql
+DISTVERSION?=	10.2
+PORTREVISION?=	0
+CATEGORIES?=	databases
+MASTER_SITES=	PGSQL/source/v${DISTVERSION}
 PKGNAMESUFFIX?= ${PORTVERSION:R}${COMPONENT}
-PORTREVISION?=	1
 
 MAINTAINER?=	pgsql@FreeBSD.org
+COMMENT?=	PostgreSQL is the most advanced open-source database available anywhere
+
+LICENSE=	PostgreSQL
+
+.if ${DISTVERSION:C/([0-9]*).*/\1/} == 10
+CONFLICTS+=	${PORTNAME}*-9.*
+.else
+CONFLICTS+=	${PORTNAME}*-9.[^${PORTVERSION:R:E}].* ${PORTNAME}10*
+.endif
+
+WRKSRC=		${WRKDIR}/postgresql-${DISTVERSION}
+DIST_SUBDIR=	postgresql
+
+OPTIONS_SUB=	yes
+
+PKGINSTALL?=	${PKGDIR}/pkg-install${COMPONENT}
+USES+=		tar:bzip2 cpe
+.if !defined(NO_BUILD)
+USES+=	gmake
+GNU_CONFIGURE=	yes
+LLD_UNSAFE=	yes
+.endif
+
+PG_USER?=	postgres
+PG_GROUP?=	postgres
+PG_UID?=	770
+
+LDFLAGS+=	-L${LOCALBASE}/lib
+INCLUDES+=	-I${LOCALBASE}/include
+CONFIGURE_ARGS+=--with-libraries=${PREFIX}/lib \
+		--with-includes=${PREFIX}/include \
+		--enable-thread-safety
+CONFIGURE_ENV+=	INCLUDES="${INCLUDES}" \
+		PTHREAD_LIBS="-lpthread" \
+		LDFLAGS_SL="${LDFLAGS_SL}"
+LDFLAGS+=	-lpthread
+
+PLIST=		${PKGDIR}/pkg-plist${COMPONENT}
 
 INSTALL_DIRS?=	src/common src/timezone src/backend \
 		src/backend/utils/mb/conversion_procs \
@@ -18,8 +59,229 @@ INSTALL_DIRS?=	src/common src/timezone src/backend \
 		src/bin/pg_test_fsync src/bin/pg_test_timing \
 		src/bin/pg_waldump src/bin/pg_upgrade
 
-PG_USER?=	postgres
-PG_GROUP?=	postgres
-PG_UID?=	770
+BUILD_DIRS?=	src/port ${INSTALL_DIRS}
+INSTALL_TARGET?=install-strip
 
-.include "${.CURDIR}/../postgresql92-server/Makefile"
+.if !defined(CLIENT_ONLY) && !defined(SLAVE_ONLY)
+SERVER_ONLY=	yes
+COMPONENT=	-server
+USE_RC_SUBR=	postgresql
+USES+=		pgsql:${DISTVERSION:C/([0-9]\.?[0-9]).*/\1/g}
+USERS=		${PG_USER}
+GROUPS=	${PG_GROUP}
+SUB_FILES+=	502.pgsql
+.endif
+
+.if defined(CLIENT_ONLY)
+OPTIONS_DEFINE+=LIBEDIT
+LIBEDIT_DESC=	Use non-GPL libedit instead of readline
+USES+=		perl5
+.else
+MAKE_ENV=	PATH=${PREFIX}/bin:${PATH}
+CONFIGURE_ENV+=	PATH=${PREFIX}/bin:${PATH}
+.endif
+
+.if defined(SERVER_ONLY)
+OPTIONS_DEFINE=	DTRACE LDAP INTDATE TZDATA XML
+LDAP_DESC=	Build with LDAP authentication support
+DTRACE_DESC=	Build with DTrace probes
+TZDATA_DESC=	Use internal timezone database
+XML_DESC=	Build with XML data type
+
+.if ${DISTVERSION:C/([0-9]*).*/\1/} != 10
+# See http://people.freebsd.org/~girgen/postgresql-icu/README.html for more info
+OPTIONS_DEFINE+=	ICU
+ICU_DESC=	Use ICU for unicode collation
+.else
+CONFIGURE_ARGS+=--with-icu
+LIB_DEPENDS+=	libicudata.so:devel/icu
+USES+=		pkgconfig
+.endif
+
+# See http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/76999 for more info
+# (requires dump/restore if modified.)
+OPTIONS_DEFINE+=	INTDATE
+INTDATE_DESC=	Builds with 64-bit date/time type
+OPTIONS_DEFAULT+=	XML TZDATA INTDATE DTRACE
+.endif
+
+.if !defined(SLAVE_ONLY)
+OPTIONS_DEFINE+=	NLS PAM GSSAPI OPTIMIZED_CFLAGS DEBUG
+. if ${DISTVERSION:R} == 9.2 || ${DISTVERSION:R} == 9.3
+  OPTIONS_RADIO= KRB5
+  OPTIONS_RADIO_KRB5= MIT_KRB5 HEIMDAL_KRB5
+. endif
+
+KRB5_DESC=	Build with kerberos provider support
+NLS_DESC=	Use internationalized messages
+PAM_DESC=	Build with PAM Support
+MIT_KRB5_DESC=	Build with MIT kerberos support
+HEIMDAL_KRB5_DESC=	Builds with Heimdal kerberos
+GSSAPI_DESC=	Build with GSSAPI support
+OPTIMIZED_CFLAGS_DESC=	Builds with compiler optimizations (-O3)
+
+OPTIONS_DEFINE+=	SSL
+SSL_DESC=	Build with OpenSSL support
+
+OPTIONS_DEFAULT+=	SSL
+.endif # !SLAVE_ONLY
+
+.if defined(CLIENT_ONLY)
+LIBEDIT_CONFIGURE_ON+=--with-libedit-preferred
+LIBEDIT_USES=		libedit
+LIBEDIT_USES_OFF=		readline
+.endif # CLIENT_ONLY
+
+SSL_USES=	ssl
+SSL_CONFIGURE_WITH=openssl
+
+PAM_CONFIGURE_WITH=	pam
+
+XML_CONFIGURE_WITH=	libxml
+XML_LIB_DEPENDS=	libxml2.so:textproc/libxml2
+
+TZDATA_CONFIGURE_OFF=--with-system-tzdata=/usr/share/zoneinfo
+
+INTDATE_CONFIGURE_OFF=--disable-integer-datetimes
+
+NLS_CONFIGURE_ENABLE=	nls
+NLS_USES=	gettext
+
+LDAP_CONFIGURE_WITH=	ldap
+LDAP_USE=		OPENLDAP=yes
+
+OPTIMIZED_CFLAGS_CFLAGS=	-O3 -funroll-loops
+
+DEBUG_CONFIGURE_ENABLE=	debug
+
+PLIST_SUB+=	PG_USER=${PG_USER} \
+		PG_GROUP=${PG_GROUP}
+SUB_LIST+=	PG_GROUP=${PG_GROUP} \
+		PG_USER=${PG_USER} \
+		PG_UID=${PG_UID}
+
+.include <bsd.port.options.mk>
+
+.if !defined(SLAVE_ONLY)
+.if ${DISTVERSION:C/([0-9]*).*/\1/} != 10
+.  if ( defined(SERVER_ONLY) && ${PORT_OPTIONS:MICU} ) || make(makesum)
+USES+=		autoreconf
+CONFIGURE_ARGS+=--with-icu
+PATCH_SITES+=	http://people.freebsd.org/~girgen/postgresql-icu/:icu
+PATCHFILES+=	${ICU_PATCHFILE}:icu
+LIB_DEPENDS+=	libicudata.so:devel/icu
+.  endif
+.endif # not version 10
+.endif # !SLAVE_ONLY
+
+.if !defined(SLAVE_ONLY)
+
+PATCH_DIST_STRIP=-p1
+
+.  if ${PORT_OPTIONS:MDTRACE}
+CONFIGURE_ARGS+=--enable-dtrace
+LDFLAGS+=-lelf
+INSTALL_TARGET=install
+.  endif
+
+.if ${PORT_OPTIONS:MGSSAPI}
+CONFIGURE_ARGS+=--with-gssapi
+.if empty(PORT_OPTIONS:MMIT_KRB5) && empty(PORT_OPTIONS:MHEIMDAL_KRB5)
+# Kerberos libraries will pull the proper GSSAPI library
+# via linker dependencies, but otherwise we must specify
+# it explicitely: ld --as-needed is used for compilation,
+# so configure's -lgssapi_krb5 won't go.
+LDFLAGS+=	-lgssapi
+LDFLAGS_SL+=	-lgssapi
+.endif
+.else
+CONFIGURE_ARGS+=--without-gssapi
+.endif
+
+.  if ${PORT_OPTIONS:MMIT_KRB5}
+.   if defined(IGNORE_WITH_SRC_KRB5) && (exists(/usr/lib/libkrb5.so) || exists(/usr/bin/krb5-config))
+IGNORE=	requires that you remove heimdal\'s /usr/bin/krb5-config and /usr/lib/libkrb5.so*, and set NO_KERBEROS=true in /etc/src.conf to build successfully with MIT-KRB
+.   else
+CONFIGURE_ARGS+=--with-krb5
+# Allow defining a home built MIT Kerberos by setting KRB5_HOME
+.    if defined(KRB5_HOME) && exists(${KRB5_HOME}/lib/libgssapi_krb5.a) && exists(${KRB5_HOME}/bin/krb5-config)
+LIB_DEPENDS+=	libkrb5.so.3:security/krb5
+.    endif
+.   endif
+.  endif
+
+.  if ${PORT_OPTIONS:MHEIMDAL_KRB5}
+CONFIGURE_ARGS+=--with-krb5
+.  endif
+
+.endif # !SLAVE_ONLY
+
+# For testing files in FILESDIR
+.include <bsd.port.pre.mk>
+
+.if ${PORT_OPTIONS:MSSL} && ${SSL_DEFAULT:Mopenssl-devel}
+BROKEN=		Does not build with openssl-devel
+.endif
+
+.if defined(SERVER_ONLY)
+pre-build:
+	@${SH} ${PKGINSTALL} ${PORTNAME} PRE-INSTALL
+.endif
+
+.if !defined(NO_BUILD) && !target(do-build)
+
+do-build:
+	@ cd ${WRKSRC}/src/backend && ${SETENV} ${MAKE_ENV} ${MAKE_CMD} symlinks
+	@ for dir in ${BUILD_DIRS}; do \
+		cd ${WRKSRC}/$${dir} && ${SETENV} ${MAKE_ENV} ${MAKE_CMD}; \
+	done
+
+.  if exists(${FILESDIR}/pkg-message${COMPONENT}.in)
+SUB_FILES+=	pkg-message${COMPONENT}
+PKGMESSAGE=	${WRKSRC}/pkg-message${COMPONENT}
+.  endif
+.  if exists(${FILESDIR}/pkg-install${COMPONENT}.in)
+SUB_FILES+=	pkg-install${COMPONENT}
+PLIST_SUB+=	PG_USER=${PG_USER}
+.  endif
+
+post-patch:
+.  if defined(SERVER_ONLY) && ${PORT_OPTIONS:MICU}
+	@${REINPLACE_CMD} \
+		-e '/m4_PACKAGE_VERSION/s/\[2\.6[0-9]\]/m4_defn([m4_PACKAGE_VERSION])/' \
+		-e '/icu/s/_57//' \
+		${WRKSRC}/configure.in
+.  endif
+
+do-install:
+	@for dir in ${INSTALL_DIRS}; do \
+	    cd ${WRKSRC}/$${dir} && \
+		${SETENV} ${MAKE_ENV} ${MAKE_CMD} ${MAKE_ARGS} ${INSTALL_TARGET}; \
+	done
+.  if defined(SERVER_ONLY)
+	@ ${MKDIR} ${STAGEDIR}${PREFIX}/share/postgresql ;\
+	${MKDIR} ${STAGEDIR}${PREFIX}/etc/periodic/daily ;\
+	${INSTALL_SCRIPT} ${WRKDIR}/502.pgsql \
+			${STAGEDIR}${PREFIX}/etc/periodic/daily
+.  endif # SERVER_ONLY
+.  if defined(CLIENT_ONLY)
+	@ cd ${WRKSRC}/src && ${SETENV} ${MAKE_ENV} ${MAKE_CMD} ${MAKE_ARGS} install-local
+.  endif
+	@ if [ -r ${PKGMESSAGE} ]; then \
+		${MKDIR} ${STAGEDIR}${DOCSDIR} ;\
+		${INSTALL_DATA} ${PKGMESSAGE} ${STAGEDIR}${DOCSDIR}/README${COMPONENT} ;\
+	fi
+.endif # !NO_BUILD
+
+.if defined(SERVER_ONLY)
+check:
+	@if [ `id -u` != 0 ] ; then \
+	  ${ECHO} "Running postgresql regressions tests" ;\
+	  cd ${WRKSRC}; ${MAKE_CMD} check ;\
+	 else \
+	  ${ECHO} "You cannot run regression tests when postgresql is built as user root." ; \
+	  ${ECHO} "Clean and rebuild the port as a regular user to run the tests." ;\
+	 fi
+.endif
+
+.include <bsd.port.post.mk>

databases/postgresql10-server/distinfo

@@ -1,3 +1,3 @@
-TIMESTAMP = 1510172180
-SHA256 (postgresql/postgresql-10.1.tar.bz2) = 3ccb4e25fe7a7ea6308dea103cac202963e6b746697366d72ec2900449a5e713
-SIZE (postgresql/postgresql-10.1.tar.bz2) = 19669989
+TIMESTAMP = 1518110073
+SHA256 (postgresql/postgresql-10.2.tar.bz2) = fe32009b62ddb97f7f014307ce9d0edb6972f5a698e63cb531088e147d145bad
+SIZE (postgresql/postgresql-10.2.tar.bz2) = 19901836

databases/postgresql10-server/files/pkg-message-server.in

@@ -50,6 +50,13 @@ For postmaster settings, see ~pgsql/data/postgresql.conf
 NB. FreeBSD's PostgreSQL port logs to syslog by default
     See ~pgsql/data/postgresql.conf for more info
 
+NB. If you're not using a checksumming filesystem like ZFS, you might
+    wish to enable data checksumming. It can only be enabled during
+    the initdb phase, by adding the "--data-checksums" flag to
+    the postgres_initdb_flags rcvar.  Check the initdb(1) manpage
+    for more info and make sure you understand the performance
+    implications.
+
 ======================================================================
 
 To run PostgreSQL at startup, add

databases/postgresql10-server/files/postgresql.in

@@ -50,6 +50,8 @@ status_cmd="postgresql_command status"
 
 initdb_cmd="postgresql_initdb"
 
+su_cmd="/usr/bin/su"
+
 if [ -n "$2" ]; then
 	profile="$2"
 	if [ "x${postgresql_profiles}" != "x" ]; then
@@ -103,12 +105,12 @@ command_args="-D ${postgresql_data} ${postgresql_flags}"
 
 postgresql_command()
 {
-    su -l ${postgresql_user} -c "exec ${command} ${command_args} ${rc_arg}"
+    ${su_cmd} -l ${postgresql_user} -c "exec ${command} ${command_args} ${rc_arg}"
 }
 
 postgresql_initdb()
 {
-    su -l -c ${postgresql_class} ${postgresql_user} -c "exec %%PREFIX%%/bin/initdb ${postgresql_initdb_flags} -D ${postgresql_data} -U ${postgresql_user}"
+    ${su_cmd} -l -c ${postgresql_class} ${postgresql_user} -c "exec %%PREFIX%%/bin/initdb ${postgresql_initdb_flags} -D ${postgresql_data} -U ${postgresql_user}"
 }
 
 run_rc_command "$1"

databases/postgresql10-server/pkg-plist-client

@@ -639,6 +639,7 @@ include/postgresql/server/utils/freepage.h
 include/postgresql/server/utils/geo_decls.h
 include/postgresql/server/utils/guc.h
 include/postgresql/server/utils/guc_tables.h
+include/postgresql/server/utils/hashutils.h
 include/postgresql/server/utils/help_config.h
 include/postgresql/server/utils/hsearch.h
 include/postgresql/server/utils/index_selfuncs.h
@@ -1087,7 +1088,9 @@ man/man7/WITH.7.gz
 %%NLS%%share/locale/ta/LC_MESSAGES/pg_config-10.mo
 %%NLS%%share/locale/tr/LC_MESSAGES/ecpg-10.mo
 %%NLS%%share/locale/tr/LC_MESSAGES/ecpglib6-10.mo
+%%NLS%%share/locale/tr/LC_MESSAGES/libpq5-10.mo
 %%NLS%%share/locale/tr/LC_MESSAGES/pg_config-10.mo
+%%NLS%%share/locale/tr/LC_MESSAGES/pg_dump-10.mo
 %%NLS%%share/locale/zh_CN/LC_MESSAGES/ecpg-10.mo
 %%NLS%%share/locale/zh_CN/LC_MESSAGES/ecpglib6-10.mo
 %%NLS%%share/locale/zh_CN/LC_MESSAGES/libpq5-10.mo

databases/postgresql10-server/pkg-plist-server

@@ -174,6 +174,13 @@ lib/libpgcommon.a
 %%NLS%%share/locale/sv/LC_MESSAGES/pg_upgrade-10.mo
 %%NLS%%share/locale/sv/LC_MESSAGES/pg_waldump-10.mo
 %%NLS%%share/locale/sv/LC_MESSAGES/plpgsql-10.mo
+%%NLS%%share/locale/sv/LC_MESSAGES/postgres-10.mo
+%%NLS%%share/locale/tr/LC_MESSAGES/pg_archivecleanup-10.mo
+%%NLS%%share/locale/tr/LC_MESSAGES/pg_basebackup-10.mo
+%%NLS%%share/locale/tr/LC_MESSAGES/pg_test_fsync-10.mo
+%%NLS%%share/locale/tr/LC_MESSAGES/pg_upgrade-10.mo
+%%NLS%%share/locale/tr/LC_MESSAGES/pg_waldump-10.mo
+%%NLS%%share/locale/tr/LC_MESSAGES/postgres-10.mo
 %%NLS%%share/locale/zh_CN/LC_MESSAGES/initdb-10.mo
 %%NLS%%share/locale/zh_CN/LC_MESSAGES/pg_controldata-10.mo
 %%NLS%%share/locale/zh_CN/LC_MESSAGES/pg_ctl-10.mo
@@ -769,7 +776,6 @@ lib/libpgcommon.a
 %%TZDATA%%%%DATADIR%%/timezone/US/Michigan
 %%TZDATA%%%%DATADIR%%/timezone/US/Mountain
 %%TZDATA%%%%DATADIR%%/timezone/US/Pacific
-%%TZDATA%%%%DATADIR%%/timezone/US/Pacific-New
 %%TZDATA%%%%DATADIR%%/timezone/US/Samoa
 %%TZDATA%%%%DATADIR%%/timezone/UTC
 %%TZDATA%%%%DATADIR%%/timezone/Universal