Fixes:
* CVE-2026-6472: PostgreSQL CREATE TYPE does not check multirange schema
  CREATE privilege
* CVE-2026-6473: PostgreSQL server undersizes allocations, via integer
  wraparound
* CVE-2026-6474: PostgreSQL timeofday() can disclose portions of server
  memory
* CVE-2026-6475: PostgreSQL pg_basebackup and pg_rewind can overwrite
  unrelated files of origin superuser choice
* CVE-2026-6476: PostgreSQL pg_createsubscriber allows SQL injection via
  subscription name
* CVE-2026-6477: PostgreSQL libpq lo_* functions let server superuser
  overwrite client stack
* CVE-2026-6478: PostgreSQL discloses MD5-hashed passwords via covert
  timing channel
* CVE-2026-6479: PostgreSQL SSL/GSS init causes denial of service, via
  uncontrolled recursion
* CVE-2026-6575: PostgreSQL pg_restore_attribute_stats accepts values
  that cause query planning to read past end of stats array
* CVE-2026-6637: PostgreSQL refint allows stack buffer overflow and SQL
  injection
* CVE-2026-6638: PostgreSQL REFRESH PUBLICATION allows SQL injection via
  table name
From Mark Patruck

PostgreSQL 17 defaulted to data checksums being off. PostgreSQL 18 defaults
to data checksums being on. Due to this, pg_upgrade doesn't work directly.
pg_checksums exists to add data checksums to an existing installation
without data checksums, so have the pkg README use that to update the
PostgreSQL 17 data before upgrading to PostgreSQL 18.
Issue discovered by and fix from florian@
OK florian@

This adds textproc/icu4c as a dependency, since PostgreSQL 16 requires
that by default. This allows additional collations to work.
Bulk testing by tb@
Input from tb@ and sthen@
OK tb@, sthen@

If we need to make an exception we can do it and properly document the
reason but by default we should just use the default login class.
rc.d uses daemon or the login class provided in login.conf.d so this has
no impact there.
discussed with sthen@, tb@ and robert@
praying that my grep/sed skills did not break anything and still
believing in portbump :-)

databases can take a long time to gracefully shut down
especially if you have a lot of cached data or you are
swapping and we do not want to kill these processes to
avoid potential data loss

- add hidden dep on libexecinfo, which i hadn't disabled as well as i had hoped
- add missing -D in initdb command line in pkg-readme for some use cases
- put back the @ask-update warning as people using some pgsql extensions can't
use pg_upgrade