From a92c0591c8a2fe8cee248bd1ea23ffde21638d7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominik=20Reh=C3=A1k?= Date: Tue, 18 Jul 2023 20:09:32 +0100 Subject: [PATCH] Backport fixes for CVE-2023-2454 and CVE-2023-2455 Also updates postgresql-setup to 8.7, which fixes a problem during modular builds where modules dependent on this package fail to build due to a no longer valid rpm statement. See: https://github.com/devexp-db/postgresql-setup/pull/35. Resolves: #2207931 --- .gitignore | 21 +- postgresql-10.23-CVE-2023-2454.patch | 338 +++++++++++++++++++++++++++ postgresql-10.23-CVE-2023-2455.patch | 114 +++++++++ postgresql.spec | 13 +- sources | 2 +- 5 files changed, 467 insertions(+), 21 deletions(-) mode change 100755 => 100644 .gitignore create mode 100644 postgresql-10.23-CVE-2023-2454.patch create mode 100644 postgresql-10.23-CVE-2023-2455.patch mode change 100755 => 100644 sources diff --git a/.gitignore b/.gitignore old mode 100755 new mode 100644 index 2e18522..ee6d028 --- a/.gitignore +++ b/.gitignore @@ -1,21 +1,6 @@ -/postgresql-10.14.tar.bz2 -/postgresql-10.14.tar.bz2.sha256 -/postgresql-9.2.24.tar.bz2 -/postgresql-9.2.24.tar.bz2.sha256 -/postgresql-setup-8.2.tar.gz -/postgresql-10.14-US.pdf -/postgresql-10.15.tar.bz2 -/postgresql-10.15.tar.bz2.sha256 -/postgresql-10.15-US.pdf -/postgresql-10.17.tar.bz2 -/postgresql-10.17.tar.bz2.sha256 -/postgresql-10.17-US.pdf -/postgresql-10.19.tar.bz2 -/postgresql-10.19.tar.bz2.sha256 -/postgresql-10.19-US.pdf -/postgresql-10.21.tar.bz2 -/postgresql-10.21.tar.bz2.sha256 -/postgresql-10.21-US.pdf /postgresql-10.23.tar.bz2 /postgresql-10.23.tar.bz2.sha256 +/postgresql-9.2.24.tar.bz2 +/postgresql-9.2.24.tar.bz2.sha256 +/postgresql-setup-8.7.tar.gz /postgresql-10.23-US.pdf diff --git a/postgresql-10.23-CVE-2023-2454.patch b/postgresql-10.23-CVE-2023-2454.patch new file mode 100644 index 0000000..cdc46b4 --- /dev/null +++ b/postgresql-10.23-CVE-2023-2454.patch @@ -0,0 +1,338 @@ +From 681d9e4621aac0a9c71364b6f54f00f6d8c4337f Mon Sep 17 00:00:00 2001 +From 8d525d7b9545884a3e0d79adcd61543f9ae2ae28 Mon Sep 17 00:00:00 2001 +From: Noah Misch +Date: Mon, 8 May 2023 06:14:07 -0700 +Subject: Replace last PushOverrideSearchPath() call with + set_config_option(). + +The two methods don't cooperate, so set_config_option("search_path", +...) has been ineffective under non-empty overrideStack. This defect +enabled an attacker having database-level CREATE privilege to execute +arbitrary code as the bootstrap superuser. While that particular attack +requires v13+ for the trusted extension attribute, other attacks are +feasible in all supported versions. + +Standardize on the combination of NewGUCNestLevel() and +set_config_option("search_path", ...). It is newer than +PushOverrideSearchPath(), more-prevalent, and has no known +disadvantages. The "override" mechanism remains for now, for +compatibility with out-of-tree code. Users should update such code, +which likely suffers from the same sort of vulnerability closed here. +Back-patch to v11 (all supported versions). + +Alexander Lakhin. Reported by Alexander Lakhin. + +Security: CVE-2023-2454 +--- + contrib/seg/Makefile | 2 +- + contrib/seg/expected/security.out | 32 ++++++++++++++++++ + contrib/seg/sql/security.sql | 32 ++++++++++++++++++ + src/backend/catalog/namespace.c | 4 +++ + src/backend/commands/schemacmds.c | 37 ++++++++++++++------ + src/test/regress/expected/namespace.out | 45 +++++++++++++++++++++++++ + src/test/regress/sql/namespace.sql | 24 +++++++++++++ + 7 files changed, 165 insertions(+), 11 deletions(-) + create mode 100644 contrib/seg/expected/security.out + create mode 100644 contrib/seg/sql/security.sql + +diff --git a/contrib/seg/Makefile b/contrib/seg/Makefile +index c6c134b8f1..a1e49bf051 100644 +--- a/contrib/seg/Makefile ++++ b/contrib/seg/Makefile +@@ -14,7 +14,7 @@ PGFILEDESC = "seg - line segment data type" + DATA = seg--1.1.sql seg--1.0--1.1.sql seg--unpackaged--1.0.sql + PGFILEDESC = "seg - line segment data type" + +-REGRESS = seg ++REGRESS = security seg + + EXTRA_CLEAN = y.tab.c y.tab.h + +diff --git a/contrib/seg/expected/security.out b/contrib/seg/expected/security.out +new file mode 100644 +index 0000000000..b47598d039 +--- /dev/null ++++ b/contrib/seg/expected/security.out +@@ -0,0 +1,32 @@ ++-- ++-- Test extension script protection against search path overriding ++-- ++CREATE ROLE regress_seg_role; ++SELECT current_database() AS datname \gset ++GRANT CREATE ON DATABASE :"datname" TO regress_seg_role; ++SET ROLE regress_seg_role; ++CREATE SCHEMA regress_seg_schema; ++CREATE FUNCTION regress_seg_schema.exfun(i int) RETURNS int AS $$ ++BEGIN ++ CREATE EXTENSION seg VERSION '1.2'; ++ ++ CREATE FUNCTION regress_seg_schema.compare(oid, regclass) RETURNS boolean AS ++ 'BEGIN RAISE EXCEPTION ''overloaded compare() called by %'', current_user; END;' LANGUAGE plpgsql; ++ ++ CREATE OPERATOR = (LEFTARG = oid, RIGHTARG = regclass, PROCEDURE = regress_seg_schema.compare); ++ ++ ALTER EXTENSION seg UPDATE TO '1.3'; ++ ++ RETURN i; ++END; $$ LANGUAGE plpgsql; ++CREATE SCHEMA test_schema ++CREATE TABLE t(i int) PARTITION BY RANGE (i) ++CREATE TABLE p1 PARTITION OF t FOR VALUES FROM (1) TO (regress_seg_schema.exfun(2)); ++DROP SCHEMA test_schema CASCADE; ++NOTICE: drop cascades to 3 other objects ++DETAIL: drop cascades to table test_schema.t ++drop cascades to extension seg ++drop cascades to operator test_schema.=(oid,regclass) ++RESET ROLE; ++DROP OWNED BY regress_seg_role; ++DROP ROLE regress_seg_role; +diff --git a/contrib/seg/sql/security.sql b/contrib/seg/sql/security.sql +new file mode 100644 +index 0000000000..7dfbbaa304 +--- /dev/null ++++ b/contrib/seg/sql/security.sql +@@ -0,0 +1,32 @@ ++-- ++-- Test extension script protection against search path overriding ++-- ++ ++CREATE ROLE regress_seg_role; ++SELECT current_database() AS datname \gset ++GRANT CREATE ON DATABASE :"datname" TO regress_seg_role; ++SET ROLE regress_seg_role; ++CREATE SCHEMA regress_seg_schema; ++ ++CREATE FUNCTION regress_seg_schema.exfun(i int) RETURNS int AS $$ ++BEGIN ++ CREATE EXTENSION seg VERSION '1.2'; ++ ++ CREATE FUNCTION regress_seg_schema.compare(oid, regclass) RETURNS boolean AS ++ 'BEGIN RAISE EXCEPTION ''overloaded compare() called by %'', current_user; END;' LANGUAGE plpgsql; ++ ++ CREATE OPERATOR = (LEFTARG = oid, RIGHTARG = regclass, PROCEDURE = regress_seg_schema.compare); ++ ++ ALTER EXTENSION seg UPDATE TO '1.3'; ++ ++ RETURN i; ++END; $$ LANGUAGE plpgsql; ++ ++CREATE SCHEMA test_schema ++CREATE TABLE t(i int) PARTITION BY RANGE (i) ++CREATE TABLE p1 PARTITION OF t FOR VALUES FROM (1) TO (regress_seg_schema.exfun(2)); ++ ++DROP SCHEMA test_schema CASCADE; ++RESET ROLE; ++DROP OWNED BY regress_seg_role; ++DROP ROLE regress_seg_role; +diff --git a/src/backend/catalog/namespace.c b/src/backend/catalog/namespace.c +index 14e57adee2..73ddb67882 100644 +--- a/src/backend/catalog/namespace.c ++++ b/src/backend/catalog/namespace.c +@@ -3515,6 +3515,10 @@ OverrideSearchPathMatchesCurrent(OverrideSearchPath *path) + /* + * PushOverrideSearchPath - temporarily override the search path + * ++ * Do not use this function; almost any usage introduces a security ++ * vulnerability. It exists for the benefit of legacy code running in ++ * non-security-sensitive environments. ++ * + * We allow nested overrides, hence the push/pop terminology. The GUC + * search_path variable is ignored while an override is active. + * +diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c +index 48590247f8..b6a71154a8 100644 +--- a/src/backend/commands/schemacmds.c ++++ b/src/backend/commands/schemacmds.c +@@ -30,6 +30,7 @@ + #include "commands/schemacmds.h" + #include "miscadmin.h" + #include "parser/parse_utilcmd.h" ++#include "parser/scansup.h" + #include "tcop/utility.h" + #include "utils/acl.h" + #include "utils/builtins.h" +@@ -53,14 +54,16 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString, + { + const char *schemaName = stmt->schemaname; + Oid namespaceId; +- OverrideSearchPath *overridePath; + List *parsetree_list; + ListCell *parsetree_item; + Oid owner_uid; + Oid saved_uid; + int save_sec_context; ++ int save_nestlevel; ++ char *nsp = namespace_search_path; + AclResult aclresult; + ObjectAddress address; ++ StringInfoData pathbuf; + + GetUserIdAndSecContext(&saved_uid, &save_sec_context); + +@@ -153,14 +156,26 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString, + CommandCounterIncrement(); + + /* +- * Temporarily make the new namespace be the front of the search path, as +- * well as the default creation target namespace. This will be undone at +- * the end of this routine, or upon error. ++ * Prepend the new schema to the current search path. ++ * ++ * We use the equivalent of a function SET option to allow the setting to ++ * persist for exactly the duration of the schema creation. guc.c also ++ * takes care of undoing the setting on error. + */ +- overridePath = GetOverrideSearchPath(CurrentMemoryContext); +- overridePath->schemas = lcons_oid(namespaceId, overridePath->schemas); +- /* XXX should we clear overridePath->useTemp? */ +- PushOverrideSearchPath(overridePath); ++ save_nestlevel = NewGUCNestLevel(); ++ ++ initStringInfo(&pathbuf); ++ appendStringInfoString(&pathbuf, quote_identifier(schemaName)); ++ ++ while (scanner_isspace(*nsp)) ++ nsp++; ++ ++ if (*nsp != '\0') ++ appendStringInfo(&pathbuf, ", %s", nsp); ++ ++ (void) set_config_option("search_path", pathbuf.data, ++ PGC_USERSET, PGC_S_SESSION, ++ GUC_ACTION_SAVE, true, 0, false); + + /* + * Report the new schema to possibly interested event triggers. Note we +@@ -215,8 +230,10 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString, + CommandCounterIncrement(); + } + +- /* Reset search path to normal state */ +- PopOverrideSearchPath(); ++ /* ++ * Restore the GUC variable search_path we set above. ++ */ ++ AtEOXact_GUC(true, save_nestlevel); + + /* Reset current user and security context */ + SetUserIdAndSecContext(saved_uid, save_sec_context); +diff --git a/src/test/regress/expected/namespace.out b/src/test/regress/expected/namespace.out +index 2564d1b080..a62fd8ded0 100644 +--- a/src/test/regress/expected/namespace.out ++++ b/src/test/regress/expected/namespace.out +@@ -1,6 +1,14 @@ + -- + -- Regression tests for schemas (namespaces) + -- ++-- set the whitespace-only search_path to test that the ++-- GUC list syntax is preserved during a schema creation ++SELECT pg_catalog.set_config('search_path', ' ', false); ++ set_config ++------------ ++ ++(1 row) ++ + CREATE SCHEMA test_schema_1 + CREATE UNIQUE INDEX abc_a_idx ON abc (a) + CREATE VIEW abc_view AS +@@ -9,6 +17,43 @@ CREATE SCHEMA test_schema_1 + a serial, + b int UNIQUE + ); ++-- verify that the correct search_path restored on abort ++SET search_path to public; ++BEGIN; ++SET search_path to public, test_schema_1; ++CREATE SCHEMA test_schema_2 ++ CREATE VIEW abc_view AS SELECT c FROM abc; ++ERROR: column "c" does not exist ++LINE 2: CREATE VIEW abc_view AS SELECT c FROM abc; ++ ^ ++COMMIT; ++SHOW search_path; ++ search_path ++------------- ++ public ++(1 row) ++ ++-- verify that the correct search_path preserved ++-- after creating the schema and on commit ++BEGIN; ++SET search_path to public, test_schema_1; ++CREATE SCHEMA test_schema_2 ++ CREATE VIEW abc_view AS SELECT a FROM abc; ++SHOW search_path; ++ search_path ++----------------------- ++ public, test_schema_1 ++(1 row) ++ ++COMMIT; ++SHOW search_path; ++ search_path ++----------------------- ++ public, test_schema_1 ++(1 row) ++ ++DROP SCHEMA test_schema_2 CASCADE; ++NOTICE: drop cascades to view test_schema_2.abc_view + -- verify that the objects were created + SELECT COUNT(*) FROM pg_class WHERE relnamespace = + (SELECT oid FROM pg_namespace WHERE nspname = 'test_schema_1'); +diff --git a/src/test/regress/sql/namespace.sql b/src/test/regress/sql/namespace.sql +index 6b12c96193..3474f5ecf4 100644 +--- a/src/test/regress/sql/namespace.sql ++++ b/src/test/regress/sql/namespace.sql +@@ -2,6 +2,10 @@ + -- Regression tests for schemas (namespaces) + -- + ++-- set the whitespace-only search_path to test that the ++-- GUC list syntax is preserved during a schema creation ++SELECT pg_catalog.set_config('search_path', ' ', false); ++ + CREATE SCHEMA test_schema_1 + CREATE UNIQUE INDEX abc_a_idx ON abc (a) + +@@ -13,6 +17,26 @@ CREATE SCHEMA test_schema_1 + b int UNIQUE + ); + ++-- verify that the correct search_path restored on abort ++SET search_path to public; ++BEGIN; ++SET search_path to public, test_schema_1; ++CREATE SCHEMA test_schema_2 ++ CREATE VIEW abc_view AS SELECT c FROM abc; ++COMMIT; ++SHOW search_path; ++ ++-- verify that the correct search_path preserved ++-- after creating the schema and on commit ++BEGIN; ++SET search_path to public, test_schema_1; ++CREATE SCHEMA test_schema_2 ++ CREATE VIEW abc_view AS SELECT a FROM abc; ++SHOW search_path; ++COMMIT; ++SHOW search_path; ++DROP SCHEMA test_schema_2 CASCADE; ++ + -- verify that the objects were created + SELECT COUNT(*) FROM pg_class WHERE relnamespace = + (SELECT oid FROM pg_namespace WHERE nspname = 'test_schema_1'); +diff --git a/contrib/sepgsql/expected/ddl.out b/contrib/sepgsql/expected/ddl.out +index e8da587564..15d2b9c5e7 100644 +--- a/contrib/sepgsql/expected/ddl.out ++++ b/contrib/sepgsql/expected/ddl.out +@@ -24,7 +24,6 @@ LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_reg + CREATE USER regress_sepgsql_test_user; + CREATE SCHEMA regtest_schema; + LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +-LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="public" + GRANT ALL ON SCHEMA regtest_schema TO regress_sepgsql_test_user; + SET search_path = regtest_schema, public; + CREATE TABLE regtest_table (x serial primary key, y text); +-- +2.41.0 + diff --git a/postgresql-10.23-CVE-2023-2455.patch b/postgresql-10.23-CVE-2023-2455.patch new file mode 100644 index 0000000..4e63ded --- /dev/null +++ b/postgresql-10.23-CVE-2023-2455.patch @@ -0,0 +1,114 @@ +From ca73753b090c33bc69ce299b4d7fff891a77b8ad Mon Sep 17 00:00:00 2001 +From: Tom Lane +Date: Mon, 8 May 2023 10:12:44 -0400 +Subject: Handle RLS dependencies in inlined set-returning + functions properly. + +If an SRF in the FROM clause references a table having row-level +security policies, and we inline that SRF into the calling query, +we neglected to mark the plan as potentially dependent on which +role is executing it. This could lead to later executions in the +same session returning or hiding rows that should have been hidden +or returned instead. + +Our thanks to Wolfgang Walther for reporting this problem. + +Stephen Frost and Tom Lane + +Security: CVE-2023-2455 +--- + src/backend/optimizer/util/clauses.c | 7 ++++++ + src/test/regress/expected/rowsecurity.out | 27 +++++++++++++++++++++++ + src/test/regress/sql/rowsecurity.sql | 20 +++++++++++++++++ + 3 files changed, 54 insertions(+) + +diff --git a/src/backend/optimizer/util/clauses.c b/src/backend/optimizer/util/clauses.c +index a9c7bc342e..11269fee3e 100644 +--- a/src/backend/optimizer/util/clauses.c ++++ b/src/backend/optimizer/util/clauses.c +@@ -5205,6 +5205,13 @@ inline_set_returning_function(PlannerInfo *root, RangeTblEntry *rte) + */ + record_plan_function_dependency(root, func_oid); + ++ /* ++ * We must also notice if the inserted query adds a dependency on the ++ * calling role due to RLS quals. ++ */ ++ if (querytree->hasRowSecurity) ++ root->glob->dependsOnRole = true; ++ + return querytree; + + /* Here if func is not inlinable: release temp memory and return NULL */ +diff --git a/src/test/regress/expected/rowsecurity.out b/src/test/regress/expected/rowsecurity.out +index 38f53ed486..e278346420 100644 +--- a/src/test/regress/expected/rowsecurity.out ++++ b/src/test/regress/expected/rowsecurity.out +@@ -4427,6 +4427,33 @@ SELECT * FROM rls_tbl; + + DROP TABLE rls_tbl; + RESET SESSION AUTHORIZATION; ++-- CVE-2023-2455: inlining an SRF may introduce an RLS dependency ++create table rls_t (c text); ++insert into rls_t values ('invisible to bob'); ++alter table rls_t enable row level security; ++grant select on rls_t to regress_rls_alice, regress_rls_bob; ++create policy p1 on rls_t for select to regress_rls_alice using (true); ++create policy p2 on rls_t for select to regress_rls_bob using (false); ++create function rls_f () returns setof rls_t ++ stable language sql ++ as $$ select * from rls_t $$; ++prepare q as select current_user, * from rls_f(); ++set role regress_rls_alice; ++execute q; ++ current_user | c ++-------------------+------------------ ++ regress_rls_alice | invisible to bob ++(1 row) ++ ++set role regress_rls_bob; ++execute q; ++ current_user | c ++--------------+--- ++(0 rows) ++ ++RESET ROLE; ++DROP FUNCTION rls_f(); ++DROP TABLE rls_t; + -- + -- Clean up objects + -- +diff --git a/src/test/regress/sql/rowsecurity.sql b/src/test/regress/sql/rowsecurity.sql +index 0fd0cded7d..3d664538a6 100644 +--- a/src/test/regress/sql/rowsecurity.sql ++++ b/src/test/regress/sql/rowsecurity.sql +@@ -2127,6 +2127,26 @@ SELECT * FROM rls_tbl; + DROP TABLE rls_tbl; + RESET SESSION AUTHORIZATION; + ++-- CVE-2023-2455: inlining an SRF may introduce an RLS dependency ++create table rls_t (c text); ++insert into rls_t values ('invisible to bob'); ++alter table rls_t enable row level security; ++grant select on rls_t to regress_rls_alice, regress_rls_bob; ++create policy p1 on rls_t for select to regress_rls_alice using (true); ++create policy p2 on rls_t for select to regress_rls_bob using (false); ++create function rls_f () returns setof rls_t ++ stable language sql ++ as $$ select * from rls_t $$; ++prepare q as select current_user, * from rls_f(); ++set role regress_rls_alice; ++execute q; ++set role regress_rls_bob; ++execute q; ++ ++RESET ROLE; ++DROP FUNCTION rls_f(); ++DROP TABLE rls_t; ++ + -- + -- Clean up objects + -- +-- +2.41.0 + diff --git a/postgresql.spec b/postgresql.spec index 2b4bf8c..e5c828a 100644 --- a/postgresql.spec +++ b/postgresql.spec @@ -59,7 +59,7 @@ Summary: PostgreSQL client programs Name: postgresql %global majorversion 10 Version: %{majorversion}.23 -Release: 1%{?dist} +Release: 2%{?dist} # The PostgreSQL license is very similar to other MIT licenses, but the OSI # recognizes it as an independent license, so we do as well. @@ -76,7 +76,7 @@ Url: http://www.postgresql.org/ %global prev_prefix %{_libdir}/pgsql/postgresql-%{prevmajorversion} %global precise_version %{?epoch:%epoch:}%version-%release -%global setup_version 8.6 +%global setup_version 8.7 %global service_name postgresql.service Source0: https://ftp.postgresql.org/pub/source/v%{version}/postgresql-%{version}.tar.bz2 @@ -108,6 +108,8 @@ Patch6: postgresql-man.patch Patch8: postgresql-no-libs.patch Patch9: postgresql-server-pg_config.patch Patch10: postgresql-10.15-contrib-dblink-expected-out.patch +Patch11: postgresql-10.23-CVE-2023-2454.patch +Patch12: postgresql-10.23-CVE-2023-2455.patch BuildRequires: gcc BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk @@ -367,6 +369,8 @@ benchmarks. %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 +%patch12 -p1 # We used to run autoconf here, but there's no longer any real need to, # since Postgres ships with a reasonably modern configure script. @@ -1171,6 +1175,11 @@ make -C postgresql-setup-%{setup_version} check %changelog +* Wed Jul 19 2023 Dominik Rehák - 10.23-2 +- Backport fixes for CVE-2023-2454 and CVE-2023-2455 +- Update postgresql-setup to 8.7 (https://github.com/devexp-db/postgresql-setup/pull/35) +- Resolves: #2207931 + * Wed Nov 16 2022 Filip Januš - 10.23-1 - Resolves: CVE-2022-2625 - Rebase to 10.23 diff --git a/sources b/sources old mode 100755 new mode 100644 index 75b2c19..21c1555 --- a/sources +++ b/sources @@ -2,5 +2,5 @@ SHA512 (postgresql-10.23.tar.bz2) = 9fd031cad0c3caacae105215167abd5dc4fdd15dea77 SHA512 (postgresql-10.23.tar.bz2.sha256) = 1b8f25bb914b9c87679ff688625889a96f2e0e836a9fd0f19dcdf4e74798d96980cb09cb485cff7069b9fe6b9d5c03e162eac9d0ecb205e8e3f0d83358f641d2 SHA512 (postgresql-9.2.24.tar.bz2) = a6f043e5ef5e12e23c1c43b26a5ecafce62f3a86f38b5b85e7cb0cb7aa376d40e460a526baf67ae40de40525e4744fb5e48650ee5e007db4ce9742fcf548bd56 SHA512 (postgresql-9.2.24.tar.bz2.sha256) = 04e5ce7b8a4f8ef281cd3f59e18f41974356e92775c459de61383ba6254d84cb21a7d3a3506ec5416fc3e5090535d5961d9cc7cbe04591217aa9b9e142418170 -SHA512 (postgresql-setup-8.6.tar.gz) = dc687670cd58070512833271d8f3e7e4308c47cba1ad4c93e3d5f61acf07f390ed048f4d7f1567d2826f19a253562e13e56407dcf81a42f42c61ac96d8fe3178 +SHA512 (postgresql-setup-8.7.tar.gz) = 741f036be517e7d9725e4f146ca7dac8b8a16b6a93d045a64ef268487f48faad6b08317b58e07ad16a31002d2a10de0ac32513a4935c3f22f48ec768a742d1fc SHA512 (postgresql-10.23-US.pdf) = 561a7a0ebe539e7f4d7dff890fa14ac0d61e3e5a1a96b99304208208460d9d4d037e2d74766ae071ecbf3ecb22cee24b06b73226c4eafb5c5bb51896cbf441eb