13.12

CVE-2021-23214.patch

@@ -1,108 +0,0 @@
-From e92ed93e8eb76ee0701b42d4f0ce94e6af3fc741 Mon Sep 17 00:00:00 2001
-From: Tom Lane <tgl@sss.pgh.pa.us>
-Date: Mon, 8 Nov 2021 11:01:43 -0500
-Subject: [PATCH] Reject extraneous data after SSL or GSS encryption handshake.
-
-The server collects up to a bufferload of data whenever it reads data
-from the client socket.  When SSL or GSS encryption is requested
-during startup, any additional data received with the initial
-request message remained in the buffer, and would be treated as
-already-decrypted data once the encryption handshake completed.
-Thus, a man-in-the-middle with the ability to inject data into the
-TCP connection could stuff some cleartext data into the start of
-a supposedly encryption-protected database session.
-
-This could be abused to send faked SQL commands to the server,
-although that would only work if the server did not demand any
-authentication data.  (However, a server relying on SSL certificate
-authentication might well not do so.)
-
-To fix, throw a protocol-violation error if the internal buffer
-is not empty after the encryption handshake.
-
-Our thanks to Jacob Champion for reporting this problem.
-
-Security: CVE-2021-23214
----
- src/backend/libpq/pqcomm.c          | 12 ++++++++++++
- src/backend/postmaster/postmaster.c | 24 ++++++++++++++++++++++++
- src/include/libpq/libpq.h           |  1 +
- 3 files changed, 37 insertions(+)
-
-diff --git a/src/backend/libpq/pqcomm.c b/src/backend/libpq/pqcomm.c
-index ee2cd86866da..93f2e0b81d32 100644
---- a/src/backend/libpq/pqcomm.c
-+++ b/src/backend/libpq/pqcomm.c
-@@ -1183,6 +1183,18 @@ pq_getstring(StringInfo s)
- 	}
- }
- 
-+/* --------------------------------
-+ *		pq_buffer_has_data		- is any buffered data available to read?
-+ *
-+ * This will *not* attempt to read more data.
-+ * --------------------------------
-+ */
-+bool
-+pq_buffer_has_data(void)
-+{
-+	return (PqRecvPointer < PqRecvLength);
-+}
-+
- 
- /* --------------------------------
-  *		pq_startmsgread - begin reading a message from the client.
-diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
-index 5775fc0c0910..1e0936e5b482 100644
---- a/src/backend/postmaster/postmaster.c
-+++ b/src/backend/postmaster/postmaster.c
-@@ -2049,6 +2049,18 @@ ProcessStartupPacket(Port *port, bool ssl_done, bool gss_done)
- 			return STATUS_ERROR;
- #endif
- 
-+		/*
-+		 * At this point we should have no data already buffered.  If we do,
-+		 * it was received before we performed the SSL handshake, so it wasn't
-+		 * encrypted and indeed may have been injected by a man-in-the-middle.
-+		 * We report this case to the client.
-+		 */
-+		if (pq_buffer_has_data())
-+			ereport(FATAL,
-+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
-+					 errmsg("received unencrypted data after SSL request"),
-+					 errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
-+
- 		/*
- 		 * regular startup packet, cancel, etc packet should follow, but not
- 		 * another SSL negotiation request, and a GSS request should only
-@@ -2081,6 +2093,18 @@ ProcessStartupPacket(Port *port, bool ssl_done, bool gss_done)
- 			return STATUS_ERROR;
- #endif
- 
-+		/*
-+		 * At this point we should have no data already buffered.  If we do,
-+		 * it was received before we performed the GSS handshake, so it wasn't
-+		 * encrypted and indeed may have been injected by a man-in-the-middle.
-+		 * We report this case to the client.
-+		 */
-+		if (pq_buffer_has_data())
-+			ereport(FATAL,
-+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
-+					 errmsg("received unencrypted data after GSSAPI encryption request"),
-+					 errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
-+
- 		/*
- 		 * regular startup packet, cancel, etc packet should follow, but not
- 		 * another GSS negotiation request, and an SSL request should only
-diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
-index b1152475ace5..54c5fa779773 100644
---- a/src/include/libpq/libpq.h
-+++ b/src/include/libpq/libpq.h
-@@ -72,6 +72,7 @@ extern int	pq_getmessage(StringInfo s, int maxlen);
- extern int	pq_getbyte(void);
- extern int	pq_peekbyte(void);
- extern int	pq_getbyte_if_available(unsigned char *c);
-+extern bool pq_buffer_has_data(void);
- extern int	pq_putbytes(const char *s, size_t len);
- 
- /*

CVE-2021-23222.patch

@@ -1,123 +0,0 @@
-From 844b3169204c28cd086c1b4fae4a2cbdd0540640 Mon Sep 17 00:00:00 2001
-From: Tom Lane <tgl@sss.pgh.pa.us>
-Date: Mon, 8 Nov 2021 11:14:56 -0500
-Subject: [PATCH] libpq: reject extraneous data after SSL or GSS encryption
- handshake.
-
-libpq collects up to a bufferload of data whenever it reads data from
-the socket.  When SSL or GSS encryption is requested during startup,
-any additional data received with the server's yes-or-no reply
-remained in the buffer, and would be treated as already-decrypted data
-once the encryption handshake completed.  Thus, a man-in-the-middle
-with the ability to inject data into the TCP connection could stuff
-some cleartext data into the start of a supposedly encryption-protected
-database session.
-
-This could probably be abused to inject faked responses to the
-client's first few queries, although other details of libpq's behavior
-make that harder than it sounds.  A different line of attack is to
-exfiltrate the client's password, or other sensitive data that might
-be sent early in the session.  That has been shown to be possible with
-a server vulnerable to CVE-2021-23214.
-
-To fix, throw a protocol-violation error if the internal buffer
-is not empty after the encryption handshake.
-
-Our thanks to Jacob Champion for reporting this problem.
-
-Security: CVE-2021-23222
----
- doc/src/sgml/protocol.sgml        | 28 ++++++++++++++++++++++++++++
- src/interfaces/libpq/fe-connect.c | 26 ++++++++++++++++++++++++++
- 2 files changed, 54 insertions(+)
-
-diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
-index e26619e1b53d..b692648fca47 100644
---- a/doc/src/sgml/protocol.sgml
-+++ b/doc/src/sgml/protocol.sgml
-@@ -1471,6 +1471,20 @@ SELCT 1/0;<!-- this typo is intentional -->
-     and proceed without requesting <acronym>SSL</acronym>.
-    </para>
- 
-+   <para>
-+    When <acronym>SSL</acronym> encryption can be performed, the server
-+    is expected to send only the single <literal>S</literal> byte and then
-+    wait for the frontend to initiate an <acronym>SSL</acronym> handshake.
-+    If additional bytes are available to read at this point, it likely
-+    means that a man-in-the-middle is attempting to perform a
-+    buffer-stuffing attack
-+    (<ulink url="https://www.postgresql.org/support/security/CVE-2021-23222/">CVE-2021-23222</ulink>).
-+    Frontends should be coded either to read exactly one byte from the
-+    socket before turning the socket over to their SSL library, or to
-+    treat it as a protocol violation if they find they have read additional
-+    bytes.
-+   </para>
-+
-    <para>
-     An initial SSLRequest can also be used in a connection that is being
-     opened to send a CancelRequest message.
-@@ -1532,6 +1546,20 @@ SELCT 1/0;<!-- this typo is intentional -->
-     encryption.
-    </para>
- 
-+   <para>
-+    When <acronym>GSSAPI</acronym> encryption can be performed, the server
-+    is expected to send only the single <literal>G</literal> byte and then
-+    wait for the frontend to initiate a <acronym>GSSAPI</acronym> handshake.
-+    If additional bytes are available to read at this point, it likely
-+    means that a man-in-the-middle is attempting to perform a
-+    buffer-stuffing attack
-+    (<ulink url="https://www.postgresql.org/support/security/CVE-2021-23222/">CVE-2021-23222</ulink>).
-+    Frontends should be coded either to read exactly one byte from the
-+    socket before turning the socket over to their GSSAPI library, or to
-+    treat it as a protocol violation if they find they have read additional
-+    bytes.
-+   </para>
-+
-    <para>
-     An initial GSSENCRequest can also be used in a connection that is being
-     opened to send a CancelRequest message.
-diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
-index f80f4e98d8e0..57aee9518308 100644
---- a/src/interfaces/libpq/fe-connect.c
-+++ b/src/interfaces/libpq/fe-connect.c
-@@ -3076,6 +3076,19 @@ PQconnectPoll(PGconn *conn)
- 				pollres = pqsecure_open_client(conn);
- 				if (pollres == PGRES_POLLING_OK)
- 				{
-+					/*
-+					 * At this point we should have no data already buffered.
-+					 * If we do, it was received before we performed the SSL
-+					 * handshake, so it wasn't encrypted and indeed may have
-+					 * been injected by a man-in-the-middle.
-+					 */
-+					if (conn->inCursor != conn->inEnd)
-+					{
-+						appendPQExpBufferStr(&conn->errorMessage,
-+											 libpq_gettext("received unencrypted data after SSL response\n"));
-+						goto error_return;
-+					}
-+
- 					/* SSL handshake done, ready to send startup packet */
- 					conn->status = CONNECTION_MADE;
- 					return PGRES_POLLING_WRITING;
-@@ -3175,6 +3188,19 @@ PQconnectPoll(PGconn *conn)
- 				pollres = pqsecure_open_gss(conn);
- 				if (pollres == PGRES_POLLING_OK)
- 				{
-+					/*
-+					 * At this point we should have no data already buffered.
-+					 * If we do, it was received before we performed the GSS
-+					 * handshake, so it wasn't encrypted and indeed may have
-+					 * been injected by a man-in-the-middle.
-+					 */
-+					if (conn->inCursor != conn->inEnd)
-+					{
-+						appendPQExpBufferStr(&conn->errorMessage,
-+											 libpq_gettext("received unencrypted data after GSSAPI encryption response\n"));
-+						goto error_return;
-+					}
-+
- 					/* All set for startup packet */
- 					conn->status = CONNECTION_MADE;
- 					return PGRES_POLLING_WRITING;

postgresql-12.16.tar.bz2.sha256

@@ -0,0 +1 @@
+c5f1fff7a0f93e1ec3746417b0594290ece617b4995ed95b8d527af0ba0e38f3  postgresql-12.16.tar.bz2

postgresql-12.7.tar.bz2.sha256

@@ -1 +0,0 @@
-8490741f47c88edc8b6624af009ce19fda4dc9b31c4469ce2551d84075d5d995  postgresql-12.7.tar.bz2

postgresql-13.12.tar.bz2.sha256

@@ -0,0 +1 @@
+0da1edcee3514b7bc7ba6dbaf0c00499e8ac1590668e8789c50253a6249f218b  postgresql-13.12.tar.bz2

postgresql-13.3.tar.bz2.sha256

@@ -1 +0,0 @@
-3cd9454fa8c7a6255b6743b767700925ead1b9ab0d7a0f9dcb1151010f8eb4a1  postgresql-13.3.tar.bz2

postgresql-pgcrypto-openssl3-tests.patch

@@ -0,0 +1,102 @@
+diff -ur postgresql-13.4/contrib/pgcrypto/expected/pgp-decrypt.out postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-decrypt.out
+--- postgresql-13.4/contrib/pgcrypto/expected/pgp-decrypt.out	2021-08-09 16:49:05.000000000 -0400
++++ postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-decrypt.out	2021-09-01 08:16:48.138600886 -0400
+@@ -4,20 +4,6 @@
+ --  Checking ciphers
+ select pgp_sym_decrypt(dearmor('
+ -----BEGIN PGP MESSAGE-----
+-Comment: dat1.blowfish.sha1.mdc.s2k3.z0
+-
+-jA0EBAMCfFNwxnvodX9g0jwB4n4s26/g5VmKzVab1bX1SmwY7gvgvlWdF3jKisvS
+-yA6Ce1QTMK3KdL2MPfamsTUSAML8huCJMwYQFfE=
+-=JcP+
+------END PGP MESSAGE-----
+-'), 'foobar');
+- pgp_sym_decrypt 
+------------------
+- Secret message.
+-(1 row)
+-
+-select pgp_sym_decrypt(dearmor('
+------BEGIN PGP MESSAGE-----
+ Comment: dat1.aes.sha1.mdc.s2k3.z0
+ 
+ jA0EBwMCci97v0Q6Z0Zg0kQBsVf5Oe3iC+FBzUmuMV9KxmAyOMyjCc/5i8f1Eest
+diff -ur postgresql-13.4/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out
+--- postgresql-13.4/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out	2021-08-09 16:49:05.000000000 -0400
++++ postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out	2021-09-01 08:05:27.750172653 -0400
+@@ -594,13 +594,6 @@
+ (1 row)
+ 
+ select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
+-from keytbl, encdata where keytbl.id=2 and encdata.id=2;
+- pgp_pub_decrypt 
+------------------
+- Secret msg
+-(1 row)
+-
+-select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
+ from keytbl, encdata where keytbl.id=3 and encdata.id=3;
+  pgp_pub_decrypt 
+ -----------------
+diff -ur postgresql-13.4/contrib/pgcrypto/Makefile postgresql-13.4.patched/contrib/pgcrypto/Makefile
+--- postgresql-13.4/contrib/pgcrypto/Makefile	2021-08-09 16:49:05.000000000 -0400
++++ postgresql-13.4.patched/contrib/pgcrypto/Makefile	2021-09-01 08:26:47.207164873 -0400
+@@ -5,7 +5,7 @@
+ INT_TESTS = sha2
+ 
+ OSSL_SRCS = openssl.c pgp-mpi-openssl.c
+-OSSL_TESTS = sha2 des 3des cast5
++OSSL_TESTS = sha2
+ 
+ ZLIB_TST = pgp-compression
+ ZLIB_OFF_TST = pgp-zlib-DISABLED
+@@ -49,12 +49,13 @@
+ 	pgcrypto--1.0--1.1.sql
+ PGFILEDESC = "pgcrypto - cryptographic functions"
+ 
+-REGRESS = init md5 sha1 hmac-md5 hmac-sha1 blowfish rijndael \
++REGRESS = init md5 sha1 hmac-md5 hmac-sha1 rijndael \
+ 	$(CF_TESTS) \
+-	crypt-des crypt-md5 crypt-blowfish crypt-xdes \
++	crypt-md5 \
+ 	pgp-armor pgp-decrypt pgp-encrypt $(CF_PGP_TESTS) \
+ 	pgp-pubkey-decrypt pgp-pubkey-encrypt pgp-info
+ 
++#REGRESS = init pgp-pubkey-decrypt pgp-decrypt \
+ EXTRA_CLEAN = gen-rtab
+ 
+ ifdef USE_PGXS
+diff -ur postgresql-13.4/contrib/pgcrypto/sql/pgp-decrypt.sql postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-decrypt.sql
+--- postgresql-13.4/contrib/pgcrypto/sql/pgp-decrypt.sql	2021-08-09 16:49:05.000000000 -0400
++++ postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-decrypt.sql	2021-09-01 08:16:12.525212175 -0400
+@@ -5,16 +5,6 @@
+ --  Checking ciphers
+ select pgp_sym_decrypt(dearmor('
+ -----BEGIN PGP MESSAGE-----
+-Comment: dat1.blowfish.sha1.mdc.s2k3.z0
+-
+-jA0EBAMCfFNwxnvodX9g0jwB4n4s26/g5VmKzVab1bX1SmwY7gvgvlWdF3jKisvS
+-yA6Ce1QTMK3KdL2MPfamsTUSAML8huCJMwYQFfE=
+-=JcP+
+------END PGP MESSAGE-----
+-'), 'foobar');
+-
+-select pgp_sym_decrypt(dearmor('
+------BEGIN PGP MESSAGE-----
+ Comment: dat1.aes.sha1.mdc.s2k3.z0
+ 
+ jA0EBwMCci97v0Q6Z0Zg0kQBsVf5Oe3iC+FBzUmuMV9KxmAyOMyjCc/5i8f1Eest
+diff -ur postgresql-13.4/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql
+--- postgresql-13.4/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql	2021-08-09 16:49:05.000000000 -0400
++++ postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql	2021-09-01 08:06:18.963732342 -0400
+@@ -606,9 +606,6 @@
+ from keytbl, encdata where keytbl.id=1 and encdata.id=1;
+ 
+ select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
+-from keytbl, encdata where keytbl.id=2 and encdata.id=2;
+-
+-select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
+ from keytbl, encdata where keytbl.id=3 and encdata.id=3;
+ 
+ select pgp_pub_decrypt(dearmor(data), dearmor(seckey))

postgresql.spec

@@ -1,6 +1,6 @@
 %{!?beta:%global beta 0}
 %{!?test:%global test 1}
-%ifarch riscv64
+%ifarch riscv64 loongarch64
 # Fail to pass tests on riscv64
 %{!?llvmjit:%global llvmjit 0}
 %else
@@ -35,8 +35,8 @@
 Summary: PostgreSQL client programs
 Name: postgresql
 %global majorversion 13
-Version: %{majorversion}.3
+Version: %{majorversion}.12
-Release: 7
+Release: 1
 
 # The PostgreSQL license is very similar to other MIT licenses, but the OSI
 # recognizes it as an independent license, so we do as well.
@@ -44,7 +44,7 @@ License: PostgreSQL
 Url: http://www.postgresql.org/
 
 %global prevmajorversion 12
-%global prevversion %{prevmajorversion}.7
+%global prevversion %{prevmajorversion}.16
 %global prev_prefix %{_libdir}/pgsql/postgresql-%{prevmajorversion}
 %global precise_version %{?epoch:%epoch:}%version-%release
 
@@ -80,10 +80,10 @@ Patch8: postgresql-external-libpq.patch
 Patch9: postgresql-server-pg_config.patch
 Patch10: postgresql-no-libecpg.patch
 Patch11: postgresql-datalayout-mismatch-on-s390.patch
-Patch12: CVE-2021-23214.patch
-Patch13: CVE-2021-23222.patch
 Patch14: postgresql-subtransaction-test.patch
 Patch15: postgresql-13.3-sw.patch
+Patch17: postgresql-pgcrypto-openssl3-tests.patch
+
 
 BuildRequires: gcc
 BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk
@@ -163,6 +163,36 @@ PostgreSQL server, or on a remote machine that accesses a PostgreSQL server
 over a network connection.  The PostgreSQL server can be found in the
 postgresql-server sub-package.
 
+%if ! %external_libpq
+%package private-libs
+Summary: The shared libraries required only for this build of PostgreSQL server
+Group: Applications/Databases
+# for /sbin/ldconfig
+Requires(post): glibc
+Requires(postun): glibc
+
+%description private-libs
+The postgresql-private-libs package provides the shared libraries for this
+build of PostgreSQL server and plugins build with this version of server.
+For shared libraries used by client packages that need to connect to a
+PostgreSQL server, install libpq package instead.
+
+
+%package private-devel
+Summary: PostgreSQL development header files for this build of PostgreSQL server
+Group: Development/Libraries
+Requires: %{name}-private-libs%{?_isa} = %precise_version
+# Conflict is desired here, a user must pick one or another
+Conflicts: libpq-devel
+
+%description private-devel
+The postgresql-private-devel package contains the header files and libraries
+needed to compile C or C++ applications which will directly interact
+with a PostgreSQL database management server.
+You need to install this package if you want to develop applications which
+will interact with a PostgreSQL server.
+%endif
+
 
 %package server
 Summary: The programs needed to create and run a PostgreSQL server
@@ -345,23 +375,21 @@ goal of accelerating analytics queries.
 %endif
 )
 %setup -q -a 12 -n postgresql-%{version}
-%patch1 -p1
+%patch -P 1 -p1
-%patch2 -p1
+%patch -P 2 -p1
-%patch5 -p1
+%patch -P 5 -p1
-%patch6 -p1
+%patch -P 6 -p1
 %if %external_libpq
-%patch8 -p1
+%patch -P 8 -p1
 %else
-%patch10 -p1
+%patch -P 10 -p1
 %endif
-%patch9 -p1
+%patch -P 9 -p1
-%patch11 -p1
+%patch -P 11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
 %ifarch sw_64
-%patch15 -p1
+%patch -P 15 -p1
 %endif
+%patch -P 17 -p1
 
 # We used to run autoconf here, but there's no longer any real need to,
 # since Postgres ships with a reasonably modern configure script.
@@ -428,7 +456,7 @@ export CFLAGS
 # since that's still considered the default plpython version.
 common_configure_options='
         --disable-rpath
-%ifarch riscv64
+%ifarch riscv64 loongarch64
         --disable-spinlocks
 %endif
 %if %beta
@@ -620,7 +648,7 @@ upgrade_configure ()
                 --host=%{_host} \
                 --prefix=%prev_prefix \
                 --disable-rpath \
-%ifarch riscv64
+%ifarch riscv64 loongarch64
                 --disable-spinlocks \
 %endif
 %if %beta
@@ -690,6 +718,16 @@ make DESTDIR=$RPM_BUILD_ROOT install-world
 
 # We ship pg_config through libpq-devel
 mv $RPM_BUILD_ROOT/%_mandir/man1/pg_{,server_}config.1
+%if %external_libpq
+rm $RPM_BUILD_ROOT/%_includedir/pg_config*.h
+rm $RPM_BUILD_ROOT/%_includedir/libpq/libpq-fs.h
+rm $RPM_BUILD_ROOT/%_includedir/postgres_ext.h
+rm -r $RPM_BUILD_ROOT/%_includedir/pgsql/internal/
+%else
+ln -s pg_server_config $RPM_BUILD_ROOT/%_bindir/pg_config
+rm $RPM_BUILD_ROOT/%{_libdir}/libpq.a
+%endif
+
 
 %if %plpython3
         mv src/Makefile.global src/Makefile.global.save
@@ -1163,14 +1201,29 @@ make -C postgresql-setup-%{setup_version} check
 %dir %{_includedir}/pgsql
 %{_includedir}/pgsql/server
 %{_libdir}/pgsql/pgxs/
-%{_includedir}/*
-%{_libdir}/{pgsql/pgxs/,pkgconfig/*.pc}
-%{_libdir}/{libecpg,libecpg_compat,libpgtypes,libpq}.so*
-%{_libdir}/libpq.a
 %{_mandir}/man1/pg_server_config.*
 %{_mandir}/man3/SPI_*
 %{macrosdir}/macros.%name
 
+%if ! %external_libpq
+%files private-libs
+%{_libdir}/libpq.so.*
+%endif
+
+%if ! %external_libpq
+%files private-devel
+%{_bindir}/pg_config
+%{_includedir}/libpq-events.h
+%{_includedir}/libpq-fe.h
+%{_includedir}/postgres_ext.h
+%{_includedir}/pgsql/internal/*.h
+%{_includedir}/pgsql/internal/libpq/pqcomm.h
+%{_includedir}/libpq/*.h
+%{_libdir}/pkgconfig/*.pc
+%{_libdir}/libpq.so
+%{_includedir}/pg_config*.h
+%endif
+
 
 %files test-rpm-macros
 %{_datadir}/postgresql-setup/postgresql_pkg_tests.sh
@@ -1248,6 +1301,17 @@ make -C postgresql-setup-%{setup_version} check
 
 
 %changelog
+* Fri Aug 11 2023 Funda Wang <fundawang@yeah.net> - 13.12-1
+- New version 13.12
+
+* Fri Jun  9 2023 dillon chen <dillon.chen@gmail.com> - 13.3-8
+- Fix build error for loongarch64
+- Fix issue: confilct between libpq-devel and postgresql-devel
+- guess init spec from redhat
+- change redhat spec:rm private package and add files to server-devel
+- so add delete lines to Fix issue
+- Next: write oe libpq and postgresql spec by myself
+
 * Tue Oct 25 2022 wuzx<wuzx1226@qq.com> - 13.3-7
 - Add sw64 architecture