!103 update to 13.13

From: @dillon_chen 
Reviewed-by: @zhengzhenyu 
Signed-off-by: @zhengzhenyu

CVE-2021-23214.patch

@@ -1,108 +0,0 @@
-From e92ed93e8eb76ee0701b42d4f0ce94e6af3fc741 Mon Sep 17 00:00:00 2001
-From: Tom Lane <tgl@sss.pgh.pa.us>
-Date: Mon, 8 Nov 2021 11:01:43 -0500
-Subject: [PATCH] Reject extraneous data after SSL or GSS encryption handshake.
-
-The server collects up to a bufferload of data whenever it reads data
-from the client socket.  When SSL or GSS encryption is requested
-during startup, any additional data received with the initial
-request message remained in the buffer, and would be treated as
-already-decrypted data once the encryption handshake completed.
-Thus, a man-in-the-middle with the ability to inject data into the
-TCP connection could stuff some cleartext data into the start of
-a supposedly encryption-protected database session.
-
-This could be abused to send faked SQL commands to the server,
-although that would only work if the server did not demand any
-authentication data.  (However, a server relying on SSL certificate
-authentication might well not do so.)
-
-To fix, throw a protocol-violation error if the internal buffer
-is not empty after the encryption handshake.
-
-Our thanks to Jacob Champion for reporting this problem.
-
-Security: CVE-2021-23214
----
- src/backend/libpq/pqcomm.c          | 12 ++++++++++++
- src/backend/postmaster/postmaster.c | 24 ++++++++++++++++++++++++
- src/include/libpq/libpq.h           |  1 +
- 3 files changed, 37 insertions(+)
-
-diff --git a/src/backend/libpq/pqcomm.c b/src/backend/libpq/pqcomm.c
-index ee2cd86866da..93f2e0b81d32 100644
---- a/src/backend/libpq/pqcomm.c
-+++ b/src/backend/libpq/pqcomm.c
-@@ -1183,6 +1183,18 @@ pq_getstring(StringInfo s)
- 	}
- }
- 
-+/* --------------------------------
-+ *		pq_buffer_has_data		- is any buffered data available to read?
-+ *
-+ * This will *not* attempt to read more data.
-+ * --------------------------------
-+ */
-+bool
-+pq_buffer_has_data(void)
-+{
-+	return (PqRecvPointer < PqRecvLength);
-+}
-+
- 
- /* --------------------------------
-  *		pq_startmsgread - begin reading a message from the client.
-diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
-index 5775fc0c0910..1e0936e5b482 100644
---- a/src/backend/postmaster/postmaster.c
-+++ b/src/backend/postmaster/postmaster.c
-@@ -2049,6 +2049,18 @@ ProcessStartupPacket(Port *port, bool ssl_done, bool gss_done)
- 			return STATUS_ERROR;
- #endif
- 
-+		/*
-+		 * At this point we should have no data already buffered.  If we do,
-+		 * it was received before we performed the SSL handshake, so it wasn't
-+		 * encrypted and indeed may have been injected by a man-in-the-middle.
-+		 * We report this case to the client.
-+		 */
-+		if (pq_buffer_has_data())
-+			ereport(FATAL,
-+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
-+					 errmsg("received unencrypted data after SSL request"),
-+					 errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
-+
- 		/*
- 		 * regular startup packet, cancel, etc packet should follow, but not
- 		 * another SSL negotiation request, and a GSS request should only
-@@ -2081,6 +2093,18 @@ ProcessStartupPacket(Port *port, bool ssl_done, bool gss_done)
- 			return STATUS_ERROR;
- #endif
- 
-+		/*
-+		 * At this point we should have no data already buffered.  If we do,
-+		 * it was received before we performed the GSS handshake, so it wasn't
-+		 * encrypted and indeed may have been injected by a man-in-the-middle.
-+		 * We report this case to the client.
-+		 */
-+		if (pq_buffer_has_data())
-+			ereport(FATAL,
-+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
-+					 errmsg("received unencrypted data after GSSAPI encryption request"),
-+					 errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
-+
- 		/*
- 		 * regular startup packet, cancel, etc packet should follow, but not
- 		 * another GSS negotiation request, and an SSL request should only
-diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
-index b1152475ace5..54c5fa779773 100644
---- a/src/include/libpq/libpq.h
-+++ b/src/include/libpq/libpq.h
-@@ -72,6 +72,7 @@ extern int	pq_getmessage(StringInfo s, int maxlen);
- extern int	pq_getbyte(void);
- extern int	pq_peekbyte(void);
- extern int	pq_getbyte_if_available(unsigned char *c);
-+extern bool pq_buffer_has_data(void);
- extern int	pq_putbytes(const char *s, size_t len);
- 
- /*

CVE-2021-23222.patch

@@ -1,123 +0,0 @@
-From 844b3169204c28cd086c1b4fae4a2cbdd0540640 Mon Sep 17 00:00:00 2001
-From: Tom Lane <tgl@sss.pgh.pa.us>
-Date: Mon, 8 Nov 2021 11:14:56 -0500
-Subject: [PATCH] libpq: reject extraneous data after SSL or GSS encryption
- handshake.
-
-libpq collects up to a bufferload of data whenever it reads data from
-the socket.  When SSL or GSS encryption is requested during startup,
-any additional data received with the server's yes-or-no reply
-remained in the buffer, and would be treated as already-decrypted data
-once the encryption handshake completed.  Thus, a man-in-the-middle
-with the ability to inject data into the TCP connection could stuff
-some cleartext data into the start of a supposedly encryption-protected
-database session.
-
-This could probably be abused to inject faked responses to the
-client's first few queries, although other details of libpq's behavior
-make that harder than it sounds.  A different line of attack is to
-exfiltrate the client's password, or other sensitive data that might
-be sent early in the session.  That has been shown to be possible with
-a server vulnerable to CVE-2021-23214.
-
-To fix, throw a protocol-violation error if the internal buffer
-is not empty after the encryption handshake.
-
-Our thanks to Jacob Champion for reporting this problem.
-
-Security: CVE-2021-23222
----
- doc/src/sgml/protocol.sgml        | 28 ++++++++++++++++++++++++++++
- src/interfaces/libpq/fe-connect.c | 26 ++++++++++++++++++++++++++
- 2 files changed, 54 insertions(+)
-
-diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
-index e26619e1b53d..b692648fca47 100644
---- a/doc/src/sgml/protocol.sgml
-+++ b/doc/src/sgml/protocol.sgml
-@@ -1471,6 +1471,20 @@ SELCT 1/0;<!-- this typo is intentional -->
-     and proceed without requesting <acronym>SSL</acronym>.
-    </para>
- 
-+   <para>
-+    When <acronym>SSL</acronym> encryption can be performed, the server
-+    is expected to send only the single <literal>S</literal> byte and then
-+    wait for the frontend to initiate an <acronym>SSL</acronym> handshake.
-+    If additional bytes are available to read at this point, it likely
-+    means that a man-in-the-middle is attempting to perform a
-+    buffer-stuffing attack
-+    (<ulink url="https://www.postgresql.org/support/security/CVE-2021-23222/">CVE-2021-23222</ulink>).
-+    Frontends should be coded either to read exactly one byte from the
-+    socket before turning the socket over to their SSL library, or to
-+    treat it as a protocol violation if they find they have read additional
-+    bytes.
-+   </para>
-+
-    <para>
-     An initial SSLRequest can also be used in a connection that is being
-     opened to send a CancelRequest message.
-@@ -1532,6 +1546,20 @@ SELCT 1/0;<!-- this typo is intentional -->
-     encryption.
-    </para>
- 
-+   <para>
-+    When <acronym>GSSAPI</acronym> encryption can be performed, the server
-+    is expected to send only the single <literal>G</literal> byte and then
-+    wait for the frontend to initiate a <acronym>GSSAPI</acronym> handshake.
-+    If additional bytes are available to read at this point, it likely
-+    means that a man-in-the-middle is attempting to perform a
-+    buffer-stuffing attack
-+    (<ulink url="https://www.postgresql.org/support/security/CVE-2021-23222/">CVE-2021-23222</ulink>).
-+    Frontends should be coded either to read exactly one byte from the
-+    socket before turning the socket over to their GSSAPI library, or to
-+    treat it as a protocol violation if they find they have read additional
-+    bytes.
-+   </para>
-+
-    <para>
-     An initial GSSENCRequest can also be used in a connection that is being
-     opened to send a CancelRequest message.
-diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
-index f80f4e98d8e0..57aee9518308 100644
---- a/src/interfaces/libpq/fe-connect.c
-+++ b/src/interfaces/libpq/fe-connect.c
-@@ -3076,6 +3076,19 @@ PQconnectPoll(PGconn *conn)
- 				pollres = pqsecure_open_client(conn);
- 				if (pollres == PGRES_POLLING_OK)
- 				{
-+					/*
-+					 * At this point we should have no data already buffered.
-+					 * If we do, it was received before we performed the SSL
-+					 * handshake, so it wasn't encrypted and indeed may have
-+					 * been injected by a man-in-the-middle.
-+					 */
-+					if (conn->inCursor != conn->inEnd)
-+					{
-+						appendPQExpBufferStr(&conn->errorMessage,
-+											 libpq_gettext("received unencrypted data after SSL response\n"));
-+						goto error_return;
-+					}
-+
- 					/* SSL handshake done, ready to send startup packet */
- 					conn->status = CONNECTION_MADE;
- 					return PGRES_POLLING_WRITING;
-@@ -3175,6 +3188,19 @@ PQconnectPoll(PGconn *conn)
- 				pollres = pqsecure_open_gss(conn);
- 				if (pollres == PGRES_POLLING_OK)
- 				{
-+					/*
-+					 * At this point we should have no data already buffered.
-+					 * If we do, it was received before we performed the GSS
-+					 * handshake, so it wasn't encrypted and indeed may have
-+					 * been injected by a man-in-the-middle.
-+					 */
-+					if (conn->inCursor != conn->inEnd)
-+					{
-+						appendPQExpBufferStr(&conn->errorMessage,
-+											 libpq_gettext("received unencrypted data after GSSAPI encryption response\n"));
-+						goto error_return;
-+					}
-+
- 					/* All set for startup packet */
- 					conn->status = CONNECTION_MADE;
- 					return PGRES_POLLING_WRITING;

postgresql-12.16.tar.bz2.sha256

@@ -0,0 +1 @@
+c5f1fff7a0f93e1ec3746417b0594290ece617b4995ed95b8d527af0ba0e38f3  postgresql-12.16.tar.bz2

postgresql-12.7.tar.bz2.sha256

@@ -1 +0,0 @@
-8490741f47c88edc8b6624af009ce19fda4dc9b31c4469ce2551d84075d5d995  postgresql-12.7.tar.bz2

postgresql-13.13.tar.bz2.sha256

@@ -0,0 +1 @@
+8af69c2599047a2ad246567d68ec4131aef116954d8c3e469e9789080b37a474  postgresql-13.13.tar.bz2

postgresql-13.3-sw.patch

@@ -0,0 +1,66 @@
+diff -Naur postgresql-13.3.org/contrib/pgcrypto/crypt-blowfish.c postgresql-13.3.sw/contrib/pgcrypto/crypt-blowfish.c
+--- postgresql-13.3.org/contrib/pgcrypto/crypt-blowfish.c	2022-09-16 11:31:15.100000000 +0800
++++ postgresql-13.3.sw/contrib/pgcrypto/crypt-blowfish.c	2022-09-16 11:32:01.060000000 +0800
+@@ -41,7 +41,7 @@
+ #ifdef __i386__
+ #define BF_ASM				0	/* 1 */
+ #define BF_SCALE			1
+-#elif defined(__x86_64__) || defined(__alpha__) || defined(__hppa__)
++#elif defined(__x86_64__) || defined(__alpha__) || defined(__hppa__) || defined(__sw_64__)
+ #define BF_ASM				0
+ #define BF_SCALE			1
+ #else
+diff -Naur postgresql-13.3.org/src/include/port/atomics/arch-sw_64.h postgresql-13.3.sw/src/include/port/atomics/arch-sw_64.h
+--- postgresql-13.3.org/src/include/port/atomics/arch-sw_64.h	1970-01-01 08:00:00.000000000 +0800
++++ postgresql-13.3.sw/src/include/port/atomics/arch-sw_64.h	2022-09-16 13:37:10.630000000 +0800
+@@ -0,0 +1,26 @@
++/*-------------------------------------------------------------------------
++ *
++ * arch-arm.h
++ *	  Atomic operations considerations specific to ARM
++ *
++ * Portions Copyright (c) 2013-2020, PostgreSQL Global Development Group
++ *
++ * NOTES:
++ *
++ * src/include/port/atomics/arch-arm.h
++ *
++ *-------------------------------------------------------------------------
++ */
++
++/* intentionally no include guards, should only be included by atomics.h */
++#ifndef INSIDE_ATOMICS_H
++#error "should be included via atomics.h"
++#endif
++
++/*
++ * 64 bit atomics on ARM32 are implemented using kernel fallbacks and thus
++ * might be slow, so disable entirely. On ARM64 that problem doesn't exist.
++ */
++#if !defined(_sw_64__) 
++#define PG_DISABLE_64_BIT_ATOMICS
++#endif  /* __sw_64__ || __sw_64 */
+diff -Naur postgresql-13.3.org/src/include/port/atomics.h postgresql-13.3.sw/src/include/port/atomics.h
+--- postgresql-13.3.org/src/include/port/atomics.h	2022-09-16 11:31:15.640000000 +0800
++++ postgresql-13.3.sw/src/include/port/atomics.h	2022-09-16 13:36:15.370000000 +0800
+@@ -68,6 +68,8 @@
+ #include "port/atomics/arch-arm.h"
+ #elif defined(__i386__) || defined(__i386) || defined(__x86_64__)
+ #include "port/atomics/arch-x86.h"
++#elif defined(__sw_64__)
++#include "port/atomics/arch-sw_64.h"
+ #elif defined(__ia64__) || defined(__ia64)
+ #include "port/atomics/arch-ia64.h"
+ #elif defined(__ppc__) || defined(__powerpc__) || defined(__ppc64__) || defined(__powerpc64__)
+diff -Naur postgresql-13.3.org/src/include/storage/s_lock.h postgresql-13.3.sw/src/include/storage/s_lock.h
+--- postgresql-13.3.org/src/include/storage/s_lock.h	2022-09-16 11:31:15.560000000 +0800
++++ postgresql-13.3.sw/src/include/storage/s_lock.h	2022-09-16 11:43:30.940000000 +0800
+@@ -320,7 +320,7 @@
+  * We use the int-width variant of the builtin because it works on more chips
+  * than other widths.
+  */
+-#if defined(__arm__) || defined(__arm) || defined(__aarch64__) || defined(__aarch64)
++#if defined(__arm__) || defined(__arm) || defined(__aarch64__) || defined(__aarch64) || defined(__sw_64__) || defined(__sw_64)
+ #ifdef HAVE_GCC__SYNC_INT32_TAS
+ #define HAS_TEST_AND_SET
+ 

postgresql-13.3.tar.bz2.sha256

@@ -1 +0,0 @@
-3cd9454fa8c7a6255b6743b767700925ead1b9ab0d7a0f9dcb1151010f8eb4a1  postgresql-13.3.tar.bz2

postgresql-pgcrypto-openssl3-tests.patch

@@ -0,0 +1,102 @@
+diff -ur postgresql-13.4/contrib/pgcrypto/expected/pgp-decrypt.out postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-decrypt.out
+--- postgresql-13.4/contrib/pgcrypto/expected/pgp-decrypt.out	2021-08-09 16:49:05.000000000 -0400
++++ postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-decrypt.out	2021-09-01 08:16:48.138600886 -0400
+@@ -4,20 +4,6 @@
+ --  Checking ciphers
+ select pgp_sym_decrypt(dearmor('
+ -----BEGIN PGP MESSAGE-----
+-Comment: dat1.blowfish.sha1.mdc.s2k3.z0
+-
+-jA0EBAMCfFNwxnvodX9g0jwB4n4s26/g5VmKzVab1bX1SmwY7gvgvlWdF3jKisvS
+-yA6Ce1QTMK3KdL2MPfamsTUSAML8huCJMwYQFfE=
+-=JcP+
+------END PGP MESSAGE-----
+-'), 'foobar');
+- pgp_sym_decrypt 
+------------------
+- Secret message.
+-(1 row)
+-
+-select pgp_sym_decrypt(dearmor('
+------BEGIN PGP MESSAGE-----
+ Comment: dat1.aes.sha1.mdc.s2k3.z0
+ 
+ jA0EBwMCci97v0Q6Z0Zg0kQBsVf5Oe3iC+FBzUmuMV9KxmAyOMyjCc/5i8f1Eest
+diff -ur postgresql-13.4/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out
+--- postgresql-13.4/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out	2021-08-09 16:49:05.000000000 -0400
++++ postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out	2021-09-01 08:05:27.750172653 -0400
+@@ -594,13 +594,6 @@
+ (1 row)
+ 
+ select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
+-from keytbl, encdata where keytbl.id=2 and encdata.id=2;
+- pgp_pub_decrypt 
+------------------
+- Secret msg
+-(1 row)
+-
+-select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
+ from keytbl, encdata where keytbl.id=3 and encdata.id=3;
+  pgp_pub_decrypt 
+ -----------------
+diff -ur postgresql-13.4/contrib/pgcrypto/Makefile postgresql-13.4.patched/contrib/pgcrypto/Makefile
+--- postgresql-13.4/contrib/pgcrypto/Makefile	2021-08-09 16:49:05.000000000 -0400
++++ postgresql-13.4.patched/contrib/pgcrypto/Makefile	2021-09-01 08:26:47.207164873 -0400
+@@ -5,7 +5,7 @@
+ INT_TESTS = sha2
+ 
+ OSSL_SRCS = openssl.c pgp-mpi-openssl.c
+-OSSL_TESTS = sha2 des 3des cast5
++OSSL_TESTS = sha2
+ 
+ ZLIB_TST = pgp-compression
+ ZLIB_OFF_TST = pgp-zlib-DISABLED
+@@ -49,12 +49,13 @@
+ 	pgcrypto--1.0--1.1.sql
+ PGFILEDESC = "pgcrypto - cryptographic functions"
+ 
+-REGRESS = init md5 sha1 hmac-md5 hmac-sha1 blowfish rijndael \
++REGRESS = init md5 sha1 hmac-md5 hmac-sha1 rijndael \
+ 	$(CF_TESTS) \
+-	crypt-des crypt-md5 crypt-blowfish crypt-xdes \
++	crypt-md5 \
+ 	pgp-armor pgp-decrypt pgp-encrypt $(CF_PGP_TESTS) \
+ 	pgp-pubkey-decrypt pgp-pubkey-encrypt pgp-info
+ 
++#REGRESS = init pgp-pubkey-decrypt pgp-decrypt \
+ EXTRA_CLEAN = gen-rtab
+ 
+ ifdef USE_PGXS
+diff -ur postgresql-13.4/contrib/pgcrypto/sql/pgp-decrypt.sql postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-decrypt.sql
+--- postgresql-13.4/contrib/pgcrypto/sql/pgp-decrypt.sql	2021-08-09 16:49:05.000000000 -0400
++++ postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-decrypt.sql	2021-09-01 08:16:12.525212175 -0400
+@@ -5,16 +5,6 @@
+ --  Checking ciphers
+ select pgp_sym_decrypt(dearmor('
+ -----BEGIN PGP MESSAGE-----
+-Comment: dat1.blowfish.sha1.mdc.s2k3.z0
+-
+-jA0EBAMCfFNwxnvodX9g0jwB4n4s26/g5VmKzVab1bX1SmwY7gvgvlWdF3jKisvS
+-yA6Ce1QTMK3KdL2MPfamsTUSAML8huCJMwYQFfE=
+-=JcP+
+------END PGP MESSAGE-----
+-'), 'foobar');
+-
+-select pgp_sym_decrypt(dearmor('
+------BEGIN PGP MESSAGE-----
+ Comment: dat1.aes.sha1.mdc.s2k3.z0
+ 
+ jA0EBwMCci97v0Q6Z0Zg0kQBsVf5Oe3iC+FBzUmuMV9KxmAyOMyjCc/5i8f1Eest
+diff -ur postgresql-13.4/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql
+--- postgresql-13.4/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql	2021-08-09 16:49:05.000000000 -0400
++++ postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql	2021-09-01 08:06:18.963732342 -0400
+@@ -606,9 +606,6 @@
+ from keytbl, encdata where keytbl.id=1 and encdata.id=1;
+ 
+ select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
+-from keytbl, encdata where keytbl.id=2 and encdata.id=2;
+-
+-select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
+ from keytbl, encdata where keytbl.id=3 and encdata.id=3;
+ 
+ select pgp_pub_decrypt(dearmor(data), dearmor(seckey))

postgresql-subtransaction-test.patch

@@ -0,0 +1,56 @@
+Fix subtransaction test for Python 3.10
+
+Starting with Python 3.10, the stacktrace looks differently:
+  -  PL/Python function "subtransaction_exit_subtransaction_in_with", line 3, in <module>
+  -    s.__exit__(None, None, None)
+  +  PL/Python function "subtransaction_exit_subtransaction_in_with", line 2, in <module>
+  +    with plpy.subtransaction() as s:
+Using try/except specifically makes the error look always the same.
+
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1959080
+
+diff -up postgresql-13.2/src/pl/plpython/expected/plpython_subtransaction.out.patchnew postgresql-13.2/src/pl/plpython/expected/plpython_subtransaction.out
+--- postgresql-13.2/src/pl/plpython/expected/plpython_subtransaction.out.patchnew	2021-02-08 22:54:11.000000000 +0100
++++ postgresql-13.2/src/pl/plpython/expected/plpython_subtransaction.out	2021-05-11 21:04:25.085586012 +0200
+@@ -171,8 +171,11 @@ with plpy.subtransaction() as s:
+ $$ LANGUAGE plpythonu;
+ CREATE FUNCTION subtransaction_exit_subtransaction_in_with() RETURNS void
+ AS $$
+-with plpy.subtransaction() as s:
+-    s.__exit__(None, None, None)
++try:
++    with plpy.subtransaction() as s:
++        s.__exit__(None, None, None)
++except ValueError as e:
++    raise ValueError(e)
+ $$ LANGUAGE plpythonu;
+ SELECT subtransaction_exit_without_enter();
+ ERROR:  ValueError: this subtransaction has not been entered
+@@ -224,8 +227,8 @@ PL/Python function "subtransaction_enter
+ SELECT subtransaction_exit_subtransaction_in_with();
+ ERROR:  ValueError: this subtransaction has already been exited
+ CONTEXT:  Traceback (most recent call last):
+-  PL/Python function "subtransaction_exit_subtransaction_in_with", line 3, in <module>
+-    s.__exit__(None, None, None)
++  PL/Python function "subtransaction_exit_subtransaction_in_with", line 6, in <module>
++    raise ValueError(e)
+ PL/Python function "subtransaction_exit_subtransaction_in_with"
+ -- Make sure we don't get a "current transaction is aborted" error
+ SELECT 1 as test;
+diff -up postgresql-13.2/src/pl/plpython/sql/plpython_subtransaction.sql.patchnew postgresql-13.2/src/pl/plpython/sql/plpython_subtransaction.sql
+--- postgresql-13.2/src/pl/plpython/sql/plpython_subtransaction.sql.patchnew	2021-02-08 22:54:11.000000000 +0100
++++ postgresql-13.2/src/pl/plpython/sql/plpython_subtransaction.sql	2021-05-11 21:02:34.386415376 +0200
+@@ -121,8 +121,11 @@ $$ LANGUAGE plpythonu;
+ 
+ CREATE FUNCTION subtransaction_exit_subtransaction_in_with() RETURNS void
+ AS $$
+-with plpy.subtransaction() as s:
+-    s.__exit__(None, None, None)
++try:
++    with plpy.subtransaction() as s:
++        s.__exit__(None, None, None)
++except ValueError as e:
++    raise ValueError(e)
+ $$ LANGUAGE plpythonu;
+ 
+ SELECT subtransaction_exit_without_enter();

postgresql.spec

@@ -1,6 +1,6 @@
 %{!?beta:%global beta 0}
 %{!?test:%global test 1}
-%ifarch riscv64
+%ifarch riscv64 loongarch64
 # Fail to pass tests on riscv64
 %{!?llvmjit:%global llvmjit 0}
 %else
@@ -22,7 +22,11 @@
 %{!?pam:%global pam 1}
 %{!?sdt:%global sdt 1}
 %{!?selinux:%global selinux 1}
+%ifarch sw_64
+%{!?runselftest:%global runselftest 0}
+%else
 %{!?runselftest:%global runselftest 1}
+%endif
 
 %global _default_patch_flags --no-backup-if-mismatch
 
@@ -31,8 +35,8 @@
 Summary: PostgreSQL client programs
 Name: postgresql
 %global majorversion 13
-Version: %{majorversion}.3
-Release: 5
+Version: %{majorversion}.13
+Release: 1
 
 # The PostgreSQL license is very similar to other MIT licenses, but the OSI
 # recognizes it as an independent license, so we do as well.
@@ -40,11 +44,11 @@ License: PostgreSQL
 Url: http://www.postgresql.org/
 
 %global prevmajorversion 12
-%global prevversion %{prevmajorversion}.7
+%global prevversion %{prevmajorversion}.16
 %global prev_prefix %{_libdir}/pgsql/postgresql-%{prevmajorversion}
 %global precise_version %{?epoch:%epoch:}%version-%release
 
-%global setup_version 8.5
+%global setup_version 8.7
 
 %global service_name postgresql.service
 
@@ -76,8 +80,10 @@ Patch8: postgresql-external-libpq.patch
 Patch9: postgresql-server-pg_config.patch
 Patch10: postgresql-no-libecpg.patch
 Patch11: postgresql-datalayout-mismatch-on-s390.patch
-Patch12: CVE-2021-23214.patch
-Patch13: CVE-2021-23222.patch
+Patch14: postgresql-subtransaction-test.patch
+Patch15: postgresql-13.3-sw.patch
+Patch17: postgresql-pgcrypto-openssl3-tests.patch
+
 
 BuildRequires: gcc
 BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk
@@ -157,6 +163,36 @@ PostgreSQL server, or on a remote machine that accesses a PostgreSQL server
 over a network connection.  The PostgreSQL server can be found in the
 postgresql-server sub-package.
 
+%if ! %external_libpq
+%package private-libs
+Summary: The shared libraries required only for this build of PostgreSQL server
+Group: Applications/Databases
+# for /sbin/ldconfig
+Requires(post): glibc
+Requires(postun): glibc
+
+%description private-libs
+The postgresql-private-libs package provides the shared libraries for this
+build of PostgreSQL server and plugins build with this version of server.
+For shared libraries used by client packages that need to connect to a
+PostgreSQL server, install libpq package instead.
+
+
+%package private-devel
+Summary: PostgreSQL development header files for this build of PostgreSQL server
+Group: Development/Libraries
+Requires: %{name}-private-libs%{?_isa} = %precise_version
+# Conflict is desired here, a user must pick one or another
+Conflicts: libpq-devel
+
+%description private-devel
+The postgresql-private-devel package contains the header files and libraries
+needed to compile C or C++ applications which will directly interact
+with a PostgreSQL database management server.
+You need to install this package if you want to develop applications which
+will interact with a PostgreSQL server.
+%endif
+
 
 %package server
 Summary: The programs needed to create and run a PostgreSQL server
@@ -339,19 +375,21 @@ goal of accelerating analytics queries.
 %endif
 )
 %setup -q -a 12 -n postgresql-%{version}
-%patch1 -p1
-%patch2 -p1
-%patch5 -p1
-%patch6 -p1
+%patch -P 1 -p1
+%patch -P 2 -p1
+%patch -P 5 -p1
+%patch -P 6 -p1
 %if %external_libpq
-%patch8 -p1
+%patch -P 8 -p1
 %else
-%patch10 -p1
+%patch -P 10 -p1
 %endif
-%patch9 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
+%patch -P 9 -p1
+%patch -P 11 -p1
+%ifarch sw_64
+%patch -P 15 -p1
+%endif
+%patch -P 17 -p1
 
 # We used to run autoconf here, but there's no longer any real need to,
 # since Postgres ships with a reasonably modern configure script.
@@ -418,7 +456,7 @@ export CFLAGS
 # since that's still considered the default plpython version.
 common_configure_options='
         --disable-rpath
-%ifarch riscv64
+%ifarch riscv64 loongarch64
         --disable-spinlocks
 %endif
 %if %beta
@@ -610,7 +648,7 @@ upgrade_configure ()
                 --host=%{_host} \
                 --prefix=%prev_prefix \
                 --disable-rpath \
-%ifarch riscv64
+%ifarch riscv64 loongarch64
                 --disable-spinlocks \
 %endif
 %if %beta
@@ -680,6 +718,16 @@ make DESTDIR=$RPM_BUILD_ROOT install-world
 
 # We ship pg_config through libpq-devel
 mv $RPM_BUILD_ROOT/%_mandir/man1/pg_{,server_}config.1
+%if %external_libpq
+rm $RPM_BUILD_ROOT/%_includedir/pg_config*.h
+rm $RPM_BUILD_ROOT/%_includedir/libpq/libpq-fs.h
+rm $RPM_BUILD_ROOT/%_includedir/postgres_ext.h
+rm -r $RPM_BUILD_ROOT/%_includedir/pgsql/internal/
+%else
+ln -s pg_server_config $RPM_BUILD_ROOT/%_bindir/pg_config
+rm $RPM_BUILD_ROOT/%{_libdir}/libpq.a
+%endif
+
 
 %if %plpython3
         mv src/Makefile.global src/Makefile.global.save
@@ -1153,14 +1201,29 @@ make -C postgresql-setup-%{setup_version} check
 %dir %{_includedir}/pgsql
 %{_includedir}/pgsql/server
 %{_libdir}/pgsql/pgxs/
-%{_includedir}/*
-%{_libdir}/{pgsql/pgxs/,pkgconfig/*.pc}
-%{_libdir}/{libecpg,libecpg_compat,libpgtypes,libpq}.so*
-%{_libdir}/libpq.a
 %{_mandir}/man1/pg_server_config.*
 %{_mandir}/man3/SPI_*
 %{macrosdir}/macros.%name
 
+%if ! %external_libpq
+%files private-libs
+%{_libdir}/libpq.so.*
+%endif
+
+%if ! %external_libpq
+%files private-devel
+%{_bindir}/pg_config
+%{_includedir}/libpq-events.h
+%{_includedir}/libpq-fe.h
+%{_includedir}/postgres_ext.h
+%{_includedir}/pgsql/internal/*.h
+%{_includedir}/pgsql/internal/libpq/pqcomm.h
+%{_includedir}/libpq/*.h
+%{_libdir}/pkgconfig/*.pc
+%{_libdir}/libpq.so
+%{_includedir}/pg_config*.h
+%endif
+
 
 %files test-rpm-macros
 %{_datadir}/postgresql-setup/postgresql_pkg_tests.sh
@@ -1238,6 +1301,32 @@ make -C postgresql-setup-%{setup_version} check
 
 
 %changelog
+* Wed Nov 15 2023 dillon chen <dillon.chen@gmail.com> - 13.13-1
+- New version 13.13
+- Fix CVE-2023-5868  CVE-2023-5869  CVE-2023-5870
+
+* Thu Aug 17 2023 panchenbo <panchenbo@kylinsec.com.cn> - 13.12-2
+- fix sw_64 patch error and remove --no-discard-stderr
+
+* Fri Aug 11 2023 Funda Wang <fundawang@yeah.net> - 13.12-1
+- New version 13.12
+
+* Fri Jun  9 2023 dillon chen <dillon.chen@gmail.com> - 13.3-8
+- Fix build error for loongarch64
+- Fix issue: confilct between libpq-devel and postgresql-devel
+- guess init spec from redhat
+- change redhat spec:rm private package and add files to server-devel
+- so add delete lines to Fix issue
+- Next: write oe libpq and postgresql spec by myself
+
+* Tue Oct 25 2022 wuzx<wuzx1226@qq.com> - 13.3-7
+- Add sw64 architecture
+
+* Mon Aug 1 2022 bzhaoop <bzhaojyathousandy@gmail.com> - 13.3-6
+- Porting "Fix subtransaction test failed" from master branch
+- Fri May 6 2022 caodongxia <caodongxia@h-partners.com> - 13.3-4
+- sync the same line with master
+
 * Fri Mar 11 2022 wangkai <wangkai385@huawei.com> - 13.3-5
 - Fix CVE-2021-23214 CVE-2021-23222
 
@@ -1260,7 +1349,7 @@ make -C postgresql-setup-%{setup_version} check
 * Tue Dec 8 2020 wangxiao <wangxiao65@huawei.com> - 10.5-18
 - Fix CVE-2020-25694 CVE-2020-25695 CVE-2020-25696
 
-* Web Sep 9 2020 yanglongkang<yanglongkang@huawei.com> - 10.5-17
+* Thu Sep 10 2020 yanglongkang <yanglongkang@huawei.com> - 10.5-17
 - Fix CVE-2020-14349 CVE-2020-14350
 
 * Fri Jun 19 2020 cuibaobao <cuibaobao1@huawei.com> - 10.5-16