Accepted postgresql-8.4 8.4.20-0squeeze1 (source all amd64)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 20 Feb 2014 13:00:28 +0100
Source: postgresql-8.4
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-8.4 postgresql-client-8.4 postgresql-server-dev-8.4 postgresql-doc-8.4 postgresql-contrib-8.4 postgresql-plperl-8.4 postgresql-plpython-8.4 postgresql-pltcl-8.4 postgresql postgresql-client postgresql-doc postgresql-contrib
Architecture: source all amd64
Version: 8.4.20-0squeeze1
Distribution: squeeze-security
Urgency: high
Maintainer: Martin Pitt <mpitt@debian.org>
Changed-By: Christoph Berg <christoph.berg@credativ.de>
Description:
libecpg-compat3 - older version of run-time library for ECPG programs
libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
libecpg6 - run-time library for ECPG programs
libpgtypes3 - shared library libpgtypes for PostgreSQL 8.4
libpq-dev - header files for libpq5 (PostgreSQL library)
libpq5 - PostgreSQL C client library
postgresql - object-relational SQL database (supported version)
postgresql-8.4 - object-relational SQL database, version 8.4 server
postgresql-client - front-end programs for PostgreSQL (supported version)
postgresql-client-8.4 - front-end programs for PostgreSQL 8.4
postgresql-contrib - additional facilities for PostgreSQL (supported version)
postgresql-contrib-8.4 - additional facilities for PostgreSQL
postgresql-doc - documentation for the PostgreSQL database management system
postgresql-doc-8.4 - documentation for the PostgreSQL database management system
postgresql-plperl-8.4 - PL/Perl procedural language for PostgreSQL 8.4
postgresql-plpython-8.4 - PL/Python procedural language for PostgreSQL 8.4
postgresql-pltcl-8.4 - PL/Tcl procedural language for PostgreSQL 8.4
postgresql-server-dev-8.4 - development files for PostgreSQL 8.4 server-side programming
Changes:
postgresql-8.4 (8.4.20-0squeeze1) squeeze-security; urgency=high
.
* New upstream security/bugfix release.
.
+ Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)
.
Granting a role without ADMIN OPTION is supposed to prevent the grantee
from adding or removing members from the granted role, but this
restriction was easily bypassed by doing SET ROLE first. The security
impact is mostly that a role member can revoke the access of others,
contrary to the wishes of his grantor. Unapproved role member additions
are a lesser concern, since an uncooperative role member could provide
most of his rights to others anyway by creating views or SECURITY
DEFINER functions. (CVE-2014-0060)
.
+ Prevent privilege escalation via manual calls to PL validator functions
(Andres Freund)
.
The primary role of PL validator functions is to be called implicitly
during CREATE FUNCTION, but they are also normal SQL functions that a
user can call explicitly. Calling a validator on a function actually
written in some other language was not checked for and could be
exploited for privilege-escalation purposes. The fix involves adding a
call to a privilege-checking function in each validator function.
Non-core procedural languages will also need to make this change to
their own validator functions, if any. (CVE-2014-0061)
.
+ Avoid multiple name lookups during table and index DDL (Robert Haas,
Andres Freund)
.
If the name lookups come to different conclusions due to concurrent
activity, we might perform some parts of the DDL on a different table
than other parts. At least in the case of CREATE INDEX, this can be used
to cause the permissions checks to be performed against a different
table than the index creation, allowing for a privilege escalation
attack. (CVE-2014-0062)
.
+ Prevent buffer overrun with long datetime strings (Noah Misch)
.
The MAXDATELEN constant was too small for the longest possible value of
type interval, allowing a buffer overrun in interval_out(). Although the
datetime input functions were more careful about avoiding buffer
overrun, the limit was short enough to cause them to reject some valid
inputs, such as input containing a very long timezone name. The ecpg
library contained these vulnerabilities along with some of its own.
(CVE-2014-0063)
.
+ Prevent buffer overrun due to integer overflow in size calculations
(Noah Misch, Heikki Linnakangas)
.
Several functions, mostly type input functions, calculated an allocation
size without checking for overflow. If overflow did occur, a too-small
buffer would be allocated and then written past. (CVE-2014-0064)
.
+ Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)
.
Use strlcpy() and related functions to provide a clear guarantee that
fixed-size buffers are not overrun. Unlike the preceding items, it is
unclear whether these cases really represent live issues, since in most
cases there appear to be previous constraints on the size of the input
string. Nonetheless it seems prudent to silence all Coverity warnings of
this type. (CVE-2014-0065)
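As an added example (not PostgreSQL's own code and not part of this upload), the following C illustrates the two defensive patterns the entries for CVE-2014-0064 and CVE-2014-0065 describe: an allocation-size multiplication that is checked for wrap-around before the buffer is allocated, and a strlcpy-style bounded copy that always NUL-terminates and reports truncation. The function names `naive_size`, `checked_size`, `bounded_copy`, the `ALLOC_LIMIT` cap and the sample inputs are all constructed for this illustration; glibc has no strlcpy, so a local equivalent is written out.

```c
/* Added example, not PostgreSQL code: overflow-checked size calculation
 * and a bounded string copy, the two fixes the changelog entries for
 * CVE-2014-0064 and CVE-2014-0065 describe. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Upper bound for one allocation; the value is chosen for this example. */
#define ALLOC_LIMIT ((size_t)1 << 30)

/* Unchecked pattern: for a large element count the product wraps, a
 * too-small buffer is allocated, and the later fill writes past its end. */
size_t naive_size(size_t nelems, size_t elemsize)
{
    return nelems * elemsize;
}

/* Checked pattern: returns 1 and stores the byte count in *out, or
 * returns 0 (with *out = 0) if the product would wrap or exceed the cap. */
int checked_size(size_t nelems, size_t elemsize, size_t *out)
{
    *out = 0;
    if (elemsize != 0 && nelems > SIZE_MAX / elemsize)
        return 0;               /* multiplication would wrap around */
    size_t total = nelems * elemsize;
    if (total > ALLOC_LIMIT)
        return 0;               /* refuse an implausibly large request */
    *out = total;
    return 1;
}

/* strlcpy-style copy: never writes more than dstsize bytes, always
 * NUL-terminates when dstsize > 0, and returns strlen(src) so the caller
 * can detect truncation by comparing the result against dstsize. */
size_t bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Constructed element count that wraps when multiplied by 16 on both
 * 32-bit and 64-bit size_t. Returns 1 if the naive product wrapped and
 * the checked version rejected the request. */
int demo_overflow_detected(void)
{
    size_t nelems = SIZE_MAX / 8 + 2;   /* constructed input */
    size_t sz;
    size_t wrapped = naive_size(nelems, 16);
    int ok = checked_size(nelems, 16, &sz);
    return wrapped < nelems && ok == 0;
}

/* Constructed over-long input into an 8-byte buffer: the copy must stop
 * at 7 characters, terminate, and report the full length it needed. */
int demo_copy_truncates_safely(void)
{
    char buf[8];
    size_t need = bounded_copy(buf, sizeof buf, "0123456789");
    return need == 10 && strlen(buf) == 7 && strcmp(buf, "0123456") == 0;
}

int main(void)
{
    printf("overflow detected: %s\n", demo_overflow_detected() ? "yes" : "no");
    printf("bounded copy safe: %s\n", demo_copy_truncates_safely() ? "yes" : "no");
    return 0;
}
```

The return value of `bounded_copy` is the check a caller would actually use: a result greater than or equal to `dstsize` means the input was cut, which is the situation the fixed-size-buffer entry wants made explicit rather than silently overrun.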
.
+ Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian)
.
There are relatively few scenarios in which crypt() could return NULL,
but contrib/chkpass would crash if it did. One practical case in which
this could be an issue is if libc is configured to refuse to execute
unapproved hashing algorithms (e.g., "FIPS mode"). (CVE-2014-0066)
.
+ Document risks of make check in the regression testing instructions
(Noah Misch, Tom Lane)
.
Since the temporary server started by make check uses "trust"
authentication, another user on the same machine could connect to it as
database superuser, and then potentially exploit the privileges of the
operating-system user who started the tests. A future release will
probably incorporate changes in the testing procedure to prevent this
risk, but some public discussion is needed first. So for the moment,
just warn people against using make check when there are untrusted users
on the same machine. (CVE-2014-0067)
.
* The upstream tarballs no longer contain a plain HISTORY file, but point to
the html documentation. Note the location of these files in our
changelog.gz file.
Checksums-Sha1:
a845f863450a825f5dfe5b702815e7294e2c89f0 3223 postgresql-8.4_8.4.20-0squeeze1.dsc
189692569e69e74cb73e12f39708aeac10b02764 18310899 postgresql-8.4_8.4.20.orig.tar.gz
6c0b76146904e6bdc14797bf0129837379652836 65538 postgresql-8.4_8.4.20-0squeeze1.diff.gz
ee35e0c56351a71b264d070e65df51e35eb8304f 2219892 postgresql-doc-8.4_8.4.20-0squeeze1_all.deb
1c06d081bc58992562285c2b60c62443632b2d37 34340 postgresql_8.4.20-0squeeze1_all.deb
ea3d6437f759b2a5900f8d6ec032a003d2b05b75 34308 postgresql-client_8.4.20-0squeeze1_all.deb
e52bb30c1519fa2ff2aaa2d5037a4f515419453c 34154 postgresql-doc_8.4.20-0squeeze1_all.deb
67466ab24fa720d6cb513c35f2015708ce79c85f 34208 postgresql-contrib_8.4.20-0squeeze1_all.deb
e3d7687d1f248367af085fe5319190a579aafc99 255358 libpq-dev_8.4.20-0squeeze1_amd64.deb
16450b492bdd6927a412cbf7ba5a59060f81fd6b 174058 libpq5_8.4.20-0squeeze1_amd64.deb
9580addc8213ecdca4aeb7aec7417ae9b208c0ee 113954 libecpg6_8.4.20-0squeeze1_amd64.deb
a2de48e26ba37d9d36bd8117c6fe3fb48a18c259 271476 libecpg-dev_8.4.20-0squeeze1_amd64.deb
7bc0e34e6fd725da5dd371b4e5750c20e6c20401 42102 libecpg-compat3_8.4.20-0squeeze1_amd64.deb
8045cf26ac8dc0310f2b2540c56f6bf6a43f0401 65624 libpgtypes3_8.4.20-0squeeze1_amd64.deb
8dd33b4b5abf4ada33b7c3c9c25d258b6b916980 5759960 postgresql-8.4_8.4.20-0squeeze1_amd64.deb
6c2bc8ab6d7398db0d35dd28af62aa13de92aa1c 1602248 postgresql-client-8.4_8.4.20-0squeeze1_amd64.deb
4f14e2d3779adf6af71dba0fc638516662aa0e17 654976 postgresql-server-dev-8.4_8.4.20-0squeeze1_amd64.deb
a6b7fcdc9c7296593af2deea36a6ff17d7535599 449042 postgresql-contrib-8.4_8.4.20-0squeeze1_amd64.deb
8be0240ec105371f1b700d40461752f5cc5775a3 72972 postgresql-plperl-8.4_8.4.20-0squeeze1_amd64.deb
eea4ddeb542ad3e1fc1d2db2193a558e32bd365d 74342 postgresql-plpython-8.4_8.4.20-0squeeze1_amd64.deb
40a8031594365e8c09d56219a9eb4a08d6682963 57928 postgresql-pltcl-8.4_8.4.20-0squeeze1_amd64.deb
Checksums-Sha256:
a99538f70cde229bcaa8189a7f84aba5aa4fa2e2c62f3853058e5f9f36031286 3223 postgresql-8.4_8.4.20-0squeeze1.dsc
2c05da292dc8037e12e1b424213141609961a2be25395f36d3be3c3d0b4eaf29 18310899 postgresql-8.4_8.4.20.orig.tar.gz
923dff2554ae19cd377445f03b31a163d69e1e346cf003ee9efa25e600fc74b7 65538 postgresql-8.4_8.4.20-0squeeze1.diff.gz
b0642ab09e7e2429e62c1ab633e91ff12d8ac0b864c27e6dec784a4041412212 2219892 postgresql-doc-8.4_8.4.20-0squeeze1_all.deb
f5bc8cf00b824c539e8b8b7fb94d35529e223011e64892c884103dd721be9f07 34340 postgresql_8.4.20-0squeeze1_all.deb
c779808bec954f4d69842f0e3198700547a0d03bdda372715c464f978191d8a0 34308 postgresql-client_8.4.20-0squeeze1_all.deb
5b7f3a445026da6ae2e5f7b028d7aabdba0ee69d6b504028139ace50966a1f00 34154 postgresql-doc_8.4.20-0squeeze1_all.deb
8ba93b506155f12851e775bc945f19ebf4bc24e584b235a9d0d9542e9a2d7ab6 34208 postgresql-contrib_8.4.20-0squeeze1_all.deb
8136a975b6ebff66c209dbabd2f1ec3b3385a8984a666ad3c273488f8b6ce5a0 255358 libpq-dev_8.4.20-0squeeze1_amd64.deb
dc4f03a114a9e6e3c2fd546282cef769822113d5baef5ae2b490fd3bff800f2e 174058 libpq5_8.4.20-0squeeze1_amd64.deb
ff281f3367934586a3df9c911501098c2b0a2a5231d259cec0fb9b42f7f4d5bb 113954 libecpg6_8.4.20-0squeeze1_amd64.deb
4c9afc59085ac1e292e684e5d8f861aa6d5b92438e186b6145ea7e9fb11f67c3 271476 libecpg-dev_8.4.20-0squeeze1_amd64.deb
08636dea5fa925a78a885afd9d5b489eabeb697d9d6d625042201b5bb3d7b554 42102 libecpg-compat3_8.4.20-0squeeze1_amd64.deb
9e7e0120cb46ded248355814cde63a67b52af59bf32380fe1ff862f744774dd9 65624 libpgtypes3_8.4.20-0squeeze1_amd64.deb
1492a02a851d12e591b13a35902fe96cee4ecdf127f70f5862378be91c8b5d8a 5759960 postgresql-8.4_8.4.20-0squeeze1_amd64.deb
da3d0dc0eb9e1c6a4a3970307066be7230e9d92c2e77463ff4c4cef47a8e7307 1602248 postgresql-client-8.4_8.4.20-0squeeze1_amd64.deb
903cc56988d36ada6587439606984323d3caca0fa9000680ac14c49aef1e5003 654976 postgresql-server-dev-8.4_8.4.20-0squeeze1_amd64.deb
8f080748164a75765242b5eb8a46b124be20243b91dd7fd6b3ae3524b6138c5e 449042 postgresql-contrib-8.4_8.4.20-0squeeze1_amd64.deb
c1f308beb2a22b24b98a4c3d51e800923c8ec2779acf879e1ae16902fd1a9806 72972 postgresql-plperl-8.4_8.4.20-0squeeze1_amd64.deb
baeae725f9925e80152fca71b77df746a19153e9d98bdfbf0bb6da42595c815d 74342 postgresql-plpython-8.4_8.4.20-0squeeze1_amd64.deb
2d2907c6b0e68cd96bfabe0b76f63e4bf2098a948be86094be7078a27ce9c5b7 57928 postgresql-pltcl-8.4_8.4.20-0squeeze1_amd64.deb
Files:
eeafb4d2a18c84f27bd6a237a3352e42 3223 database optional postgresql-8.4_8.4.20-0squeeze1.dsc
9f50de43040991a0be572ff3d73d5cb1 18310899 database optional postgresql-8.4_8.4.20.orig.tar.gz
33115b521879329445845301dd4d56ca 65538 database optional postgresql-8.4_8.4.20-0squeeze1.diff.gz
d9db49c97e6497e0b4fe21b0dab66cfe 2219892 doc optional postgresql-doc-8.4_8.4.20-0squeeze1_all.deb
c8a59a7f3b4453be31a1b4e507857445 34340 database optional postgresql_8.4.20-0squeeze1_all.deb
da905ab69874919b38bf02071948009b 34308 database optional postgresql-client_8.4.20-0squeeze1_all.deb
ca8ce99a39ef20329d208f5eafa1b259 34154 doc optional postgresql-doc_8.4.20-0squeeze1_all.deb
7e461f0ae6eb1e9f40a5dca1085460a5 34208 database optional postgresql-contrib_8.4.20-0squeeze1_all.deb
624c4f7151daac23f6d4c9b13ad9922f 255358 libdevel optional libpq-dev_8.4.20-0squeeze1_amd64.deb
8674d5b5c7e4c36e691511c97d12aec5 174058 libs optional libpq5_8.4.20-0squeeze1_amd64.deb
af6b1bee2e0deec11109c909cd87c008 113954 libs optional libecpg6_8.4.20-0squeeze1_amd64.deb
968f467194313f1d73732d6898b3a7b3 271476 libdevel optional libecpg-dev_8.4.20-0squeeze1_amd64.deb
d4e135dad8feea2dcb8388552886f503 42102 libs optional libecpg-compat3_8.4.20-0squeeze1_amd64.deb
e7add6d9d90de3571b27203948d8c87c 65624 libs optional libpgtypes3_8.4.20-0squeeze1_amd64.deb
ab2952f64952fa991c4a3a8debf331b5 5759960 database optional postgresql-8.4_8.4.20-0squeeze1_amd64.deb
38093e5b5baa8bbca3db8dbb512abf21 1602248 database optional postgresql-client-8.4_8.4.20-0squeeze1_amd64.deb
2f7e80bc907858317dbb436d9f07fb45 654976 libdevel optional postgresql-server-dev-8.4_8.4.20-0squeeze1_amd64.deb
9f33f305001ae887fee8c0b39f549690 449042 database optional postgresql-contrib-8.4_8.4.20-0squeeze1_amd64.deb
90bbdbb743340fd5436fd66cbe8e7af0 72972 database optional postgresql-plperl-8.4_8.4.20-0squeeze1_amd64.deb
45169b576830f77792111cf23a01b17b 74342 database optional postgresql-plpython-8.4_8.4.20-0squeeze1_amd64.deb
d33c75e3392fd2550435b22bcf0f8d18 57928 database optional postgresql-pltcl-8.4_8.4.20-0squeeze1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=yNf8
-----END PGP SIGNATURE-----