
Accepted postgresql-9.1 9.1.12-0wheezy1 (source amd64 all)
Format: 1.8
Date: Thu, 20 Feb 2014 13:34:54 +0100
Source: postgresql-9.1
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-9.1 postgresql-9.1-dbg postgresql-client-9.1 postgresql-server-dev-9.1 postgresql-doc-9.1 postgresql-contrib-9.1 postgresql-plperl-9.1 postgresql-plpython-9.1 postgresql-plpython3-9.1 postgresql-pltcl-9.1
Architecture: source amd64 all
Version: 9.1.12-0wheezy1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian PostgreSQL Maintainers <pkg-postgresql-public@lists.alioth.debian.org>
Changed-By: Christoph Berg <christoph.berg@credativ.de>
Description: 
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6   - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 9.1
 libpq-dev  - header files for libpq5 (PostgreSQL library)
 libpq5     - PostgreSQL C client library
 postgresql-9.1 - object-relational SQL database, version 9.1 server
 postgresql-9.1-dbg - debug symbols for postgresql-9.1
 postgresql-client-9.1 - front-end programs for PostgreSQL 9.1
 postgresql-contrib-9.1 - additional facilities for PostgreSQL
 postgresql-doc-9.1 - documentation for the PostgreSQL database management system
 postgresql-plperl-9.1 - PL/Perl procedural language for PostgreSQL 9.1
 postgresql-plpython-9.1 - PL/Python procedural language for PostgreSQL 9.1
 postgresql-plpython3-9.1 - PL/Python 3 procedural language for PostgreSQL 9.1
 postgresql-pltcl-9.1 - PL/Tcl procedural language for PostgreSQL 9.1
 postgresql-server-dev-9.1 - development files for PostgreSQL 9.1 server-side programming
Changes: 
 postgresql-9.1 (9.1.12-0wheezy1) wheezy-security; urgency=high
 .
   * New upstream security/bugfix release.
 .
     + Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)
 .
       Granting a role without ADMIN OPTION is supposed to prevent the grantee
       from adding or removing members from the granted role, but this
       restriction was easily bypassed by doing SET ROLE first. The security
       impact is mostly that a role member can revoke the access of others,
       contrary to the wishes of his grantor. Unapproved role member additions
       are a lesser concern, since an uncooperative role member could provide
       most of his rights to others anyway by creating views or SECURITY
       DEFINER functions. (CVE-2014-0060)
 .
     + Prevent privilege escalation via manual calls to PL validator functions
       (Andres Freund)
 .
       The primary role of PL validator functions is to be called implicitly
       during CREATE FUNCTION, but they are also normal SQL functions that a
       user can call explicitly. Calling a validator on a function actually
       written in some other language was not checked for and could be
       exploited for privilege-escalation purposes. The fix involves adding a
       call to a privilege-checking function in each validator function.
       Non-core procedural languages will also need to make this change to
       their own validator functions, if any. (CVE-2014-0061)
 .
     + Avoid multiple name lookups during table and index DDL (Robert Haas,
       Andres Freund)
 .
       If the name lookups come to different conclusions due to concurrent
       activity, we might perform some parts of the DDL on a different table
       than other parts. At least in the case of CREATE INDEX, this can be used
       to cause the permissions checks to be performed against a different
       table than the index creation, allowing for a privilege escalation
       attack. (CVE-2014-0062)
 .
     + Prevent buffer overrun with long datetime strings (Noah Misch)
 .
       The MAXDATELEN constant was too small for the longest possible value of
       type interval, allowing a buffer overrun in interval_out(). Although the
       datetime input functions were more careful about avoiding buffer
       overrun, the limit was short enough to cause them to reject some valid
       inputs, such as input containing a very long timezone name. The ecpg
       library contained these vulnerabilities along with some of its own.
       (CVE-2014-0063)
 .
     + Prevent buffer overrun due to integer overflow in size calculations
       (Noah Misch, Heikki Linnakangas)
 .
       Several functions, mostly type input functions, calculated an allocation
       size without checking for overflow. If overflow did occur, a too-small
       buffer would be allocated and then written past. (CVE-2014-0064)
 .
     + Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)
 .
       Use strlcpy() and related functions to provide a clear guarantee that
       fixed-size buffers are not overrun. Unlike the preceding items, it is
       unclear whether these cases really represent live issues, since in most
       cases there appear to be previous constraints on the size of the input
       string. Nonetheless it seems prudent to silence all Coverity warnings of
       this type. (CVE-2014-0065)
 .
     + Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian)
 .
       There are relatively few scenarios in which crypt() could return NULL,
       but contrib/chkpass would crash if it did. One practical case in which
       this could be an issue is if libc is configured to refuse to execute
       unapproved hashing algorithms (e.g., "FIPS mode"). (CVE-2014-0066)
 .
     + Document risks of make check in the regression testing instructions
       (Noah Misch, Tom Lane)
 .
       Since the temporary server started by make check uses "trust"
       authentication, another user on the same machine could connect to it as
       database superuser, and then potentially exploit the privileges of the
       operating-system user who started the tests. A future release will
       probably incorporate changes in the testing procedure to prevent this
       risk, but some public discussion is needed first. So for the moment,
       just warn people against using make check when there are untrusted users
       on the same machine. (CVE-2014-0067)
 .
   * The upstream tarballs no longer contain a plain HISTORY file, but point to
     the html documentation. Note the location of these files in our
     changelog.gz file.
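The following is an added illustration, not code from this package or from PostgreSQL itself, of the allocation-size overflow pattern described under CVE-2014-0064: an element count parsed from input is multiplied by an element size in 32-bit arithmetic, the product wraps, and a buffer far too small for the data is allocated. The names (unchecked_alloc_size, checked_alloc_size) and the MAX_ALLOC_SIZE cap are assumptions chosen for the demo; the checked variant rejects the request before any arithmetic can overflow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hard upper bound on one allocation. PostgreSQL enforces a similar cap
 * (MaxAllocSize); the exact value used here is an assumption for the demo. */
#define MAX_ALLOC_SIZE ((size_t)0x3fffffff)

/* Pre-fix pattern: count and element size are 32-bit values and the byte
 * total is computed in 32-bit arithmetic with no range check. For a large
 * count the product wraps to a small number, a tiny buffer gets allocated,
 * and the caller then writes `nitems` elements past its end. The cast to
 * uint32_t keeps the wrap-around well defined so it can be shown safely;
 * nothing is allocated or written here. */
int32_t unchecked_alloc_size(int32_t nitems, int32_t elemsize)
{
    return (int32_t)((uint32_t)nitems * (uint32_t)elemsize);
}

/* Post-fix pattern: refuse negative counts and any count whose byte total
 * would overflow or exceed the cap. Dividing the cap by elemsize means the
 * overflowing product is never formed at all. */
bool checked_alloc_size(int32_t nitems, size_t elemsize, size_t *out)
{
    if (nitems < 0 || elemsize == 0)
        return false;
    if ((size_t)nitems > MAX_ALLOC_SIZE / elemsize)
        return false;
    *out = (size_t)nitems * elemsize;
    return true;
}

int main(void)
{
    /* Constructed input: 536870913 elements of 8 bytes is 4294967304 bytes,
     * which does not fit in 32 bits and wraps to 8. */
    int32_t nitems = 536870913;
    size_t total = 0;

    printf("unchecked size: %d bytes\n", unchecked_alloc_size(nitems, 8));
    if (!checked_alloc_size(nitems, 8, &total))
        printf("checked: request rejected (overflow or over cap)\n");
    if (checked_alloc_size(1000, 8, &total))
        printf("checked: %zu bytes for 1000 elements\n", total);
    return 0;
}
```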
Checksums-Sha1: 
Checksums-Sha256: 
Files: 
