
Accepted postgresql-13 13.1-1 (source) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 10 Nov 2020 13:45:55 +0100
Source: postgresql-13
Architecture: source
Version: 13.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Closes: 974063
Changes:
 postgresql-13 (13.1-1) unstable; urgency=medium
 .
   * New upstream version.
     + Fixes timetz regression test failures. (Closes: #974063)
 .
     + Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers
       within index expressions and materialized view queries (Noah Misch)
 .
       This is essentially a leak in the security restricted operation sandbox
       mechanism.  An attacker having permission to create non-temporary SQL
       objects could parlay this leak to execute arbitrary SQL code as a
       superuser.
 .
       The PostgreSQL Project thanks Etienne Stalmans for reporting this
       problem. (CVE-2020-25695)
 .
     + Fix usage of complex connection-string parameters in pg_dump,
       pg_restore, clusterdb, reindexdb, and vacuumdb (Tom Lane)
 .
       The -d parameter of pg_dump and pg_restore, or the --maintenance-db
       parameter of the other programs mentioned, can be a connection string
       containing multiple connection parameters rather than just a database
       name.  In cases where these programs need to initiate additional
       connections, such as parallel processing or processing of multiple
       databases, the connection string was forgotten and just the basic
       connection parameters (database name, host, port, and username) were
       used for the additional connections.  This could lead to connection
       failures if the connection string included any other essential
       information, such as non-default SSL or GSS parameters. Worse, the
       connection might succeed but not be encrypted as intended, or be
       vulnerable to man-in-the-middle attacks that the intended connection
       parameters would have prevented. (CVE-2020-25694)
 .
     + When psql's \connect command re-uses connection parameters, ensure that
       all non-overridden parameters from a previous connection string are
       re-used (Tom Lane)
 .
       This avoids cases where reconnection might fail due to omission of
       relevant parameters, such as non-default SSL or GSS options. Worse, the
       reconnection might succeed but not be encrypted as intended, or be
       vulnerable to man-in-the-middle attacks that the intended connection
       parameters would have prevented. This is largely the same problem as
       just cited for pg_dump et al, although psql's behavior is more complex
       since the user may intentionally override some connection parameters.
       (CVE-2020-25694)
 .
     + Prevent psql's \gset command from modifying specially-treated variables
       (Noah Misch)
 .
       \gset without a prefix would overwrite whatever variables the server
       told it to.  Thus, a compromised server could set specially-treated
       variables such as PROMPT1, giving the ability to execute arbitrary shell
       code in the user's session.
 .
       The PostgreSQL Project thanks Nick Cleaton for reporting this problem.
       (CVE-2020-25696)
 .
   * Show only log files on failure.
Checksums-Sha1:
 ea0e5eb60884b345d1629b55a6af2464086fa4a7 3622 postgresql-13_13.1-1.dsc
 3760c704f4d195100a28a983c0bc5331076259ee 21034192 postgresql-13_13.1.orig.tar.bz2
 35e79666e580d59ede3583ca2f9a7e91ef99fbd8 26128 postgresql-13_13.1-1.debian.tar.xz
Checksums-Sha256:
 79c94566c09b7bc8ca47ac69ff93c80eb1d8d32488c5abf6cd01361a4e5716a0 3622 postgresql-13_13.1-1.dsc
 12345c83b89aa29808568977f5200d6da00f88a035517f925293355432ffe61f 21034192 postgresql-13_13.1.orig.tar.bz2
 35871a63aea15adea96efa10def456c8cdc5461d30f80492761c6ca904c9c90c 26128 postgresql-13_13.1-1.debian.tar.xz
Files:
 a27b0445ecfd82ca118974fbe997eda2 3622 database optional postgresql-13_13.1-1.dsc
 d843a4fcc0ed1493511028aa6c17117a 21034192 database optional postgresql-13_13.1.orig.tar.bz2
 f35665cf5df46a80f2ec38873932cb92 26128 database optional postgresql-13_13.1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
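Added example, not PostgreSQL or Debian code, modelling the CVE-2020-25694 parameter loss described in the changelog above: it parses a libpq connection string (keyword=value or URI form), shows the reduced parameter set that pg_dump -j, pg_restore -j, vacuumdb --all and friends reused for their additional connections before 13.1, and flags the SSL/GSS parameters that would be silently dropped. The pre-13.1 behaviour is reconstructed from the changelog wording (only database name, host, port and username were kept), not from the PostgreSQL sources, and the set of parameters treated as security-relevant is the editor's own choice; the changelog names only "non-default SSL or GSS parameters". The sample strings are constructed.

```python
"""Model of the CVE-2020-25694 connection-parameter loss (added example,
not PostgreSQL code).  Reconstructs, from the changelog text, which
parameters pg_dump/pg_restore/vacuumdb before 13.1 carried over to the
extra connections they open, and reports what that drops."""
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: the libpq keywords that decide whether a session is encrypted
# and the peer authenticated.  The changelog names only "non-default SSL or
# GSS parameters"; this list is the editor's choice, not an upstream list.
SECURITY_PARAMS = {
    "sslmode", "sslrootcert", "sslcert", "sslkey", "sslcrl", "sslcrldir",
    "channel_binding", "gssencmode", "krbsrvname", "requirepeer",
}

# What the changelog says the affected tools kept for additional connections.
BASIC_PARAMS = ("dbname", "host", "port", "user")


def parse_conninfo(conninfo):
    """Parse a libpq connection string in keyword=value or URI form."""
    if conninfo.startswith(("postgresql://", "postgres://")):
        return _parse_uri(conninfo)
    return _parse_keywords(conninfo)


def _parse_uri(uri):
    u = urlsplit(uri)
    params = {}
    if u.username:
        params["user"] = unquote(u.username)
    if u.password:
        params["password"] = unquote(u.password)
    if u.hostname:
        params["host"] = u.hostname
    if u.port:
        params["port"] = str(u.port)
    if u.path and u.path != "/":
        params["dbname"] = unquote(u.path[1:])
    params.update(parse_qsl(u.query, keep_blank_values=True))
    return params


def _parse_keywords(s):
    """keyword=value pairs; values may be 'single quoted' with backslash escapes."""
    params, i, n = {}, 0, len(s)
    while i < n:
        while i < n and s[i].isspace():
            i += 1
        if i >= n:
            break
        eq = s.find("=", i)
        if eq < 0:
            raise ValueError(f"missing '=' after {s[i:]!r}")
        key = s[i:eq].strip()
        i = eq + 1
        while i < n and s[i].isspace():
            i += 1
        quoted = i < n and s[i] == "'"
        if quoted:
            i += 1
        val = []
        while i < n and (s[i] != "'" if quoted else not s[i].isspace()):
            if s[i] == "\\" and i + 1 < n:   # \' and \\ inside a value
                i += 1
            val.append(s[i])
            i += 1
        if quoted:
            if i >= n:
                raise ValueError("unterminated quoted value")
            i += 1                            # skip closing quote
        params[key] = "".join(val)
    return params


def legacy_extra_connection(params):
    """Pre-13.1: only the basic parameters reached the worker connections."""
    return {k: v for k, v in params.items() if k in BASIC_PARAMS}


def fixed_extra_connection(params, **overrides):
    """13.1: the whole connection string is reused; only explicit overrides
    (e.g. a different dbname when iterating over --all databases) change."""
    return {**params, **overrides}


def audit(conninfo):
    """Report which security-relevant parameters a pre-13.1 worker would lose."""
    params = parse_conninfo(conninfo)
    worker = legacy_extra_connection(params)
    lost = sorted(k for k in params if k in SECURITY_PARAMS and k not in worker)
    return {"worker_params": worker, "lost": lost, "downgrade_risk": bool(lost)}


# Constructed sample strings, as an operator might pass to pg_dump -j or to
# vacuumdb --all via --maintenance-db.
EXAMPLE_KEYWORDS = (
    "host=db.internal port=5433 dbname=app user=dumper "
    "sslmode=verify-full sslrootcert='/etc/ssl/ca.pem' password='p\\'w'"
)
EXAMPLE_URI = "postgresql://dumper@db.internal:5433/app?sslmode=verify-full&gssencmode=disable"

if __name__ == "__main__":
    for c in (EXAMPLE_KEYWORDS, EXAMPLE_URI):
        r = audit(c)
        print(c)
        print("  pre-13.1 worker would use:", r["worker_params"])
        print("  silently dropped:", r["lost"] or "nothing")
```

When sslmode is dropped, libpq falls back to its default sslmode=prefer, which accepts a cleartext session whenever TLS is not offered, and a dropped sslrootcert removes the server certificate check; that is the "not encrypted as intended, or vulnerable to man-in-the-middle" outcome the changelog warns about. After upgrading, the practical check is to run the parallel or multi-database job and confirm that every backend it opens reports ssl = true in pg_stat_ssl.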
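Added example, not Debian's own tooling (dscverify from devscripts does this for real uploads, after first checking the OpenPGP signature, which is stripped from the copy above): a parser for the Checksums-Sha1, Checksums-Sha256 and Files stanzas of a .changes file, a consistency check that the three stanzas list the same files with the same sizes, and a verifier for downloaded file contents. The postgresql-13 13.1-1 stanzas from this page are embedded verbatim as PAGE_STANZAS; the single-file upload in SAMPLE_CHANGES is constructed so the verifier can be exercised offline.

```python
"""Verify the Checksums-Sha1 / Checksums-Sha256 / Files stanzas of a Debian
.changes file (added example, not Debian tooling)."""
import hashlib

# Stanza name -> (digest algorithm, number of whitespace-separated fields).
# Checksums-* lines are "<digest> <size> <filename>"; Files lines are
# "<md5> <size> <section> <priority> <filename>".
STANZAS = {
    "Checksums-Sha1": ("sha1", 3),
    "Checksums-Sha256": ("sha256", 3),
    "Files": ("md5", 5),
}


def parse_changes(text):
    """Return {filename: {"size": int, "sha1": hex, "sha256": hex, "md5": hex}}.

    Raises ValueError if the stanzas disagree on a file's size or a file is
    missing from one of them; dak rejects such uploads and so should we."""
    entries, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):          # continuation line of a field
            if current is None:
                continue
            algo, nfields = STANZAS[current]
            fields = line.split()
            if len(fields) != nfields:
                raise ValueError(f"malformed {current} line: {line!r}")
            digest, size, name = fields[0].lower(), int(fields[1]), fields[-1]
            ent = entries.setdefault(name, {})
            if ent.get("size", size) != size:
                raise ValueError(f"{name}: size differs between stanzas")
            ent["size"] = size
            ent[algo] = digest
        else:                                 # "Field:" line, possibly with value
            field = line.split(":", 1)[0]
            current = field if field in STANZAS else None
    for name, ent in entries.items():
        for algo, _ in STANZAS.values():
            if algo not in ent:
                raise ValueError(f"{name}: no {algo} digest listed")
    return entries


def stanzas_consistent(text):
    """True if the file parses and its three stanzas agree with each other."""
    try:
        parse_changes(text)
        return True
    except ValueError:
        return False


def verify(entries, contents):
    """Check in-memory file contents against the parsed stanzas.

    contents: {filename: bytes}.  Returns {filename: verdict}.  Size is
    checked first because a length mismatch is the cheapest rejection; then
    every listed digest must match, so a file that still passes md5 but
    fails sha256 is rejected."""
    report = {}
    for name, ent in entries.items():
        data = contents.get(name)
        if data is None:
            report[name] = "missing"
            continue
        if len(data) != ent["size"]:
            report[name] = "size mismatch"
            continue
        bad = [a for a in ("sha256", "sha1", "md5")
               if hashlib.new(a, data).hexdigest() != ent[a]]
        report[name] = "ok" if not bad else "mismatch: " + ",".join(bad)
    return report


# The stanzas of the postgresql-13 13.1-1 upload above, copied verbatim.
PAGE_STANZAS = """\
Checksums-Sha1:
 ea0e5eb60884b345d1629b55a6af2464086fa4a7 3622 postgresql-13_13.1-1.dsc
 3760c704f4d195100a28a983c0bc5331076259ee 21034192 postgresql-13_13.1.orig.tar.bz2
 35e79666e580d59ede3583ca2f9a7e91ef99fbd8 26128 postgresql-13_13.1-1.debian.tar.xz
Checksums-Sha256:
 79c94566c09b7bc8ca47ac69ff93c80eb1d8d32488c5abf6cd01361a4e5716a0 3622 postgresql-13_13.1-1.dsc
 12345c83b89aa29808568977f5200d6da00f88a035517f925293355432ffe61f 21034192 postgresql-13_13.1.orig.tar.bz2
 35871a63aea15adea96efa10def456c8cdc5461d30f80492761c6ca904c9c90c 26128 postgresql-13_13.1-1.debian.tar.xz
Files:
 a27b0445ecfd82ca118974fbe997eda2 3622 database optional postgresql-13_13.1-1.dsc
 d843a4fcc0ed1493511028aa6c17117a 21034192 database optional postgresql-13_13.1.orig.tar.bz2
 f35665cf5df46a80f2ec38873932cb92 26128 database optional postgresql-13_13.1-1.debian.tar.xz
"""

# Constructed single-file upload whose only file is the 6 bytes b"hello\n".
SAMPLE_CHANGES = """\
Format: 1.8
Source: hello
Checksums-Sha1:
 f572d396fae9206628714fb2ce00f72e94f2258f 6 hello_1.0-1.dsc
Checksums-Sha256:
 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 6 hello_1.0-1.dsc
Files:
 b1946ac92492d2347c6235b4d2611184 6 misc optional hello_1.0-1.dsc
"""

if __name__ == "__main__":
    print(verify(parse_changes(SAMPLE_CHANGES), {"hello_1.0-1.dsc": b"hello\n"}))
    print(verify(parse_changes(PAGE_STANZAS), {}))   # nothing downloaded: all "missing"
```

To use it against a real download, read the three files named in the stanzas into the contents dict and require every verdict to be "ok"; the md5 and sha1 columns are legacy and a match on them alone proves nothing, which is why the verifier insists on sha256 as well.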