Accepted postgresql-9.6 9.6.13-0+deb9u1 (source) into proposed-updates->stable-new, proposed-updates



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 07 May 2019 12:51:42 +0200
Source: postgresql-9.6
Architecture: source
Version: 9.6.13-0+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 postgresql-9.6 (9.6.13-0+deb9u1) stretch-security; urgency=medium
 .
   * New upstream version.
     + Prevent row-level security policies from being bypassed via selectivity
       estimators (Dean Rasheed)
 .
       Some of the planner's selectivity estimators apply user-defined
       operators to values found in pg_statistic (e.g., most-common values).
       A leaky operator therefore can disclose some of the entries in a data
       column, even if the calling user lacks permission to read that column.
       In CVE-2017-7484 we added restrictions to forestall that, but we failed
       to consider the effects of row-level security.  A user who has SQL
       permission to read a column, but who is forbidden to see certain rows
       due to RLS policy, might still learn something about those rows'
       contents via a leaky operator.  This patch further tightens the rules,
       allowing leaky operators to be applied to statistics data only when
       there is no relevant RLS policy.  (CVE-2019-10130)
 .
   * Move maintainer address to tracker.
Checksums-Sha1:
 cff919accd48e9a622c4cab2778805c4811a40ad 3698 postgresql-9.6_9.6.13-0+deb9u1.dsc
 32b9bd28f68426a42c596d1fcedeb971401aee88 18767279 postgresql-9.6_9.6.13.orig.tar.bz2
 d8bc38f3b874bfe84792436b08c2946cb6d1d5ab 26952 postgresql-9.6_9.6.13-0+deb9u1.debian.tar.xz
 d3fb43abf21a3500914fb7f9da463a5359bff4f8 8759 postgresql-9.6_9.6.13-0+deb9u1_source.buildinfo
Checksums-Sha256:
 f516ea1c82b220a523cf4bd753a60987a30e214a0f2486473e10f85953f25fe9 3698 postgresql-9.6_9.6.13-0+deb9u1.dsc
 ecbed20056296a65b6a4f5526c477e3ae5cc284cb01a15507785ddb23831e9a4 18767279 postgresql-9.6_9.6.13.orig.tar.bz2
 daa2a1cccd688a205734d0701a58deb2cfad940b3e57f858a44fde70805cd283 26952 postgresql-9.6_9.6.13-0+deb9u1.debian.tar.xz
 3c1addb16aa4eefa4d97363ee17b799b8924c41937264284e22e947ccc56c37b 8759 postgresql-9.6_9.6.13-0+deb9u1_source.buildinfo
Files:
 395945ff0e05402fb4db76f5924eec13 3698 database optional postgresql-9.6_9.6.13-0+deb9u1.dsc
 f361e2ddcd2c31049789ef66f8841de5 18767279 database optional postgresql-9.6_9.6.13.orig.tar.bz2
 8da0e8deaeb74ae4210986dc44c9b0fc 26952 database optional postgresql-9.6_9.6.13-0+deb9u1.debian.tar.xz
 12291aa0e1e2e345fcf92ecbc3ae75c3 8759 database optional postgresql-9.6_9.6.13-0+deb9u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----