Accepted postgresql-9.6 9.6.20-0+deb9u1 (source) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 01 Dec 2020 12:11:51 +0100
Source: postgresql-9.6
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-9.6 postgresql-9.6-dbg postgresql-client-9.6 postgresql-server-dev-9.6 postgresql-doc-9.6 postgresql-contrib-9.6 postgresql-plperl-9.6 postgresql-plpython-9.6 postgresql-plpython3-9.6 postgresql-pltcl-9.6
Architecture: source
Version: 9.6.20-0+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6   - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 9.6
 libpq-dev  - header files for libpq5 (PostgreSQL library)
 libpq5     - PostgreSQL C client library
 postgresql-9.6 - object-relational SQL database, version 9.6 server
 postgresql-9.6-dbg - debug symbols for postgresql-9.6
 postgresql-client-9.6 - front-end programs for PostgreSQL 9.6
 postgresql-contrib-9.6 - additional facilities for PostgreSQL
 postgresql-doc-9.6 - documentation for the PostgreSQL database management system
 postgresql-plperl-9.6 - PL/Perl procedural language for PostgreSQL 9.6
 postgresql-plpython-9.6 - PL/Python procedural language for PostgreSQL 9.6
 postgresql-plpython3-9.6 - PL/Python 3 procedural language for PostgreSQL 9.6
 postgresql-pltcl-9.6 - PL/Tcl procedural language for PostgreSQL 9.6
 postgresql-server-dev-9.6 - development files for PostgreSQL 9.6 server-side programming
Closes: 974063
Changes:
 postgresql-9.6 (9.6.20-0+deb9u1) stretch-security; urgency=medium
 .
   * New upstream version.
     + Fixes timetz regression test failures. (Closes: #974063)
 .
     + Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers
       within index expressions and materialized view queries (Noah Misch)
 .
       This is essentially a leak in the security restricted operation sandbox
       mechanism.  An attacker having permission to create non-temporary SQL
       objects could parlay this leak to execute arbitrary SQL code as a
       superuser.
 .
       The PostgreSQL Project thanks Etienne Stalmans for reporting this
       problem. (CVE-2020-25695)
 .
     + Fix usage of complex connection-string parameters in pg_dump,
       pg_restore, clusterdb, reindexdb, and vacuumdb (Tom Lane)
 .
       The -d parameter of pg_dump and pg_restore, or the --maintenance-db
       parameter of the other programs mentioned, can be a connection string
       containing multiple connection parameters rather than just a database
       name.  In cases where these programs need to initiate additional
       connections, such as parallel processing or processing of multiple
       databases, the connection string was forgotten and just the basic
       connection parameters (database name, host, port, and username) were
       used for the additional connections.  This could lead to connection
       failures if the connection string included any other essential
       information, such as non-default SSL or GSS parameters. Worse, the
       connection might succeed but not be encrypted as intended, or be
       vulnerable to man-in-the-middle attacks that the intended connection
       parameters would have prevented. (CVE-2020-25694)
 .
     + When psql's \connect command re-uses connection parameters, ensure that
       all non-overridden parameters from a previous connection string are
       re-used (Tom Lane)
 .
       This avoids cases where reconnection might fail due to omission of
       relevant parameters, such as non-default SSL or GSS options. Worse, the
       reconnection might succeed but not be encrypted as intended, or be
       vulnerable to man-in-the-middle attacks that the intended connection
       parameters would have prevented. This is largely the same problem as
       just cited for pg_dump et al, although psql's behavior is more complex
       since the user may intentionally override some connection parameters.
       (CVE-2020-25694)
 .
     + Prevent psql's \gset command from modifying specially-treated variables
       (Noah Misch)
 .
       \gset without a prefix would overwrite whatever variables the server
       told it to.  Thus, a compromised server could set specially-treated
       variables such as PROMPT1, giving the ability to execute arbitrary shell
       code in the user's session.
 .
       The PostgreSQL Project thanks Nick Cleaton for reporting this problem.
       (CVE-2020-25696)
Checksums-Sha1:
 4f02f68591ef4abb7486a401b7d43dc50026bb61 3701 postgresql-9.6_9.6.20-0+deb9u1.dsc
 13aa206da020a550e56dbf524ca227bc2191fa48 18944478 postgresql-9.6_9.6.20.orig.tar.bz2
 85a1c2e144c990100bcec3219c81f389cf465a8e 177896 postgresql-9.6_9.6.20-0+deb9u1.debian.tar.xz
Checksums-Sha256:
 587f13783bf63e7d02d7753014f2fed9107e6027c49dfa82bcb9f9b56353455a 3701 postgresql-9.6_9.6.20-0+deb9u1.dsc
 3d08cba409d45ab62d42b24431a0d55e7537bcd1db2d979f5f2eefe34d487bb6 18944478 postgresql-9.6_9.6.20.orig.tar.bz2
 e2284c1def58fc13f2a4fde2d105beec80c4d71dc94aee262b99d858a04b5d32 177896 postgresql-9.6_9.6.20-0+deb9u1.debian.tar.xz
Files:
 4acac74202fb195e07769bc4f2f81449 3701 database optional postgresql-9.6_9.6.20-0+deb9u1.dsc
 652f2c5eb1a3b0368000717a0e7c36f0 18944478 database optional postgresql-9.6_9.6.20.orig.tar.bz2
 0e0689f8fe3df6a3da133de0fc572c0c 177896 database optional postgresql-9.6_9.6.20-0+deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAl/GLKUACgkQTFprqxLS
p67ejA//ZEW8tv487vxhpZDnS8hdDakIc49DT71s9WaorbyChy67/LnKx5JfVvJo
9FG7YHgciFzw+pLUnaNv19N6iP81RSNiNUeYFhllkdTNLqqxrgP5nw3abZWece9v
K15FYyR0e+U+9rW0gCbnrvRJfrIj9agFoxW6Wo+raZQJb3bUOR+d0tiTAkIlYNFK
vsmvqs1oykrwg2ctDWPk7wG2bxQUeMuMoJC5D0dBkEaqy64dLbBweLMnU17lcUHh
bMwCRP/q78NfCvpAwo8GpfZ5/SqOR5LhNZN+OnlHwAOPq9ElPFAnfkCn+38Tk781
sDpFnJw3rFHUen6SSjZ9uvoSYnBYtx3bq9txlmSfqd7QL7eQtCp9PpaouSqiX+71
J9Oa+p+H7/JgPAqNa7jMMO0w8WgboL+OB/w3hKqaGSwA4ws9CvuHILLfvdQ31hTI
RimdYk6qZUdn5xwHOdZwhdVg0BUDlDG7zUXSOHIHOZ5ePcagPF6rvd6+xjU11ehs
Ip2Xec/o8GjpqkNJkbBLCyarMFAv+tFkEjUoYDZHWrW90Pp9dtVxqQ7tb5mPbZj2
lxVIDtHkkInPE6M53ym2hHk8TP46YQnHqHQtOTtg5yWbOqMSyZnoXqmdbgI26Zej
Elk3oAiFoBvXdsX327p1+FVy61iGVxOorOLpwb4oU2hJR4RuKNY=
=Guus
-----END PGP SIGNATURE-----