Accepted postgresql-9.6 9.6.24-0+deb9u1 (source) into oldoldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 12 Nov 2021 08:56:48 +0100
Source: postgresql-9.6
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-9.6 postgresql-9.6-dbg postgresql-client-9.6 postgresql-server-dev-9.6 postgresql-doc-9.6 postgresql-contrib-9.6 postgresql-plperl-9.6 postgresql-plpython-9.6 postgresql-plpython3-9.6 postgresql-pltcl-9.6
Architecture: source
Version: 9.6.24-0+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Description:
libecpg-compat3 - older version of run-time library for ECPG programs
libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
libecpg6 - run-time library for ECPG programs
libpgtypes3 - shared library libpgtypes for PostgreSQL 9.6
libpq-dev - header files for libpq5 (PostgreSQL library)
libpq5 - PostgreSQL C client library
postgresql-9.6 - object-relational SQL database, version 9.6 server
postgresql-9.6-dbg - debug symbols for postgresql-9.6
postgresql-client-9.6 - front-end programs for PostgreSQL 9.6
postgresql-contrib-9.6 - additional facilities for PostgreSQL
postgresql-doc-9.6 - documentation for the PostgreSQL database management system
postgresql-plperl-9.6 - PL/Perl procedural language for PostgreSQL 9.6
postgresql-plpython-9.6 - PL/Python procedural language for PostgreSQL 9.6
postgresql-plpython3-9.6 - PL/Python 3 procedural language for PostgreSQL 9.6
postgresql-pltcl-9.6 - PL/Tcl procedural language for PostgreSQL 9.6
postgresql-server-dev-9.6 - development files for PostgreSQL 9.6 server-side programming
Changes:
postgresql-9.6 (9.6.24-0+deb9u1) stretch-security; urgency=medium
.
* New upstream release.
.
+ Make the server and libpq reject extraneous data after an SSL or GSS
encryption handshake (Tom Lane)
.
A man-in-the-middle with the ability to inject data into the TCP
connection could stuff some cleartext data into the start of a
supposedly encryption-protected database session.
.
This could be abused to send faked SQL commands to the server, although
that would only work if the server did not demand any authentication
data. (However, a server relying on SSL certificate authentication
might well not do so.) (CVE-2021-23214)
.
This could probably be abused to inject faked responses to the client's
first few queries, although other details of libpq's behavior make that
harder than it sounds. A different line of attack is to exfiltrate the
client's password, or other sensitive data that might be sent early in
the session. That has been shown to be possible with a server
vulnerable to CVE-2021-23214. (CVE-2021-23222)
.
The PostgreSQL Project thanks Jacob Champion for reporting these
problems.
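The two fixes above come down to one check on each side of the SSLRequest exchange: after the client's 8-byte SSLRequest, and after the server's one-byte 'S' answer, nothing else may already be sitting in the receive buffer, because those bytes arrived in cleartext yet would be consumed as the first bytes of the "encrypted" session. The following is an added example, not code from the Debian changelog or from the PostgreSQL source tree: a small Python model of that startup exchange with the pre-fix and fixed server behaviour side by side, plus the matching libpq-side check. The injected Query message and the stand-in "decrypted" bytes are constructed sample data; the function and exception names are this example's own.

```python
# Added example (not from the Debian changelog or the PostgreSQL source): a
# minimal model of the PostgreSQL SSLRequest startup exchange showing why
# cleartext bytes that arrive together with the SSLRequest (or with the
# server's 'S' answer) must be rejected, as 9.6.24 now does.
import struct

# Wire-protocol constants (PostgreSQL frontend/backend protocol v3).
SSL_REQUEST_CODE = (1234 << 16) | 5679                 # 80877103
SSL_REQUEST = struct.pack("!ii", 8, SSL_REQUEST_CODE)  # length field counts itself


class RejectedStartup(Exception):
    """Raised where the server or libpq aborts the connection attempt."""


def query_message(sql: str) -> bytes:
    """Encode a simple-protocol Query ('Q') message: tag, int32 length
    (including itself), NUL-terminated SQL. Used only to build the
    constructed injected payload below."""
    body = sql.encode() + b"\x00"
    return b"Q" + struct.pack("!i", len(body) + 4) + body


def split_ssl_request(buf: bytes) -> bytes:
    """Validate the 8-byte SSLRequest at the head of buf and return whatever
    follows it. In a real server those trailing bytes are already sitting in
    the receive buffer when the TLS handshake starts."""
    if len(buf) < 8:
        raise RejectedStartup("incomplete startup packet")
    length, code = struct.unpack("!ii", buf[:8])
    if length != 8 or code != SSL_REQUEST_CODE:
        raise RejectedStartup("not an SSLRequest")
    return buf[8:]


def server_session_data_vulnerable(initial: bytes, decrypted: bytes) -> bytes:
    """Pre-fix behaviour, simplified: leftover cleartext stays buffered and is
    read ahead of the first genuinely decrypted bytes, so a MITM-injected
    Query message is processed as if the client had sent it over TLS."""
    leftover = split_ssl_request(initial)
    # 'S' is sent and the TLS handshake runs here (not modelled).
    return leftover + decrypted


def server_session_data_fixed(initial: bytes, decrypted: bytes) -> bytes:
    """9.6.24 behaviour: anything buffered after the SSLRequest aborts."""
    leftover = split_ssl_request(initial)
    if leftover:
        raise RejectedStartup("received unencrypted data after SSL request")
    return decrypted


def client_after_ssl_response(buf: bytes, fixed: bool = True) -> bytes:
    """libpq side: buf is everything read after sending SSLRequest. The
    server's answer is a single byte; with the fix, any extra bytes abort,
    since they would otherwise be taken for the first server messages of
    the encrypted session."""
    if not buf:
        raise RejectedStartup("server closed the connection")
    answer, rest = buf[:1], buf[1:]
    if answer not in (b"S", b"N"):
        raise RejectedStartup("unexpected response to SSLRequest")
    if answer == b"N":
        # Real libpq falls back or fails depending on sslmode; not modelled.
        raise RejectedStartup("server refused SSL")
    if fixed and rest:
        raise RejectedStartup("received unencrypted data after SSL response")
    return rest


def aborts(fn, *args) -> bool:
    """True if fn(*args) raises RejectedStartup (demonstration helper)."""
    try:
        fn(*args)
    except RejectedStartup:
        return True
    return False


# Constructed sample: the client's SSLRequest with an attacker's cleartext
# Query appended in the same TCP stream, and stand-in bytes for what the real
# TLS session later decrypts to.
INJECTED = query_message("SELECT 1")
DECRYPTED = b"<real startup message>"

if __name__ == "__main__":
    seen = server_session_data_vulnerable(SSL_REQUEST + INJECTED, DECRYPTED)
    print("vulnerable server reads injected Query first:", seen.startswith(INJECTED))
    print("fixed server aborts:", aborts(server_session_data_fixed, SSL_REQUEST + INJECTED, DECRYPTED))
    print("fixed libpq aborts on 'S' + junk:", aborts(client_after_ssl_response, b"S" + INJECTED))
```

The model deliberately leaves the TLS handshake out: the point is that the check belongs before the socket is handed to the TLS layer, on the bytes that were already read in cleartext, which is exactly where the 9.6.24 server and libpq now abort. The GSS encryption path has the same shape (a GSSENCRequest in place of the SSLRequest) and received the same check.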
Checksums-Sha1:
b77b0b454e43be85c1d8854523992ecef0301ebe 3698 postgresql-9.6_9.6.24-0+deb9u1.dsc
4a329b3bc5e88dccd37cf75955b6f7d5786890af 19047518 postgresql-9.6_9.6.24.orig.tar.bz2
8b92f1c5ff1ad828e444f514aedd106e186d4ec9 32204 postgresql-9.6_9.6.24-0+deb9u1.debian.tar.xz
Checksums-Sha256:
5988758af14615a894d06843538e78aac2ce5c0727a7007de3b6c57e856f68df 3698 postgresql-9.6_9.6.24-0+deb9u1.dsc
aeb7a196be3ebed1a7476ef565f39722187c108dd47da7489be9c4fcae982ace 19047518 postgresql-9.6_9.6.24.orig.tar.bz2
c2952906f297b67d401cd782a821b64af139941801b77abcf1f7c3fce5876977 32204 postgresql-9.6_9.6.24-0+deb9u1.debian.tar.xz
Files:
900e4fa1481fe205321a530bd979b59f 3698 database optional postgresql-9.6_9.6.24-0+deb9u1.dsc
132c726216a0e4b8540fcf974d25dc06 19047518 database optional postgresql-9.6_9.6.24.orig.tar.bz2
d5bb8dbe15c717e6a45ac3482cf15031 32204 database optional postgresql-9.6_9.6.24-0+deb9u1.debian.tar.xz
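Before building or deploying from these sources, the Checksums-Sha256 stanza is what to verify the downloaded files against; the MD5 digests in Files: are legacy and not a security control, and the PGP signature on the announcement must be checked separately (for example with gpg --verify against the Debian keyring). The following is an added example, not part of the Debian announcement: a Python verifier that parses the Checksums-Sha256 stanza and reports, per file, whether it is missing, truncated, or has a mismatching digest. The excerpt embedded in the code is copied from the stanza above; the demo file and its tampering are constructed.

```python
# Added example (not part of the Debian announcement): parse the
# Checksums-Sha256 stanza of a .changes file and verify downloaded source
# artifacts against it. Signature verification is a separate step.
import hashlib
import os
import re
import tempfile

# Excerpt of the stanza above, embedded so the parser runs offline. The
# trailing Files: line shows that the parser stops at the next field.
CHANGES_EXCERPT = """\
Checksums-Sha256:
 5988758af14615a894d06843538e78aac2ce5c0727a7007de3b6c57e856f68df 3698 postgresql-9.6_9.6.24-0+deb9u1.dsc
 aeb7a196be3ebed1a7476ef565f39722187c108dd47da7489be9c4fcae982ace 19047518 postgresql-9.6_9.6.24.orig.tar.bz2
 c2952906f297b67d401cd782a821b64af139941801b77abcf1f7c3fce5876977 32204 postgresql-9.6_9.6.24-0+deb9u1.debian.tar.xz
Files:
 900e4fa1481fe205321a530bd979b59f 3698 database optional postgresql-9.6_9.6.24-0+deb9u1.dsc
"""

# One continuation line: 64 hex chars, decimal size, file name. Leading
# whitespace is optional so text copied from a web page also parses.
_ENTRY = re.compile(r"^\s*([0-9a-f]{64})\s+(\d+)\s+(\S+)\s*$")


def parse_sha256_stanza(text: str) -> dict:
    """Return {filename: (size, sha256)} from the Checksums-Sha256 field."""
    entries = {}
    in_stanza = False
    for line in text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_stanza = True
            continue
        if in_stanza:
            m = _ENTRY.match(line)
            if not m:
                break  # next field (e.g. "Files:") ends the stanza
            digest, size, name = m.groups()
            entries[name] = (int(size), digest)
    return entries


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large tarballs are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(entries: dict, directory: str) -> dict:
    """Return {filename: status}, status in {'ok', 'missing', 'size', 'sha256'}.
    Size is checked before hashing so a truncated download is named as such."""
    report = {}
    for name, (size, digest) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif os.path.getsize(path) != size:
            report[name] = "size"
        elif sha256_of(path) != digest:
            report[name] = "sha256"
        else:
            report[name] = "ok"
    return report


def demo() -> dict:
    """Constructed demonstration: write a throwaway file, build a matching
    stanza for it, verify, then flip one byte (same length) and verify again.
    Returns {'clean': status, 'tampered': status}."""
    with tempfile.TemporaryDirectory() as d:
        name = "constructed_example.tar"
        data = b"not a real tarball, just constructed sample bytes\n"
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(data)
        stanza = "Checksums-Sha256:\n %s %d %s\n" % (
            hashlib.sha256(data).hexdigest(), len(data), name)
        entries = parse_sha256_stanza(stanza)
        clean = verify_files(entries, d)[name]
        with open(path, "r+b") as f:
            f.write(b"N")  # 'n' -> 'N': size unchanged, digest changes
        tampered = verify_files(entries, d)[name]
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(parse_sha256_stanza(CHANGES_EXCERPT))
    print(demo())
```

Run it against a directory holding the three files named above and anything other than 'ok' in the report means the artifact should not be used. A matching digest only ties the file to this announcement; trust in the announcement itself rests on its signature.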
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----