Publishing details
Changelog
postgresql-10 (10.3-1) unstable; urgency=medium
* New upstream version.
If you run an installation in which not all users are mutually
trusting, or if you maintain an application or extension that is
intended for use in arbitrary situations, it is strongly recommended
that you read the documentation changes described in the first changelog
entry below, and take suitable steps to ensure that your installation or
code is secure.
Also, the changes described in the second changelog entry below may
cause functions used in index expressions or materialized views to fail
during auto-analyze, or when reloading from a dump. After upgrading,
monitor the server logs for such problems, and fix affected functions.
+ Document how to configure installations and applications to guard
against search-path-dependent trojan-horse attacks from other users
Using a search_path setting that includes any schemas writable by a
hostile user enables that user to capture control of queries and then
run arbitrary SQL code with the permissions of the attacked user. While
it is possible to write queries that are proof against such hijacking,
it is notationally tedious, and it's very easy to overlook holes.
Therefore, we now recommend configurations in which no untrusted schemas
appear in one's search path.
(CVE-2018-1058)
+ Avoid use of insecure search_path settings in pg_dump and other client
programs
pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications
were themselves vulnerable to the type of hijacking described in the
previous changelog entry; since these applications are commonly run by
superusers, they present particularly attractive targets. To make them
secure whether or not the installation as a whole has been secured,
modify them to include only the pg_catalog schema in their search_path
settings. Autovacuum worker processes now do the same, as well.
In cases where user-provided functions are indirectly executed by these
programs -- for example, user-provided functions in index expressions --
the tighter search_path may result in errors, which will need to be
corrected by adjusting those user-provided functions to not assume
anything about what search path they are invoked under. That has always
been good practice, but now it will be necessary for correct behavior.
(CVE-2018-1058)
-- Christoph Berg <email address hidden> Tue, 27 Feb 2018 12:54:34 +0100
Builds
Built packages
-
libecpg-compat3
older version of run-time library for ECPG programs
-
libecpg-compat3-dbgsym
debug symbols for libecpg-compat3
-
libecpg-dev
development files for ECPG (Embedded PostgreSQL for C)
-
libecpg-dev-dbgsym
debug symbols for libecpg-dev
-
libecpg6
run-time library for ECPG programs
-
libecpg6-dbgsym
debug symbols for libecpg6
-
libpgtypes3
shared library libpgtypes for PostgreSQL 10
-
libpgtypes3-dbgsym
debug symbols for libpgtypes3
-
libpq-dev
header files for libpq5 (PostgreSQL library)
-
libpq5
PostgreSQL C client library
-
libpq5-dbgsym
debug symbols for libpq5
-
postgresql-10
object-relational SQL database, version 10 server
-
postgresql-10-dbgsym
debug symbols for postgresql-10
-
postgresql-client-10
front-end programs for PostgreSQL 10
-
postgresql-client-10-dbgsym
debug symbols for postgresql-client-10
-
postgresql-doc-10
documentation for the PostgreSQL database management system
-
postgresql-plperl-10
PL/Perl procedural language for PostgreSQL 10
-
postgresql-plperl-10-dbgsym
debug symbols for postgresql-plperl-10
-
postgresql-plpython-10
PL/Python procedural language for PostgreSQL 10
-
postgresql-plpython-10-dbgsym
debug symbols for postgresql-plpython-10
-
postgresql-plpython3-10
PL/Python 3 procedural language for PostgreSQL 10
-
postgresql-plpython3-10-dbgsym
debug symbols for postgresql-plpython3-10
-
postgresql-pltcl-10
PL/Tcl procedural language for PostgreSQL 10
-
postgresql-pltcl-10-dbgsym
debug symbols for postgresql-pltcl-10
-
postgresql-server-dev-10
development files for PostgreSQL 10 server-side programming
-
postgresql-server-dev-10-dbgsym
debug symbols for postgresql-server-dev-10
Package files