postgresql-11 (11.7-0ubuntu0.19.10.1) eoan-security; urgency=medium

  * New upstream release (LP: #1863108)
    - A dump/restore is not required. However, if you use the contrib/intarray
      extension with a GiST index, and you rely on indexed searches for the <@
      operator, see the release notes for details in regard to a related fix.
    - Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION.
      Marking an object as dependent on an extension did not have any
      privilege check whatsoever. This oversight allowed any user to mark
      routines, triggers, materialized views, or indexes as droppable by
      anyone able to drop an extension. Require that the calling user own the
      specified object (and hence have privilege to drop it). (CVE-2020-1720)
    - Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/11/static/release-11-6.html
      https://www.postgresql.org/docs/11/static/release-11-7.html

 -- Christian Ehrhardt <email address hidden>  Thu, 13 Feb 2020 15:18:24 +0100
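As an added illustration of the ALTER ... DEPENDS ON EXTENSION check described in the entry above (SQL written for this page, not code from the Debian package or the PostgreSQL project): it ties a constructed helper function to the intarray extension mentioned in the same entry, and then lists every object whose lifetime has been bound to an extension that way. It assumes a PostgreSQL 11.7 or later server on which contrib/intarray can be installed; the function name app_normalize is constructed.

```sql
-- Added example, not from the changelog or the PostgreSQL project.
-- Assumes PostgreSQL >= 11.7 with contrib available; names are constructed.

CREATE EXTENSION IF NOT EXISTS intarray;

-- A constructed helper routine, owned by the role running this script,
-- that only makes sense while intarray's sort()/uniq() exist.
CREATE FUNCTION app_normalize(int[]) RETURNS int[]
    LANGUAGE sql IMMUTABLE AS $$ SELECT uniq(sort($1)) $$;

-- Tie the helper's lifetime to the extension: DROP EXTENSION intarray will
-- now drop app_normalize as well, even without CASCADE. Since 11.7 this
-- statement is refused unless the caller owns app_normalize (or is a
-- superuser); before the fix any role could issue it against any routine,
-- trigger, materialized view or index.
ALTER FUNCTION app_normalize(int[]) DEPENDS ON EXTENSION intarray;

-- Audit check: every object marked this way carries a pg_depend row of
-- deptype 'x' (auto extension dependency) pointing at the extension.
SELECT pg_describe_object(d.classid, d.objid, d.objsubid) AS dependent_object,
       e.extname                                            AS extension
FROM pg_depend d
JOIN pg_extension e
  ON d.refclassid = 'pg_extension'::regclass
 AND d.refobjid   = e.oid
WHERE d.deptype = 'x'
ORDER BY extension, dependent_object;
```

The fix only guards new markings; rows created before the upgrade remain, so the audit query is worth running once as a superuser after updating, and any object listed there that its owner would not normally be allowed to drop deserves a second look.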

postgresql-11 (11.5-1) unstable; urgency=medium

  * New upstream version.
    + Fixes regression in ALTER TABLE on multiple columns. (Closes: #932247)
    + No longer picks "UCT" as timezone spelling. (Closes: #929953)
    + Require schema qualification to cast to a temporary type when using
      functional cast syntax (Noah Misch)
      We have long required invocations of temporary functions to explicitly
      specify the temporary schema, that is pg_temp.func_name(args). Require
      this as well for casting to temporary types using functional notation,
      for example pg_temp.type_name(arg). Otherwise it's possible to capture a
      function call using a temporary object, allowing privilege escalation in
      much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)
    + Fix execution of hashed subplans that require cross-type comparison
      (Tom Lane, Andreas Seltenreich)
      Hashed subplans used the outer query's original comparison operator to
      compare entries of the hash table. This is the wrong thing if that
      operator is cross-type, since all the hash table entries will be of the
      subquery's output type. For the set of hashable cross-type operators in
      core PostgreSQL, this mistake seems nearly harmless on 64-bit machines,
      but it can result in crashes or perhaps unauthorized disclosure of
      server memory on 32-bit machines. Extensions might provide hashable
      cross-type operators that create larger risks. (CVE-2019-10209)
  * debian/pycompat: Obsolete, remove.
  * debian/patches: Add missing patch documentation.
  * debian/rules: Use /usr/share/dpkg/pkg-info.mk and vendor.mk for
    --with-extra-version.
  * debian/*.symbols: Add Build-Depends-Package information.
  * debian/tests: Also run regression tests.
  * debian/tests/control: Add fakeroot to dependencies.

 -- Christoph Berg <email address hidden>  Wed, 07 Aug 2019 11:36:28 +0200
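To make the rule described for CVE-2019-10208 in the entry above concrete, here is an added example (SQL written for this page, not from the Debian package or the PostgreSQL project) that creates a temporary enum type and exercises the three ways of casting to it. It assumes a PostgreSQL 11.5 or later session; the type name traffic_light and its values are constructed.

```sql
-- Added example, not from the changelog or the PostgreSQL project.
-- Assumes PostgreSQL >= 11.5; the type and its values are constructed.

-- A type created in the session's temporary schema; it disappears at
-- session end, like a temporary table.
CREATE TYPE pg_temp.traffic_light AS ENUM ('red', 'amber', 'green');

-- 1. Cast syntax: the temporary schema is searched for type names, so this
--    resolves to pg_temp.traffic_light and works as before.
SELECT 'red'::traffic_light;

-- 2. Functional cast syntax, explicitly qualified: works on every version
--    and is the form the 11.5 change requires for temporary types, matching
--    the long-standing rule for pg_temp.func_name(args).
SELECT pg_temp.traffic_light('amber');

-- 3. Functional cast syntax, unqualified: on 11.5 and later the parser no
--    longer treats an unqualified function call as a cast to a temporary
--    type, so this statement is rejected with a "function does not exist"
--    error instead of silently binding to whatever pg_temp currently holds.
SELECT traffic_light('green');
```

For application code the practical consequence is that any functional-notation cast to a temporary type needs the pg_temp. prefix once the server is upgraded; the :: cast syntax and casts to permanent types are unaffected.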

postgresql-11 (11.4-1.1~ubuntu1) eoan; urgency=medium

  * Remove sticky bit of /tmp for autopkgtests and mark test as breaks-testbed
    This fixes tests with systemd 242

 -- Balint Reczey <email address hidden>  Tue, 30 Jul 2019 23:26:31 +0200

postgresql-11 (11.4-1.1~build1) eoan; urgency=medium

  * Upload to Ubuntu, make it autosyncable again.
    - the fakeroot fix has been uploaded in postgresql-common

 -- Gianfranco Costamagna <email address hidden>  Fri, 12 Jul 2019 15:18:23 +0200

postgresql-11 (11.4-1ubuntu1) eoan; urgency=medium

  * Add fakeroot to test dependencies, required by new postgresql-common
    package (this has been discussed on debian-devel irc channel)

 -- Gianfranco Costamagna <email address hidden>  Sat, 06 Jul 2019 11:46:51 +0200

postgresql-11 (11.4-1) unstable; urgency=medium

  * New upstream version.
    + Fix buffer-overflow hazards in SCRAM verifier parsing
      (Jonathan Katz, Heikki Linnakangas, Michael Paquier)
      Any authenticated user could cause a stack-based buffer overflow by
      changing their own password to a purpose-crafted value. In addition to
      the ability to crash the PostgreSQL server, this could suffice for
      executing arbitrary code as the PostgreSQL operating system account.
      A similar overflow hazard existed in libpq, which could allow a rogue
      server to crash a client or perhaps execute arbitrary code as the
      client's operating system account.
      The PostgreSQL Project thanks Alexander Lakhin for reporting this
      problem. (CVE-2019-10164)

 -- Christoph Berg <email address hidden>  Tue, 18 Jun 2019 11:03:14 +0200

postgresql-11 (11.3-1) unstable; urgency=medium

  * New upstream version.
    + Prevent row-level security policies from being bypassed via selectivity
      estimators (Dean Rasheed)
      Some of the planner's selectivity estimators apply user-defined
      operators to values found in pg_statistic (e.g., most-common values).
      A leaky operator therefore can disclose some of the entries in a data
      column, even if the calling user lacks permission to read that column.
      In CVE-2017-7484 we added restrictions to forestall that, but we failed
      to consider the effects of row-level security. A user who has SQL
      permission to read a column, but who is forbidden to see certain rows
      due to RLS policy, might still learn something about those rows'
      contents via a leaky operator. This patch further tightens the rules,
      allowing leaky operators to be applied to statistics data only when
      there is no relevant RLS policy. (CVE-2019-10130)
    + Avoid access to already-freed memory during partition routing error
      reports (Michael Paquier)
      This mistake could lead to a crash, and in principle it might be
      possible to use it to disclose server memory contents. (CVE-2019-10129)

 -- Christoph Berg <email address hidden>  Tue, 07 May 2019 12:04:34 +0200
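The CVE-2019-10130 item above turns on whether an operator is leakproof. The added SQL below (written for this page, not code from the Debian package or the PostgreSQL project) sets up a constructed table protected by a row-level security policy and then reads the leakproof flag of the text operators a policy-restricted user is likely to apply, which is what now decides whether the planner may evaluate them over pg_statistic on that user's behalf. It assumes a PostgreSQL 11.3 or later server and a role allowed to create roles; the table patients, the role ward_nurse and the setting app.current_ward are all constructed.

```sql
-- Added example, not from the changelog or the PostgreSQL project.
-- Assumes PostgreSQL >= 11.3; table, role and setting names are constructed.

CREATE TABLE patients (
    id        int  PRIMARY KEY,
    ward      text NOT NULL,
    diagnosis text NOT NULL
);
INSERT INTO patients VALUES            -- constructed sample rows
    (1, 'north', 'influenza'),
    (2, 'north', 'fracture'),
    (3, 'south', 'influenza');
ALTER TABLE patients ENABLE ROW LEVEL SECURITY;

CREATE ROLE ward_nurse;
GRANT SELECT ON patients TO ward_nurse;

-- ward_nurse may read every column, but only rows of its own ward; the ward
-- comes from a constructed per-session setting (app.current_ward).
CREATE POLICY own_ward ON patients FOR SELECT TO ward_nurse
    USING (ward = current_setting('app.current_ward', true));

ANALYZE patients;   -- fills pg_statistic (most-common values, histogram)

-- The planner estimates selectivity by applying the query's operator to
-- pg_statistic entries. Since 11.3 it does so for a user restricted by an
-- RLS policy only when the operator's implementing function is marked
-- LEAKPROOF, i.e. cannot reveal its inputs through errors or messages.
-- This lists that flag for common text operators.
SELECT o.oprname,
       o.oprleft::regtype  AS left_type,
       o.oprright::regtype AS right_type,
       p.proname           AS implementing_function,
       p.proleakproof
FROM pg_operator o
JOIN pg_proc p ON p.oid = o.oprcode
WHERE o.oprleft  = 'text'::regtype
  AND o.oprright = 'text'::regtype
  AND o.oprname IN ('=', '<>', '<', '~~', '~', '~*')
ORDER BY o.oprname;
```

On a stock installation the comparison operators (=, <>, <) are leakproof while LIKE (~~) and the regular-expression operators (~, ~*) are not, so with the fix an estimate for a predicate such as diagnosis ~~ '%flu%' issued by ward_nurse no longer consults the column's most-common values, which may include rows of other wards. The same catalog check is useful when reviewing extension-provided operators, and it is a reason to be conservative with the LEAKPROOF attribute: only a superuser can set it, and the planner trusts it unconditionally.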

postgresql-11 (11.2-2) unstable; urgency=medium

  * Allow overriding the startup command suggested by initdb.
    (See: #872660)

 -- Christoph Berg <email address hidden>  Fri, 01 Mar 2019 18:59:15 +0100

postgresql-11 (11.2-1) unstable; urgency=medium

  * New upstream version.
  * Add Breaks on modules needing recompilation against heap_getattr().
  * Debconf translations:
    + ru by Lev Lamberov. (Closes: #920893)
    + nl by Frans Spiesschaert. (Closes: #921090)
    + fr by Jean-Pierre Giraud. (Closes: #920499)
    + pt_BR by Adriano Rafael Gomes. (Closes: #920541)
  * Update PostgreSQL Maintainers address.

 -- Christoph Berg <email address hidden>  Wed, 30 Jan 2019 13:23:14 +0100