Mapping stretch to stable. Mapping stable to proposed-updates. Accepted:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Tue, 27 Feb 2018 13:14:39 +0100 Source: postgresql-9.6 Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-9.6 postgresql-9.6-dbg postgresql-client-9.6 postgresql-server-dev-9.6 postgresql-doc-9.6 postgresql-contrib-9.6 postgresql-plperl-9.6 postgresql-plpython-9.6 postgresql-plpython3-9.6 postgresql-pltcl-9.6 Architecture: source Version: 9.6.8-0+deb9u1 Distribution: stretch Urgency: medium Maintainer: Debian PostgreSQL Maintainers <pkg-postgresql-public@lists.alioth.debian.org> Changed-By: Christoph Berg <christoph.b...@credativ.de> Description: libecpg-compat3 - older version of run-time library for ECPG programs libecpg-dev - development files for ECPG (Embedded PostgreSQL for C) libecpg6 - run-time library for ECPG programs libpgtypes3 - shared library libpgtypes for PostgreSQL 9.6 libpq-dev - header files for libpq5 (PostgreSQL library) libpq5 - PostgreSQL C client library postgresql-9.6 - object-relational SQL database, version 9.6 server postgresql-9.6-dbg - debug symbols for postgresql-9.6 postgresql-client-9.6 - front-end programs for PostgreSQL 9.6 postgresql-contrib-9.6 - additional facilities for PostgreSQL postgresql-doc-9.6 - documentation for the PostgreSQL database management system postgresql-plperl-9.6 - PL/Perl procedural language for PostgreSQL 9.6 postgresql-plpython-9.6 - PL/Python procedural language for PostgreSQL 9.6 postgresql-plpython3-9.6 - PL/Python 3 procedural language for PostgreSQL 9.6 postgresql-pltcl-9.6 - PL/Tcl procedural language for PostgreSQL 9.6 postgresql-server-dev-9.6 - development files for PostgreSQL 9.6 server-side programming Changes: postgresql-9.6 (9.6.8-0+deb9u1) stretch; urgency=medium . * New upstream version. . If you run an installation in which not all users are mutually trusting, or if you maintain an application or extension that is intended for use in arbitrary situations, it is strongly recommended that you read the documentation changes described in the first changelog entry below, and take suitable steps to ensure that your installation or code is secure. . Also, the changes described in the second changelog entry below may cause functions used in index expressions or materialized views to fail during auto-analyze, or when reloading from a dump. After upgrading, monitor the server logs for such problems, and fix affected functions. . + Document how to configure installations and applications to guard against search-path-dependent trojan-horse attacks from other users . Using a search_path setting that includes any schemas writable by a hostile user enables that user to capture control of queries and then run arbitrary SQL code with the permissions of the attacked user. While it is possible to write queries that are proof against such hijacking, it is notationally tedious, and it's very easy to overlook holes. Therefore, we now recommend configurations in which no untrusted schemas appear in one's search path. (CVE-2018-1058) . + Avoid use of insecure search_path settings in pg_dump and other client programs . pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications were themselves vulnerable to the type of hijacking described in the previous changelog entry; since these applications are commonly run by superusers, they present particularly attractive targets. To make them secure whether or not the installation as a whole has been secured, modify them to include only the pg_catalog schema in their search_path settings. Autovacuum worker processes now do the same, as well. . In cases where user-provided functions are indirectly executed by these programs -- for example, user-provided functions in index expressions -- the tighter search_path may result in errors, which will need to be corrected by adjusting those user-provided functions to not assume anything about what search path they are invoked under. That has always been good practice, but now it will be necessary for correct behavior. (CVE-2018-1058) Checksums-Sha1: c7bcea2bc6c27b602027e931d80e7a917b082bc5 3694 postgresql-9.6_9.6.8-0+deb9u1.dsc 8e610dd8dbaab69982d12324971b0c6b5225142f 19528927 postgresql-9.6_9.6.8.orig.tar.bz2 3b8957550448a7337d078eefc9f102f34b5f2c7a 23000 postgresql-9.6_9.6.8-0+deb9u1.debian.tar.xz 8a147516e8dc0038a5bb4b06fc3393dfdc8f6839 8653 postgresql-9.6_9.6.8-0+deb9u1_source.buildinfo Checksums-Sha256: 415ef4a3d1cf94881b30b631232a01d57d48ec9ba809d94d18c468024e8c828b 3694 postgresql-9.6_9.6.8-0+deb9u1.dsc eafdb3b912e9ec34bdd28b651d00226a6253ba65036cb9a41cad2d9e82e3eb70 19528927 postgresql-9.6_9.6.8.orig.tar.bz2 98b2188e97de64729795c2ec33617f5495af7eb2b64ea83138f7ce482f49b74b 23000 postgresql-9.6_9.6.8-0+deb9u1.debian.tar.xz fedf8b2245e6756d61db67af1931fb80cda381d6de993fc73d7d2aebb182761e 8653 postgresql-9.6_9.6.8-0+deb9u1_source.buildinfo Files: 96717a1cba3677f742104bec7bb86006 3694 database optional postgresql-9.6_9.6.8-0+deb9u1.dsc 4c907252d166eabe2fc2b5cc3f034583 19528927 database optional postgresql-9.6_9.6.8.orig.tar.bz2 ca5518d41a912bb91ba60fd67fdf9d57 23000 database optional postgresql-9.6_9.6.8-0+deb9u1.debian.tar.xz e31ffbf69df2ce4761ace31d0710b809 8653 database optional postgresql-9.6_9.6.8-0+deb9u1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAlqeT9IACgkQTFprqxLS p67uzRAAn+nFbJzIgnSXAoY9ahMFRwjeneB5xFdIOWqXjM6wR+wFbPK2CxlBaEKA tI34n/7pbPwr9wmTEZpwroE41r9bi6cT7e3vI8rqZSpgnNJDGCu8r2Rr7YpJ1lfu wuW7OgasVqlKCpb6XtXK+GwswE88f6foUv2K+sRWj4hQtNNZn7jH+ykb3uC3KjlR mkDRfHtitGqV6n1acb6H4Ryb/0+ul6eWOP3bo8y0mmb1gWpTmoG65sUgjvOeCbBf pZLfIAUHZhht7beZ6oESADsWylto49yr9b+rfQQ1WbwTZ3XzZZwaR01odGV32zUR +4nWj/kvC8eQhciXHaBBMwNhQFmZPGe/jjkVYjXSZyAbm/LJ5AvFKcxPa4SrHF4H gSnXFggdlw3ODIUy631oPcTJgGuIs7lRCKB+zmrO6TynAeDvb1qN5OdysQbUjORT Z7vWGLUkaqm4kPgBEIMjZPf31fYbJU/YpVgVKw06ZGx/KomoA+J0D4kAj6053uVU 2DAKgbjuPq9/S45bvUc5EML6s1J1xDonzVTZ66PuTMa+aesAgHfG4wWG3SczXmDm HC1U5MC31hUXj9JItjmfl7hMT3ee4ll9Bc3BR/1Bglv1ntjDPc4FPnZ5iekj7+x7 /0E9+WQFII3mbas0Z4UtmR3BKsp2pt+MSt/rQwzbeG6eDzGPx4g= =ofWl -----END PGP SIGNATURE----- Thank you for your contribution to Debian. _______________________________________________ Pkg-postgresql-public mailing list Pkg-postgresql-public@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-postgresql-public