[Pkg-postgresql-public] Accepted postgresql-9.6 9.6.8-0+deb9u1 (source) into proposed-updates->stable-new, proposed-updates

[Christoph Berg]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 27 Feb 2018 13:14:39 +0100
Source: postgresql-9.6
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 
postgresql-9.6 postgresql-9.6-dbg postgresql-client-9.6 
postgresql-server-dev-9.6 postgresql-doc-9.6 postgresql-contrib-9.6 
postgresql-plperl-9.6 postgresql-plpython-9.6 postgresql-plpython3-9.6 
postgresql-pltcl-9.6
Architecture: source
Version: 9.6.8-0+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers 

Changed-By: Christoph Berg 
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6   - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 9.6
 libpq-dev  - header files for libpq5 (PostgreSQL library)
 libpq5 - PostgreSQL C client library
 postgresql-9.6 - object-relational SQL database, version 9.6 server
 postgresql-9.6-dbg - debug symbols for postgresql-9.6
 postgresql-client-9.6 - front-end programs for PostgreSQL 9.6
 postgresql-contrib-9.6 - additional facilities for PostgreSQL
 postgresql-doc-9.6 - documentation for the PostgreSQL database management 
system
 postgresql-plperl-9.6 - PL/Perl procedural language for PostgreSQL 9.6
 postgresql-plpython-9.6 - PL/Python procedural language for PostgreSQL 9.6
 postgresql-plpython3-9.6 - PL/Python 3 procedural language for PostgreSQL 9.6
 postgresql-pltcl-9.6 - PL/Tcl procedural language for PostgreSQL 9.6
 postgresql-server-dev-9.6 - development files for PostgreSQL 9.6 server-side 
programming
Changes:
 postgresql-9.6 (9.6.8-0+deb9u1) stretch; urgency=medium
 .
   * New upstream version.
 .
 If you run an installation in which not all users are mutually
 trusting, or if you maintain an application or extension that is
 intended for use in arbitrary situations, it is strongly recommended
 that you read the documentation changes described in the first changelog
 entry below, and take suitable steps to ensure that your installation or
 code is secure.
 .
 Also, the changes described in the second changelog entry below may
 cause functions used in index expressions or materialized views to fail
 during auto-analyze, or when reloading from a dump.  After upgrading,
 monitor the server logs for such problems, and fix affected functions.
 .
 + Document how to configure installations and applications to guard
   against search-path-dependent trojan-horse attacks from other users
 .
   Using a search_path setting that includes any schemas writable by a
   hostile user enables that user to capture control of queries and then
   run arbitrary SQL code with the permissions of the attacked user.  While
   it is possible to write queries that are proof against such hijacking,
   it is notationally tedious, and it's very easy to overlook holes.
   Therefore, we now recommend configurations in which no untrusted schemas
   appear in one's search path.
   (CVE-2018-1058)
 .
 + Avoid use of insecure search_path settings in pg_dump and other client
   programs
 .
   pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications
   were themselves vulnerable to the type of hijacking described in the
   previous changelog entry; since these applications are commonly run by
   superusers, they present particularly attractive targets.  To make them
   secure whether or not the installation as a whole has been secured,
   modify them to include only the pg_catalog schema in their search_path
   settings. Autovacuum worker processes now do the same, as well.
 .
   In cases where user-provided functions are indirectly executed by these
   programs -- for example, user-provided functions in index expressions --
   the tighter search_path may result in errors, which will need to be
   corrected by adjusting those user-provided functions to not assume
   anything about what search path they are invoked under.  That has always
   been good practice, but now it will be necessary for correct behavior.
   (CVE-2018-1058)
Checksums-Sha1:
 c7bcea2bc6c27b602027e931d80e7a917b082bc5 3694 postgresql-9.6_9.6.8-0+deb9u1.dsc
 8e610dd8dbaab69982d12324971b0c6b5225142f 19528927 
postgresql-9.6_9.6.8.orig.tar.bz2
 3b8957550448a7337d078eefc9f102f34b5f2c7a 23000 
postgresql-9.6_9.6.8-0+deb9u1.debian.tar.xz
 8a147516e8dc0038a5bb4b06fc3393dfdc8f6839 8653 
postgresql-9.6_9.6.8-0+deb9u1_source.buildinfo
Checksums-Sha256:
 415ef4a3d1cf94881b30b631232a01d57d48ec9ba809d94d18c468024e8c828b 3694 
postgresql-9.6_9.6.8-0+deb9u1.dsc
 eafdb3b912e9ec34bdd28b651d00226a6253ba65036cb9a41cad2d9e82e3eb70 19528927 
postgresql-9.6_9.6.8.orig.tar.bz2
 98b2188e97de64729795c2ec33617f5495af7eb2b64ea83138f7ce482f49b74b 

[Pkg-postgresql-public] postgresql-9.4_9.4.17-0+deb8u1_amd64.changes ACCEPTED into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates

[Debian FTP Masters]

Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 27 Feb 2018 13:20:22 +0100
Source: postgresql-9.4
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 
postgresql-9.4 postgresql-9.4-dbg postgresql-client-9.4 
postgresql-server-dev-9.4 postgresql-doc-9.4 postgresql-contrib-9.4 
postgresql-plperl-9.4 postgresql-plpython-9.4 postgresql-plpython3-9.4 
postgresql-pltcl-9.4
Architecture: source amd64 all
Version: 9.4.17-0+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers 

Changed-By: Christoph Berg 
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6   - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 9.4
 libpq-dev  - header files for libpq5 (PostgreSQL library)
 libpq5 - PostgreSQL C client library
 postgresql-9.4 - object-relational SQL database, version 9.4 server
 postgresql-9.4-dbg - debug symbols for postgresql-9.4
 postgresql-client-9.4 - front-end programs for PostgreSQL 9.4
 postgresql-contrib-9.4 - additional facilities for PostgreSQL
 postgresql-doc-9.4 - documentation for the PostgreSQL database management 
system
 postgresql-plperl-9.4 - PL/Perl procedural language for PostgreSQL 9.4
 postgresql-plpython-9.4 - PL/Python procedural language for PostgreSQL 9.4
 postgresql-plpython3-9.4 - PL/Python 3 procedural language for PostgreSQL 9.4
 postgresql-pltcl-9.4 - PL/Tcl procedural language for PostgreSQL 9.4
 postgresql-server-dev-9.4 - development files for PostgreSQL 9.4 server-side 
programming
Changes:
 postgresql-9.4 (9.4.17-0+deb8u1) jessie; urgency=medium
 .
   * New upstream version.
 .
 If you run an installation in which not all users are mutually
 trusting, or if you maintain an application or extension that is
 intended for use in arbitrary situations, it is strongly recommended
 that you read the documentation changes described in the first changelog
 entry below, and take suitable steps to ensure that your installation or
 code is secure.
 .
 Also, the changes described in the second changelog entry below may
 cause functions used in index expressions or materialized views to fail
 during auto-analyze, or when reloading from a dump.  After upgrading,
 monitor the server logs for such problems, and fix affected functions.
 .
 + Document how to configure installations and applications to guard
   against search-path-dependent trojan-horse attacks from other users
 .
   Using a search_path setting that includes any schemas writable by a
   hostile user enables that user to capture control of queries and then
   run arbitrary SQL code with the permissions of the attacked user.  While
   it is possible to write queries that are proof against such hijacking,
   it is notationally tedious, and it's very easy to overlook holes.
   Therefore, we now recommend configurations in which no untrusted schemas
   appear in one's search path.
   (CVE-2018-1058)
 .
 + Avoid use of insecure search_path settings in pg_dump and other client
   programs
 .
   pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications
   were themselves vulnerable to the type of hijacking described in the
   previous changelog entry; since these applications are commonly run by
   superusers, they present particularly attractive targets.  To make them
   secure whether or not the installation as a whole has been secured,
   modify them to include only the pg_catalog schema in their search_path
   settings. Autovacuum worker processes now do the same, as well.
 .
   In cases where user-provided functions are indirectly executed by these
   programs -- for example, user-provided functions in index expressions --
   the tighter search_path may result in errors, which will need to be
   corrected by adjusting those user-provided functions to not assume
   anything about what search path they are invoked under.  That has always
   been good practice, but now it will be necessary for correct behavior.
   (CVE-2018-1058)
Checksums-Sha1:
 858ea950441266defbc5187cc618d97a86f96dcf 3546 
postgresql-9.4_9.4.17-0+deb8u1.dsc
 e9de67c092dc2fed53db86fd25c5bd167e372876 17807648 
postgresql-9.4_9.4.17.orig.tar.bz2
 6e56790e98d6eaa5ef9d3d7f7ecf5ced152a0d3d 26016 
postgresql-9.4_9.4.17-0+deb8u1.debian.tar.xz
 48f9e7b445b0baa5d92f729f7af28d31b669357f 166806 
libpq-dev_9.4.17-0+deb8u1_amd64.deb
 1794b1ae23e27a26bbe6007cd62b1173c96ead02 127752 
libpq5_9.4.17-0+deb8u1_amd64.deb
 687cc33124a8b0f71d64ec59ce53f89e24400b07 83230 
libecpg6_9.4.17-0+deb8u1_amd64.deb
 25f387619ec81938d275c4740645105e239405cc 220240 
libecpg-dev_9.4.17-0+deb8u1_amd64.deb
 

[Pkg-postgresql-public] postgresql-9.6_9.6.8-0+deb9u1_source.changes ACCEPTED into proposed-updates->stable-new, proposed-updates

[Debian FTP Masters]

Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 27 Feb 2018 13:14:39 +0100
Source: postgresql-9.6
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 
postgresql-9.6 postgresql-9.6-dbg postgresql-client-9.6 
postgresql-server-dev-9.6 postgresql-doc-9.6 postgresql-contrib-9.6 
postgresql-plperl-9.6 postgresql-plpython-9.6 postgresql-plpython3-9.6 
postgresql-pltcl-9.6
Architecture: source
Version: 9.6.8-0+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers 

Changed-By: Christoph Berg 
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6   - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 9.6
 libpq-dev  - header files for libpq5 (PostgreSQL library)
 libpq5 - PostgreSQL C client library
 postgresql-9.6 - object-relational SQL database, version 9.6 server
 postgresql-9.6-dbg - debug symbols for postgresql-9.6
 postgresql-client-9.6 - front-end programs for PostgreSQL 9.6
 postgresql-contrib-9.6 - additional facilities for PostgreSQL
 postgresql-doc-9.6 - documentation for the PostgreSQL database management 
system
 postgresql-plperl-9.6 - PL/Perl procedural language for PostgreSQL 9.6
 postgresql-plpython-9.6 - PL/Python procedural language for PostgreSQL 9.6
 postgresql-plpython3-9.6 - PL/Python 3 procedural language for PostgreSQL 9.6
 postgresql-pltcl-9.6 - PL/Tcl procedural language for PostgreSQL 9.6
 postgresql-server-dev-9.6 - development files for PostgreSQL 9.6 server-side 
programming
Changes:
 postgresql-9.6 (9.6.8-0+deb9u1) stretch; urgency=medium
 .
   * New upstream version.
 .
 If you run an installation in which not all users are mutually
 trusting, or if you maintain an application or extension that is
 intended for use in arbitrary situations, it is strongly recommended
 that you read the documentation changes described in the first changelog
 entry below, and take suitable steps to ensure that your installation or
 code is secure.
 .
 Also, the changes described in the second changelog entry below may
 cause functions used in index expressions or materialized views to fail
 during auto-analyze, or when reloading from a dump.  After upgrading,
 monitor the server logs for such problems, and fix affected functions.
 .
 + Document how to configure installations and applications to guard
   against search-path-dependent trojan-horse attacks from other users
 .
   Using a search_path setting that includes any schemas writable by a
   hostile user enables that user to capture control of queries and then
   run arbitrary SQL code with the permissions of the attacked user.  While
   it is possible to write queries that are proof against such hijacking,
   it is notationally tedious, and it's very easy to overlook holes.
   Therefore, we now recommend configurations in which no untrusted schemas
   appear in one's search path.
   (CVE-2018-1058)
 .
 + Avoid use of insecure search_path settings in pg_dump and other client
   programs
 .
   pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications
   were themselves vulnerable to the type of hijacking described in the
   previous changelog entry; since these applications are commonly run by
   superusers, they present particularly attractive targets.  To make them
   secure whether or not the installation as a whole has been secured,
   modify them to include only the pg_catalog schema in their search_path
   settings. Autovacuum worker processes now do the same, as well.
 .
   In cases where user-provided functions are indirectly executed by these
   programs -- for example, user-provided functions in index expressions --
   the tighter search_path may result in errors, which will need to be
   corrected by adjusting those user-provided functions to not assume
   anything about what search path they are invoked under.  That has always
   been good practice, but now it will be necessary for correct behavior.
   (CVE-2018-1058)
Checksums-Sha1:
 c7bcea2bc6c27b602027e931d80e7a917b082bc5 3694 postgresql-9.6_9.6.8-0+deb9u1.dsc
 8e610dd8dbaab69982d12324971b0c6b5225142f 19528927 
postgresql-9.6_9.6.8.orig.tar.bz2
 3b8957550448a7337d078eefc9f102f34b5f2c7a 23000 
postgresql-9.6_9.6.8-0+deb9u1.debian.tar.xz
 8a147516e8dc0038a5bb4b06fc3393dfdc8f6839 8653 
postgresql-9.6_9.6.8-0+deb9u1_source.buildinfo
Checksums-Sha256:
 415ef4a3d1cf94881b30b631232a01d57d48ec9ba809d94d18c468024e8c828b 3694 
postgresql-9.6_9.6.8-0+deb9u1.dsc
 eafdb3b912e9ec34bdd28b651d00226a6253ba65036cb9a41cad2d9e82e3eb70 19528927 
postgresql-9.6_9.6.8.orig.tar.bz2