Format: 1.8
Date: Thu, 08 Aug 2019 15:22:02 +0200
Source: postgresql-11
Architecture: source
Version: 11.5-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Closes: 929953 932247
Changes:
 postgresql-11 (11.5-1+deb10u1) buster-security; urgency=high
 .
   * New upstream security release.
     + Fixes regression in ALTER TABLE on multiple columns.
       (Closes: #932247)
 .
     + No longer picks "UCT" as timezone spelling. (Closes: #929953)
 .
     + Require schema qualification to cast to a temporary type when using
       functional cast syntax (Noah Misch)
 .
       We have long required invocations of temporary functions to
       explicitly specify the temporary schema, that is
       pg_temp.func_name(args). Require this as well for casting to
       temporary types using functional notation, for example
       pg_temp.type_name(arg). Otherwise it's possible to capture a
       function call using a temporary object, allowing privilege
       escalation in much the same ways that we blocked in CVE-2007-2138.
       (CVE-2019-10208)
 .
     + Fix execution of hashed subplans that require cross-type comparison
       (Tom Lane, Andreas Seltenreich)
 .
       Hashed subplans used the outer query's original comparison operator
       to compare entries of the hash table. This is the wrong thing if
       that operator is cross-type, since all the hash table entries will
       be of the subquery's output type. For the set of hashable
       cross-type operators in core PostgreSQL, this mistake seems nearly
       harmless on 64-bit machines, but it can result in crashes or
       perhaps unauthorized disclosure of server memory on 32-bit
       machines. Extensions might provide hashable cross-type operators
       that create larger risks.
       (CVE-2019-10209)