-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Thu, 09 Jan 2020 18:52:09 +0100 Source: postgresql-12 Architecture: source Version: 12.2-1 Distribution: unstable Urgency: medium Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org> Changed-By: Christoph Berg <myon@debian.org> Changes: postgresql-12 (12.2-1) unstable; urgency=medium . * New upstream version. + Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION. . Marking an object as dependent on an extension did not have any privilege check whatsoever. This oversight allowed any user to mark routines, triggers, materialized views, or indexes as droppable by anyone able to drop an extension. Require that the calling user own the specified object (and hence have privilege to drop it). (CVE-2020-1720) . * Disable llvm on riscv64 again, it's broken. * Set PROVE_FLAGS="--verbose". Checksums-Sha1: 7178862a40c23084b2610b5ec189f7ac7b4f3ef5 3591 postgresql-12_12.2-1.dsc 43b079f3446b7270e42abfe44859f11a471908a5 20363545 postgresql-12_12.2.orig.tar.bz2 2758a3c3ec733f46d08bea2f81fec1cd1ad2b309 22796 postgresql-12_12.2-1.debian.tar.xz Checksums-Sha256: 2a1f0fe2f9187579b7d6be5811c2c9e8246a4fc6576bf866d5b041080b0173c4 3591 postgresql-12_12.2-1.dsc ad1dcc4c4fc500786b745635a9e1eba950195ce20b8913f50345bb7d5369b5de 20363545 postgresql-12_12.2.orig.tar.bz2 cf7bba725dfd2d8094ef0d1c808761f20868a001f0de2ca0affe046fb5407648 22796 postgresql-12_12.2-1.debian.tar.xz Files: 155432ed46604fbbddf2595ff96a7b34 3591 database optional postgresql-12_12.2-1.dsc a88ceea8ecf2741307f663e4539b58b7 20363545 database optional postgresql-12_12.2.orig.tar.bz2 750703eb64512e7279f7945950ced8b0 22796 database optional postgresql-12_12.2-1.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAl5FRNoACgkQTFprqxLS p65Maw//Xml5MVxlDozbVhQid2ho7hOQ9X5dngUwNXpYCJW2DNHI1zIusEX1m5+6 jOJ8RQ8m9n0KfQJJ2JBPPnOkEPpEoqyei8ITiWRU6YWW4yAM/BHyMHntTdseXPxF mj2PBzVreM7bHSxbEfvbXni1R6JrdEm7gPUbdcEH4b+1tTDxOz+3Mp0UlE/vvks9 POKLzzXzlzqS0FqRh+o4dPhEV10buXd+RUvaiOcplQFjrWuAOUp6lCi6xXuu5/If 9VTkxedGzU2UfmAEH9KTjk3oSyzRIb5GmR5qAYfzkqoNnqTfqV3trZl0WcleVZ1o 3/QOS3/4SdezvPu9FeZYlDX/kAnxK/yOA3mwz8HjXmh7fuqAaHkZpySMf1EHrniM Bqancrm6kNXFPa5nuf/iES61MlNFd5sKHacF5MlvKDGvf3njx1+lV6yrMXOjsr0b OeZurfFl6kXVsEESGZHvqhX1vj3zWNaanyMKl3TI9W2ySLsprvu0I3ULc6A0r4yO Fiy5xKk3+2cWPQdcV9RmxP377Mg9isLVXgE2SR14TlXeQgdbpvZMPFBGP5SWev2X qtXtu3LRfZOv2OrPTRYIf6p3BWGOUi6zifZJxFLw0UdURCnj6JeHlt0dBpI2TmLU IoGzkD5Em/UdOUVJZ0MSZgL6gPyQ8GOjqFaFn0iQHYdp4qhANys= =OZfo -----END PGP SIGNATURE-----