Format: 1.8
Date: Tue, 11 Feb 2020 14:31:19 +0100
Source: postgresql-9.6
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-9.6 postgresql-9.6-dbg postgresql-client-9.6 postgresql-server-dev-9.6 postgresql-doc-9.6 postgresql-contrib-9.6 postgresql-plperl-9.6 postgresql-plpython-9.6 postgresql-plpython3-9.6 postgresql-pltcl-9.6
Architecture: source
Version: 9.6.17-0+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6 - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 9.6
 libpq-dev - header files for libpq5 (PostgreSQL library)
 libpq5 - PostgreSQL C client library
 postgresql-9.6 - object-relational SQL database, version 9.6 server
 postgresql-9.6-dbg - debug symbols for postgresql-9.6
 postgresql-client-9.6 - front-end programs for PostgreSQL 9.6
 postgresql-contrib-9.6 - additional facilities for PostgreSQL
 postgresql-doc-9.6 - documentation for the PostgreSQL database management system
 postgresql-plperl-9.6 - PL/Perl procedural language for PostgreSQL 9.6
 postgresql-plpython-9.6 - PL/Python procedural language for PostgreSQL 9.6
 postgresql-plpython3-9.6 - PL/Python 3 procedural language for PostgreSQL 9.6
 postgresql-pltcl-9.6 - PL/Tcl procedural language for PostgreSQL 9.6
 postgresql-server-dev-9.6 - development files for PostgreSQL 9.6 server-side programming
Changes:
 postgresql-9.6 (9.6.17-0+deb9u1) stretch-security; urgency=medium
 .
   * New upstream version.
     + Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION.
 .
       Marking an object as dependent on an extension did not have any
       privilege check whatsoever. This oversight allowed any user to mark
       routines, triggers, materialized views, or indexes as droppable by
       anyone able to drop an extension. Require that the calling user own
       the specified object (and hence have privilege to drop it).
       (CVE-2020-1720)
Checksums-Sha1:
 7b258fee6b9bf07bbd210fad4decb61fe03456e1 3698 postgresql-9.6_9.6.17-0+deb9u1.dsc
 a2d7fec8edf82bfdef7a2e037fb855830972c262 18812282 postgresql-9.6_9.6.17.orig.tar.bz2
 5ff98e34ed2b5316f5daceff632095a0d8907210 29964 postgresql-9.6_9.6.17-0+deb9u1.debian.tar.xz
Checksums-Sha256:
 d7bd776c56f514fcdae757d0bc88b5d3311799eb436e1e389a6c0138c48cb40d 3698 postgresql-9.6_9.6.17-0+deb9u1.dsc
 f6e1e32d32545f97c066f3c19f4d58dfab1205c01252cf85c5c92294ace1a0c2 18812282 postgresql-9.6_9.6.17.orig.tar.bz2
 daae30d27d42300b52aeddd7280e03872bab9fd2baa0f939d6a2674e7172933b 29964 postgresql-9.6_9.6.17-0+deb9u1.debian.tar.xz
Files:
 a4282603914d21bdac1532cb293443a5 3698 database optional postgresql-9.6_9.6.17-0+deb9u1.dsc
 4a12dd9e2afe140a8d2d4366471b075f 18812282 database optional postgresql-9.6_9.6.17.orig.tar.bz2
 c8fe3a799540162605db6f36ae3f906c 29964 database optional postgresql-9.6_9.6.17-0+deb9u1.debian.tar.xz