Format: 1.8
Date: Tue, 11 Feb 2020 13:48:46 +0100
Source: postgresql-11
Architecture: source
Version: 11.7-0+deb10u1
Distribution: buster-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 postgresql-11 (11.7-0+deb10u1) buster-security; urgency=medium
 .
   * New upstream version.
     + Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION.
 .
       Marking an object as dependent on an extension did not have any
       privilege check whatsoever. This oversight allowed any user to mark
       routines, triggers, materialized views, or indexes as droppable by
       anyone able to drop an extension. Require that the calling user own
       the specified object (and hence have privilege to drop it).
       (CVE-2020-1720)
Checksums-Sha1:
 3d8802846889cbcada016f2158db426a3ddd1260 3738 postgresql-11_11.7-0+deb10u1.dsc
 5d696680c45fbd3f379db16447c6fa878e662820 19890063 postgresql-11_11.7.orig.tar.bz2
 a5fe12d3cf466e97e31d6d111e4f891685a5f264 24952 postgresql-11_11.7-0+deb10u1.debian.tar.xz
Checksums-Sha256:
 5729f856ae9818e5c1c1f9be61aab55a8a7dea81b30749670ae531c2c145e564 3738 postgresql-11_11.7-0+deb10u1.dsc
 324ae93a8846fbb6a25d562d271bc441ffa8794654c5b2839384834de220a313 19890063 postgresql-11_11.7.orig.tar.bz2
 dc9097b4d54d393f3e01d90485ea047a401fa12cba814395937047da89616fe3 24952 postgresql-11_11.7-0+deb10u1.debian.tar.xz
Files:
 7bc15f0b6182f7c7c6754fac1eead837 3738 database optional postgresql-11_11.7-0+deb10u1.dsc
 1cf8e7533b103e2aa9de6e76d477f67d 19890063 database optional postgresql-11_11.7.orig.tar.bz2
 e832081e90a84c42a84e765206df22bd 24952 database optional postgresql-11_11.7-0+deb10u1.debian.tar.xz