Format: 1.8
Date: Thu, 13 Aug 2020 10:32:13 +0200
Source: postgresql-9.6
Architecture: source
Version: 9.6.19-0+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 postgresql-9.6 (9.6.19-0+deb9u1) stretch-security; urgency=medium
 .
   * New upstream version.
     + Make contrib modules' installation scripts more secure (Tom Lane)
 .
       Attacks similar to those described in CVE-2018-1058 could be carried
       out against an extension installation script, if the attacker can
       create objects in either the extension's target schema or the schema
       of some prerequisite extension. Since extensions often require
       superuser privilege to install, this can open a path to obtaining
       superuser privilege. To mitigate this risk, be more careful about the
       search_path used to run an installation script; disable
       check_function_bodies within the script; and fix catalog-adjustment
       queries used in some contrib modules to ensure they are secure. Also
       provide documentation to help third-party extension authors make
       their installation scripts secure. This is not a complete solution;
       extensions that depend on other extensions can still be at risk if
       installed carelessly.
 .
       (CVE-2020-14350)
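As an added illustration of the hardening the changelog entry describes (constructed here; it is not part of this changes file nor one of PostgreSQL's own contrib scripts), a hypothetical extension script `myext--1.0.sql` in which every type, function and operator reference is schema-qualified so that nothing in it is resolved through `search_path`, and the function pins its own `search_path` at run time. The extension name `myext` and the function are assumptions.

```sql
-- Constructed example: hypothetical extension script myext--1.0.sql
-- (assumed extension name; not a real PostgreSQL contrib module).
-- CREATE EXTENSION runs this file. If an attacker can create objects in the
-- target schema or in a prerequisite extension's schema, any unqualified
-- name here could resolve to their object instead of the intended one.

-- Refuse to run when sourced directly with psql instead of CREATE EXTENSION.
\echo Use "CREATE EXTENSION myext" to load this file. \quit

-- Risky pattern: "int", "bool", "abs" and ">" are all looked up through
-- search_path, and with check_function_bodies on the SQL body is parsed,
-- and its names resolved, while the installation script is still running.
--
--   CREATE FUNCTION myext.is_positive(x int) RETURNS bool
--     AS 'SELECT abs(x) > 0' LANGUAGE sql;

-- Hardened form: pg_catalog qualification for types, functions and
-- operators (OPERATOR(...) syntax), plus a fixed search_path attached to
-- the function so that its body resolves the same way at every call.
CREATE FUNCTION myext.is_positive(x pg_catalog.int4) RETURNS pg_catalog.bool
  AS 'SELECT pg_catalog.abs(x) OPERATOR(pg_catalog.>) 0'
  LANGUAGE sql
  IMMUTABLE STRICT
  SET search_path = pg_catalog, pg_temp;

-- A catalog adjustment of the kind an upgrade script (e.g. a hypothetical
-- myext--1.0--1.1.sql) might perform, written safely: the catalog table,
-- the cast target type and the comparison operator are all qualified, so
-- the row matched is exactly the function created above.
UPDATE pg_catalog.pg_proc
   SET proparallel = 's'
 WHERE oid OPERATOR(pg_catalog.=)
       'myext.is_positive(pg_catalog.int4)'::pg_catalog.regprocedure;
```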