-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 01 Dec 2020 12:11:51 +0100
Source: postgresql-9.6
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-9.6 postgresql-9.6-dbg postgresql-client-9.6 postgresql-server-dev-9.6 postgresql-doc-9.6 postgresql-contrib-9.6 postgresql-plperl-9.6 postgresql-plpython-9.6 postgresql-plpython3-9.6 postgresql-pltcl-9.6
Architecture: source
Version: 9.6.20-0+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6   - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 9.6
 libpq-dev  - header files for libpq5 (PostgreSQL library)
 libpq5     - PostgreSQL C client library
 postgresql-9.6 - object-relational SQL database, version 9.6 server
 postgresql-9.6-dbg - debug symbols for postgresql-9.6
 postgresql-client-9.6 - front-end programs for PostgreSQL 9.6
 postgresql-contrib-9.6 - additional facilities for PostgreSQL
 postgresql-doc-9.6 - documentation for the PostgreSQL database management system
 postgresql-plperl-9.6 - PL/Perl procedural language for PostgreSQL 9.6
 postgresql-plpython-9.6 - PL/Python procedural language for PostgreSQL 9.6
 postgresql-plpython3-9.6 - PL/Python 3 procedural language for PostgreSQL 9.6
 postgresql-pltcl-9.6 - PL/Tcl procedural language for PostgreSQL 9.6
 postgresql-server-dev-9.6 - development files for PostgreSQL 9.6 server-side programming
Closes: 974063
Changes:
 postgresql-9.6 (9.6.20-0+deb9u1) stretch-security; urgency=medium
 .
   * New upstream version.
     + Fixes timetz regression test failures. (Closes: #974063)
 .
     + Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers
       within index expressions and materialized view queries (Noah Misch)
 .
       This is essentially a leak in the security restricted operation
       sandbox mechanism. An attacker having permission to create
       non-temporary SQL objects could parlay this leak to execute arbitrary
       SQL code as a superuser.
 .
       The PostgreSQL Project thanks Etienne Stalmans for reporting this
       problem. (CVE-2020-25695)
 .
     + Fix usage of complex connection-string parameters in pg_dump,
       pg_restore, clusterdb, reindexdb, and vacuumdb (Tom Lane)
 .
       The -d parameter of pg_dump and pg_restore, or the --maintenance-db
       parameter of the other programs mentioned, can be a connection string
       containing multiple connection parameters rather than just a database
       name. In cases where these programs need to initiate additional
       connections, such as parallel processing or processing of multiple
       databases, the connection string was forgotten and just the basic
       connection parameters (database name, host, port, and username) were
       used for the additional connections. This could lead to connection
       failures if the connection string included any other essential
       information, such as non-default SSL or GSS parameters. Worse, the
       connection might succeed but not be encrypted as intended, or be
       vulnerable to man-in-the-middle attacks that the intended connection
       parameters would have prevented. (CVE-2020-25694)
 .
     + When psql's \connect command re-uses connection parameters, ensure
       that all non-overridden parameters from a previous connection string
       are re-used (Tom Lane)
 .
       This avoids cases where reconnection might fail due to omission of
       relevant parameters, such as non-default SSL or GSS options. Worse,
       the reconnection might succeed but not be encrypted as intended, or
       be vulnerable to man-in-the-middle attacks that the intended
       connection parameters would have prevented. This is largely the same
       problem as just cited for pg_dump et al, although psql's behavior is
       more complex since the user may intentionally override some
       connection parameters. (CVE-2020-25694)
 .
     + Prevent psql's \gset command from modifying specially-treated
       variables (Noah Misch)
 .
       \gset without a prefix would overwrite whatever variables the server
       told it to. Thus, a compromised server could set specially-treated
       variables such as PROMPT1, giving the ability to execute arbitrary
       shell code in the user's session.
 .
       The PostgreSQL Project thanks Nick Cleaton for reporting this
       problem. (CVE-2020-25696)
Checksums-Sha1:
 4f02f68591ef4abb7486a401b7d43dc50026bb61 3701 postgresql-9.6_9.6.20-0+deb9u1.dsc
 13aa206da020a550e56dbf524ca227bc2191fa48 18944478 postgresql-9.6_9.6.20.orig.tar.bz2
 85a1c2e144c990100bcec3219c81f389cf465a8e 177896 postgresql-9.6_9.6.20-0+deb9u1.debian.tar.xz
Checksums-Sha256:
 587f13783bf63e7d02d7753014f2fed9107e6027c49dfa82bcb9f9b56353455a 3701 postgresql-9.6_9.6.20-0+deb9u1.dsc
 3d08cba409d45ab62d42b24431a0d55e7537bcd1db2d979f5f2eefe34d487bb6 18944478 postgresql-9.6_9.6.20.orig.tar.bz2
 e2284c1def58fc13f2a4fde2d105beec80c4d71dc94aee262b99d858a04b5d32 177896 postgresql-9.6_9.6.20-0+deb9u1.debian.tar.xz
Files:
 4acac74202fb195e07769bc4f2f81449 3701 database optional postgresql-9.6_9.6.20-0+deb9u1.dsc
 652f2c5eb1a3b0368000717a0e7c36f0 18944478 database optional postgresql-9.6_9.6.20.orig.tar.bz2
 0e0689f8fe3df6a3da133de0fc572c0c 177896 database optional postgresql-9.6_9.6.20-0+deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAl/GLKUACgkQTFprqxLS
p67ejA//ZEW8tv487vxhpZDnS8hdDakIc49DT71s9WaorbyChy67/LnKx5JfVvJo
9FG7YHgciFzw+pLUnaNv19N6iP81RSNiNUeYFhllkdTNLqqxrgP5nw3abZWece9v
K15FYyR0e+U+9rW0gCbnrvRJfrIj9agFoxW6Wo+raZQJb3bUOR+d0tiTAkIlYNFK
vsmvqs1oykrwg2ctDWPk7wG2bxQUeMuMoJC5D0dBkEaqy64dLbBweLMnU17lcUHh
bMwCRP/q78NfCvpAwo8GpfZ5/SqOR5LhNZN+OnlHwAOPq9ElPFAnfkCn+38Tk781
sDpFnJw3rFHUen6SSjZ9uvoSYnBYtx3bq9txlmSfqd7QL7eQtCp9PpaouSqiX+71
J9Oa+p+H7/JgPAqNa7jMMO0w8WgboL+OB/w3hKqaGSwA4ws9CvuHILLfvdQ31hTI
RimdYk6qZUdn5xwHOdZwhdVg0BUDlDG7zUXSOHIHOZ5ePcagPF6rvd6+xjU11ehs
Ip2Xec/o8GjpqkNJkbBLCyarMFAv+tFkEjUoYDZHWrW90Pp9dtVxqQ7tb5mPbZj2
lxVIDtHkkInPE6M53ym2hHk8TP46YQnHqHQtOTtg5yWbOqMSyZnoXqmdbgI26Zej
Elk3oAiFoBvXdsX327p1+FVy61iGVxOorOLpwb4oU2hJR4RuKNY=
=Guus
-----END PGP SIGNATURE-----
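The Checksums-Sha256 field above is what a consumer of this upload checks the downloaded .dsc, .orig.tar.bz2 and .debian.tar.xz against. The following Python script is an added example, not part of this .changes file and not Debian's or PostgreSQL's own tooling: it parses a multi-line checksum field (plain or PGP-clearsigned text) and reports each listed file as ok, missing, size-mismatch or digest-mismatch. PAGE_CHECKSUMS is copied from the real field above; everything in demo() (package name "pkg", file names, contents and digests) is constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Copied from the Checksums-Sha256 and Files fields of the .changes file above
# (real values, used here only to exercise the parser).
PAGE_CHECKSUMS = """\
Checksums-Sha256:
 587f13783bf63e7d02d7753014f2fed9107e6027c49dfa82bcb9f9b56353455a 3701 postgresql-9.6_9.6.20-0+deb9u1.dsc
 3d08cba409d45ab62d42b24431a0d55e7537bcd1db2d979f5f2eefe34d487bb6 18944478 postgresql-9.6_9.6.20.orig.tar.bz2
 e2284c1def58fc13f2a4fde2d105beec80c4d71dc94aee262b99d858a04b5d32 177896 postgresql-9.6_9.6.20-0+deb9u1.debian.tar.xz
Files:
 4acac74202fb195e07769bc4f2f81449 3701 database optional postgresql-9.6_9.6.20-0+deb9u1.dsc
"""

# One continuation line of a checksum field: "<hexdigest> <size> <filename>".
CHECKSUM_LINE = re.compile(r"^\s+([0-9a-fA-F]+)\s+(\d+)\s+(\S+)\s*$")


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return [(digest, size, filename), ...] from a multi-line checksum field.

    Works on plain or PGP-clearsigned .changes text: the armour header, the
    'Hash:' line and the signature block never look like the field header or
    like an indented entry, so they are skipped. The field ends at the first
    line that is not an indented entry (for example the next 'Files:' header).
    """
    entries = []
    in_field = False
    for line in changes_text.splitlines():
        if in_field:
            m = CHECKSUM_LINE.match(line)
            if m:
                entries.append((m.group(1).lower(), int(m.group(2)), m.group(3)))
                continue
            in_field = False
        if line.rstrip() == field + ":":
            in_field = True
    return entries


def verify_files(entries, directory, algorithm="sha256"):
    """Check each listed file in `directory` against its declared size and digest.

    Returns {filename: "ok" | "missing" | "size-mismatch" | "digest-mismatch"}.
    Size is compared first because it is cheap and catches truncated downloads
    without hashing; the digest comparison is what actually detects tampering.
    """
    results = {}
    for digest, size, name in entries:
        path = Path(directory) / Path(name).name  # a listed name must not escape the directory
        if not path.is_file():
            results[name] = "missing"
            continue
        data = path.read_bytes()
        if len(data) != size:
            results[name] = "size-mismatch"
        elif hashlib.new(algorithm, data).hexdigest() != digest:
            results[name] = "digest-mismatch"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed scenario: four declared files, one intact and three defective."""
    good = b"hello world\n"
    original = b"original\n"
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "pkg_1.0-1.dsc").write_bytes(good)                          # intact
        (d / "pkg_1.0.orig.tar.gz").write_bytes(b"origina1\n")           # same size, one byte changed
        (d / "pkg_1.0-1.debian.tar.xz").write_bytes(original + b"x")     # wrong length
        # pkg_1.0-1_amd64.buildinfo is deliberately never written          # missing
        changes = (
            "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
            "Format: 1.8\nSource: pkg\n"
            "Checksums-Sha256:\n"
            f" {hashlib.sha256(good).hexdigest()} {len(good)} pkg_1.0-1.dsc\n"
            f" {hashlib.sha256(original).hexdigest()} {len(original)} pkg_1.0.orig.tar.gz\n"
            f" {hashlib.sha256(original).hexdigest()} {len(original)} pkg_1.0-1.debian.tar.xz\n"
            f" {hashlib.sha256(b'').hexdigest()} 0 pkg_1.0-1_amd64.buildinfo\n"
            "Files:\n"
            " d41d8cd98f00b204e9800998ecf8427e 0 database optional pkg_1.0-1_amd64.buildinfo\n"
            "-----BEGIN PGP SIGNATURE-----\n\nAAAA\n=AAAA\n-----END PGP SIGNATURE-----\n"
        )
        return verify_files(parse_checksums(changes), d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:16} {name}")
```

The digests are only as trustworthy as the clearsign signature wrapping them, so this check is meaningful only after that signature has been verified against a known maintainer key (the script assumes that step was already done); in a Debian workflow `dscverify` from devscripts performs both steps together.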