-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Tue, 11 May 2021 22:10:35 +0200 Source: postgresql-13 Architecture: source Version: 13.3-1 Distribution: unstable Urgency: medium Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org> Changed-By: Christoph Berg <myon@debian.org> Closes: 988121 Changes: postgresql-13 (13.3-1) unstable; urgency=medium . * New upstream version. . + Prevent integer overflows in array subscripting calculations (Tom Lane) . The array code previously did not complain about cases where an array's lower bound plus length overflows an integer. This resulted in later entries in the array becoming inaccessible (since their subscripts could not be written as integers), but more importantly it confused subsequent assignment operations. This could lead to memory overwrites, with ensuing crashes or unwanted data modifications. (CVE-2021-32027) . + Fix mishandling of junk columns in INSERT ... ON CONFLICT ... UPDATE target lists (Tom Lane) . If the UPDATE list contains any multi-column sub-selects (which give rise to junk columns in addition to the results proper), the UPDATE path would end up storing tuples that include the values of the extra junk columns. That's fairly harmless in the short run, but if new columns are added to the table then the values would become accessible, possibly leading to malfunctions if they don't match the datatypes of the added columns. . In addition, in versions supporting cross-partition updates, a cross-partition update triggered by such a case had the reverse problem: the junk columns were removed from the target list, typically causing an immediate crash due to malfunction of the multi-column sub-select mechanism. (CVE-2021-32028) . + Fix possibly-incorrect computation of UPDATE ... RETURNING outputs for joined cross-partition updates (Amit Langote, Etsuro Fujita) . If an UPDATE for a partitioned table caused a row to be moved to another partition with a physically different row type (for example, one with a different set of dropped columns), computation of RETURNING results for that row could produce errors or wrong answers. No error is observed unless the UPDATE involves other tables being joined to the target table. (CVE-2021-32029) . * Mark libio-pty-perl and libipc-run-perl as <!nocheck>. (Closes: #988121) Checksums-Sha1: d7cb0dbad7ee0a13853abe7027e4742a26078a19 3655 postgresql-13_13.3-1.dsc 7a775f95367613ed5f7e4cd632586f9628475a92 21119109 postgresql-13_13.3.orig.tar.bz2 ba2728bd3df852ba28b9833c8bb869957ffb1c5c 28020 postgresql-13_13.3-1.debian.tar.xz Checksums-Sha256: 052d8c1b538bb4ddc17378a444e19640f1bcd488474bed233711db38f253b678 3655 postgresql-13_13.3-1.dsc 3cd9454fa8c7a6255b6743b767700925ead1b9ab0d7a0f9dcb1151010f8eb4a1 21119109 postgresql-13_13.3.orig.tar.bz2 07d04c37e345db84bb1b5f0681a6cb5a12544e4f9329c922c75a80580b2ee9f0 28020 postgresql-13_13.3-1.debian.tar.xz Files: a6d7018c18cddc42e8317d8a6803a6e8 3655 database optional postgresql-13_13.3-1.dsc edf0e016fc53025bcabc7e793920f1c1 21119109 database optional postgresql-13_13.3.orig.tar.bz2 ee77db4a44052ca0f7ab5eb5aeae9272 28020 database optional postgresql-13_13.3-1.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAmCc6nwACgkQTFprqxLS p64SrhAAnF+FbLdNq4/Cy0l0AS4PfIl0SDLRSCrrbcWFJ44Yz88m0qAh/C1xjZPZ eB6Jyb34hP7HEkLKD1lvPU7E8aq1sMbnDE0a9NUqc+FAKROQ31kaICHrp8VsyXKb Bxp/6Pr28uAGdA7r72GgmTT9CQeMt10Mzcoh940HvPTPHzQtcj1oMtQd8Do7iq1p t5wukf+W5hkqSNdv805YnWBqxWtrTRD6HKFXQOnsEd11ynJNC87HzdbWBVsSAcDs 9fgAreOujondTLaHJ5QAa0kfPDSTFEO6Jj1oAUKOGZwRQrkR9/hBoKEBivkThP3s zwp7Drc+yt6hzy6qndBl6g/mhrcNqM9oxl4qZOEda7zM3Mfef6u2q6bGV2YZ5r0K ZQ5z0HKEcQSWoJ81VRuRanXlwCHjLPLOtkzjhdQtOV0Hx3Cvt49Ki4HG8YQhDtpT L9y3HyHmCq5Xi4UULjF2jkjdOuxpRbOJTdCwFgCRwcHqt3dnWyh/aEYYwJXE6nTw HoUsXjVMPKihTxI6r5MZWwyNVP7XtRnTqKQa5onaTG1XGKcJKUzRYBFEYGYXrXIO C7PvYhphT/LtI6rFVrW0xuKBw0vgC0dWq2mPexXtxvgajXwiJC01Sqv5XSXxqxef FpzRHbIxXVawLmgXZFSGkZOJV2cT2XvgvLqVOrRSl0MGsYz3skw= =POAc -----END PGP SIGNATURE-----
