Format: 1.8
Date: Wed, 12 May 2021 16:53:28 +0200
Source: postgresql-9.6
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3
 postgresql-9.6 postgresql-9.6-dbg postgresql-client-9.6
 postgresql-server-dev-9.6 postgresql-doc-9.6 postgresql-contrib-9.6
 postgresql-plperl-9.6 postgresql-plpython-9.6 postgresql-plpython3-9.6
 postgresql-pltcl-9.6
Architecture: source
Version: 9.6.22-0+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6 - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 9.6
 libpq-dev - header files for libpq5 (PostgreSQL library)
 libpq5 - PostgreSQL C client library
 postgresql-9.6 - object-relational SQL database, version 9.6 server
 postgresql-9.6-dbg - debug symbols for postgresql-9.6
 postgresql-client-9.6 - front-end programs for PostgreSQL 9.6
 postgresql-contrib-9.6 - additional facilities for PostgreSQL
 postgresql-doc-9.6 - documentation for the PostgreSQL database management system
 postgresql-plperl-9.6 - PL/Perl procedural language for PostgreSQL 9.6
 postgresql-plpython-9.6 - PL/Python procedural language for PostgreSQL 9.6
 postgresql-plpython3-9.6 - PL/Python 3 procedural language for PostgreSQL 9.6
 postgresql-pltcl-9.6 - PL/Tcl procedural language for PostgreSQL 9.6
 postgresql-server-dev-9.6 - development files for PostgreSQL 9.6 server-side programming
Changes:
 postgresql-9.6 (9.6.22-0+deb9u1) stretch-security; urgency=medium
 .
   * New upstream version.
 .
     + Prevent integer overflows in array subscripting calculations
       (Tom Lane)
 .
       The array code previously did not complain about cases where an
       array's lower bound plus length overflows an integer.
       This resulted in later entries in the array becoming inaccessible
       (since their subscripts could not be written as integers), but more
       importantly it confused subsequent assignment operations. This could
       lead to memory overwrites, with ensuing crashes or unwanted data
       modifications. (CVE-2021-32027)
 .
     + Fix mishandling of junk columns in INSERT ... ON CONFLICT ... UPDATE
       target lists (Tom Lane)
 .
       If the UPDATE list contains any multi-column sub-selects (which give
       rise to junk columns in addition to the results proper), the UPDATE
       path would end up storing tuples that include the values of the extra
       junk columns. That's fairly harmless in the short run, but if new
       columns are added to the table then the values would become
       accessible, possibly leading to malfunctions if they don't match the
       datatypes of the added columns.
 .
       In addition, in versions supporting cross-partition updates, a
       cross-partition update triggered by such a case had the reverse
       problem: the junk columns were removed from the target list, typically
       causing an immediate crash due to malfunction of the multi-column
       sub-select mechanism.
       (CVE-2021-32028)
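
The condition named in the first changelog entry (an array's lower bound plus length overflowing an integer, leaving later entries without a writable subscript) can be rejected up front. The following is an added C example, not PostgreSQL's code or its fix; `dim_t`, `dim_bounds_ok`, `reachable_elements` and `subscript_to_offset` are hypothetical names and the inputs are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical one-dimensional array descriptor: valid subscripts are
 * lb .. lb + len - 1. Not PostgreSQL's data structure. */
typedef struct { int lb; int len; } dim_t;

/* True when lb + len is representable as an int. The comparison is
 * rearranged so the check itself can never overflow. */
static bool dim_bounds_ok(dim_t d)
{
    if (d.len < 0)
        return false;
    return d.lb <= INT_MAX - d.len;   /* len >= 0, so INT_MAX - len is safe */
}

/* Number of elements whose subscript can still be written as an int. */
static long long reachable_elements(dim_t d)
{
    long long room = (long long)INT_MAX - d.lb + 1;   /* subscripts lb..INT_MAX */
    return room < d.len ? room : d.len;
}

/* Map a subscript to a zero-based offset, refusing bad descriptors. */
static bool subscript_to_offset(dim_t d, int sub, int *off)
{
    if (!dim_bounds_ok(d) || sub < d.lb)
        return false;
    long long delta = (long long)sub - d.lb;          /* widened: cannot wrap */
    if (delta >= d.len)
        return false;
    *off = (int)delta;
    return true;
}

int main(void)
{
    dim_t bad = { INT_MAX - 1, 5 };                   /* constructed input */
    int off = -1;
    printf("bounds ok: %d\n", dim_bounds_ok(bad));
    printf("reachable: %lld of %d\n", reachable_elements(bad), bad.len);
    printf("lookup accepted: %d\n", subscript_to_offset(bad, INT_MAX, &off));
    return 0;
}
```

With the constructed descriptor, only 2 of the 5 elements have a subscript that fits in an `int`, so the descriptor is refused before any offset is computed from it.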