-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 05 Nov 2021 12:05:46 +0100
Source: postgresql-14
Architecture: source
Version: 14.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 postgresql-14 (14.1-1) unstable; urgency=medium
 .
   * New upstream release.
 .
     + Make the server and libpq reject extraneous data after an SSL or GSS
       encryption handshake (Tom Lane)
 .
       A man-in-the-middle with the ability to inject data into the TCP
       connection could stuff some cleartext data into the start of a
       supposedly encryption-protected database session.
 .
       This could be abused to send faked SQL commands to the server,
       although that would only work if the server did not demand any
       authentication data. (However, a server relying on SSL certificate
       authentication might well not do so.) (CVE-2021-23214)
 .
       This could probably be abused to inject faked responses to the
       client's first few queries, although other details of libpq's
       behavior make that harder than it sounds. A different line of attack
       is to exfiltrate the client's password, or other sensitive data that
       might be sent early in the session. That has been shown to be
       possible with a server vulnerable to CVE-2021-23214. (CVE-2021-23222)
 .
       The PostgreSQL Project thanks Jacob Champion for reporting these
       problems.
 .
   * libpq-dev: Depend on libssl-dev, `pkg-config --exists libpq` requires it.
Checksums-Sha1:
 c7e64551d1b4a2d4e7754187efb37220a83c96b6 3684 postgresql-14_14.1-1.dsc
 aacdb4fe70ed6de1b2f3ccbbc242e365c8da989b 21887101 postgresql-14_14.1.orig.tar.bz2
 e16d55099deda1fc94782a587fe100474adc32da 25904 postgresql-14_14.1-1.debian.tar.xz
Checksums-Sha256:
 d6c1167bbd31d4c02ef0c864d1d302dcec8e1c18fa876c2d4f0476c342fd1439 3684 postgresql-14_14.1-1.dsc
 4d3c101ea7ae38982f06bdc73758b53727fb6402ecd9382006fa5ecc7c2ca41f 21887101 postgresql-14_14.1.orig.tar.bz2
 5e40b8e428e50a407e0797964fe305921abbe26f99c8691b4b238b38ff0211f3 25904 postgresql-14_14.1-1.debian.tar.xz
Files:
 55dc3c408ae9c670cc63ea28d297dc57 3684 database optional postgresql-14_14.1-1.dsc
 e301da0fdef1243f576818850d7cc165 21887101 database optional postgresql-14_14.1.orig.tar.bz2
 dc467997726cc62537b659c95e23c813 25904 database optional postgresql-14_14.1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAmGM+5IACgkQTFprqxLS
p66cehAAqOypZoImKcdnce+0LbmG7HRU1Pu3gyDR9QP2MOvRVuAUsWLy3GB5THBP
4PkbB1fcaTUwEXpWcMREGTzskPRiNqjx98bAlZQiE+7tYnnqA9cT39Rv49Pm7LTV
cUjJoMEYgvn++GPyhLYUFARzYMrzq2BZBA+5dO9cSN9Owvi1XubtyNpDYOA+K5bk
U/QwbCOHI6Xc8pYwMad8QU+jt6+J+ugADszx3FGRykknRAsUyARbH/sHHEejZjMT
0OCgfhsPfXW1zjHouHhFm5ug3Uoku6kj+6nUpJ0VTxutE48Qv4Fl8oFdZembpR1f
6kiPFonR5Lq1bz6lcboodtf7x9kHXUyxgXeYjDolFZ26h197XJt4drFjUmdQNUTV
hAIfW2yOt85f0T5Ed3eAnYlCFjZCalp2PuJOb+3FfdWOKthRrt1IRHuD7CfxyRBS
14SOtFbmFuthPp83e72ZrLfZr36wjArF5KzQc7qR6mSoAityAjEmK0qo9uqNYgQ7
r09KDiv/ogU9ZqK1e2Hvd2uiYDe8KdEzxcdkyJaN7wQbK09d5XE5laKxwEvgxFUy
FcNNupEA0+Z4A0qT/bG2HHyLUdjuCbgUK0JwBR4NFb59m5W9u2m53lR1QpZ8Z5Ms
h6mo5uGOoCc9wrzbynH6BTQH+dAF8cqoo3hNpanBRseNjCP7dmM=
=Nf/2
-----END PGP SIGNATURE-----
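Added illustration (not part of this .changes file and not PostgreSQL's or libpq's own code): a Python model of the cleartext-after-handshake problem the 14.1 changelog above describes (CVE-2021-23214 on the server side, CVE-2021-23222 on the libpq side). It builds a real SSLRequest (the documented 8-byte message with request code 80877103) and real protocol-3.0 StartupMessage/Query framing, then shows a man-in-the-middle appending cleartext to the same TCP segment. The pre-fix path hands the trailing bytes on as if they had arrived inside the encrypted session; the fixed path refuses them. The function names, the injected payloads and the error strings are constructed for this example, and the model stops at the buffering decision: it does not reproduce how either side then parsed the smuggled bytes or any full exploit chain.

```python
"""Model of extraneous cleartext after the PostgreSQL SSL handshake request.
Constructed example; the helper names and payloads are not PostgreSQL's."""
import struct

SSLREQUEST_CODE = 80877103   # PostgreSQL protocol: SSLRequest request code
PROTOCOL_3_0 = 196608        # protocol version 3.0 (3 << 16)


class ProtocolError(Exception):
    pass


def ssl_request() -> bytes:
    # Int32 length (8) followed by Int32 request code; no type byte.
    return struct.pack("!ii", 8, SSLREQUEST_CODE)


def startup_message(user: str, database: str) -> bytes:
    # Int32 length, Int32 protocol version, NUL-separated parameters, final NUL.
    body = struct.pack("!i", PROTOCOL_3_0)
    body += b"user\0" + user.encode() + b"\0"
    body += b"database\0" + database.encode() + b"\0" + b"\0"
    return struct.pack("!i", 4 + len(body)) + body


def simple_query(sql: str) -> bytes:
    # 'Q', Int32 length (including itself, excluding the type byte), query, NUL.
    payload = sql.encode() + b"\0"
    return b"Q" + struct.pack("!i", 4 + len(payload)) + payload


def server_read_sslrequest(buf: bytes, reject_trailing: bool):
    """Backend side. `buf` is the whole cleartext read that carried the
    SSLRequest. Pre-fix behaviour (reject_trailing=False) keeps anything past
    the 8 bytes in its input buffer, where it is later consumed as though it
    had come through TLS. The fixed behaviour refuses any trailing bytes."""
    if len(buf) < 8:
        raise ProtocolError("short read")
    length, code = struct.unpack("!ii", buf[:8])
    if length != 8 or code != SSLREQUEST_CODE:
        raise ProtocolError("not an SSLRequest")
    leftover = buf[8:]
    if reject_trailing and leftover:
        raise ProtocolError("received unencrypted data after SSL request")
    return b"S", leftover


def client_read_ssl_reply(buf: bytes, reject_trailing: bool):
    """libpq side. The server answers SSLRequest with exactly one byte, 'S' or
    'N'. Anything following it in the same read was never TLS-protected and
    must not be treated as server output once the session is encrypted."""
    if not buf:
        raise ProtocolError("server closed connection")
    reply, leftover = buf[:1], buf[1:]
    if reply not in (b"S", b"N"):
        raise ProtocolError("unexpected SSL response")
    if reject_trailing and leftover:
        raise ProtocolError("received unencrypted data after SSL response")
    return reply, leftover


def mitm_against_server(reject_trailing: bool) -> dict:
    """Attacker appends a cleartext StartupMessage plus a Query to the client's
    SSLRequest segment. As the changelog notes, the smuggled commands only
    run if the server asks for no authentication data (trust, cert auth)."""
    injected = startup_message("postgres", "postgres") + simple_query("SELECT 1")
    segment = ssl_request() + injected   # constructed attacker-modified segment
    try:
        _reply, leftover = server_read_sslrequest(segment, reject_trailing)
    except ProtocolError as err:
        return {"accepted": False, "error": str(err)}
    return {"accepted": True, "smuggled_bytes": len(leftover),
            "leftover_is_injected": leftover == injected}


def mitm_against_client(reject_trailing: bool) -> dict:
    """Attacker appends a cleartext backend message to the server's 'S' byte.
    The payload here is a constructed AuthenticationCleartextPassword frame
    ('R', Int32 8, Int32 3); what pre-fix libpq did with it is not modelled."""
    injected = b"R\x00\x00\x00\x08\x00\x00\x00\x03"
    segment = b"S" + injected
    try:
        _reply, leftover = client_read_ssl_reply(segment, reject_trailing)
    except ProtocolError as err:
        return {"accepted": False, "error": str(err)}
    return {"accepted": True, "smuggled_bytes": len(leftover),
            "leftover_is_injected": leftover == injected}


if __name__ == "__main__":
    for side, fn in (("server", mitm_against_server), ("client", mitm_against_client)):
        print(side, "pre-fix:", fn(reject_trailing=False))
        print(side, "fixed:  ", fn(reject_trailing=True))
```

The check both sides need is the same one-liner: after the single pre-TLS exchange, the read buffer must be empty before the TLS (or GSS) layer takes over. A quick way to audit a deployment is to send an SSLRequest with a few extra bytes in the same write and confirm the server drops the connection instead of answering 'S' and carrying on.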