Format: 1.8
Date: Tue, 17 Aug 2021 14:04:37 +0200
Source: postgresql-13
Architecture: source
Version: 13.5-0+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 postgresql-13 (13.5-0+deb11u1) bullseye-security; urgency=medium
 .
   * New upstream security release.
 .
     + Make the server and libpq reject extraneous data after an SSL or GSS
       encryption handshake (Tom Lane)
 .
       A man-in-the-middle with the ability to inject data into the TCP
       connection could stuff some cleartext data into the start of a
       supposedly encryption-protected database session.
 .
       This could be abused to send faked SQL commands to the server,
       although that would only work if the server did not demand any
       authentication data. (However, a server relying on SSL certificate
       authentication might well not do so.) (CVE-2021-23214)
 .
       This could probably be abused to inject faked responses to the
       client's first few queries, although other details of libpq's
       behavior make that harder than it sounds. A different line of attack
       is to exfiltrate the client's password, or other sensitive data that
       might be sent early in the session. That has been shown to be
       possible with a server vulnerable to CVE-2021-23214. (CVE-2021-23222)
 .
       The PostgreSQL Project thanks Jacob Champion for reporting these
       problems.
 .
   * Flatten debian/*.lintian-overrides symlinks to fix salsa CI.
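The handshake check described in the changelog above, as an added example that is neither libpq's nor the Debian package's code: a Python model of the PostgreSQL SSLRequest exchange (8-byte request, one-byte 'S'/'N' reply) with the server- and client-side checks that refuse any cleartext bytes arriving before TLS actually starts. The function names, the `reject_extraneous` switch and the sample buffers are assumptions of this example; the pre-fix path is modelled only to show what the check closes.

```python
import struct

SSL_REQUEST_CODE = 80877103  # (1234 << 16) | 5679 marks an SSLRequest packet


class ProtocolViolation(Exception):
    """The peer's bytes do not fit the expected exchange; drop the connection."""


def ssl_request_packet() -> bytes:
    """Client -> server: int32 length (always 8), then the int32 request code."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def server_handle_startup(buf: bytes, *, reject_extraneous: bool) -> bytes:
    """Server side: buf is everything read while waiting for the startup packet.
    A genuine SSLRequest is exactly 8 bytes; anything after it arrived in
    cleartext before TLS was negotiated, so the patched server refuses it."""
    if len(buf) < 8:
        raise ProtocolViolation("short startup packet")
    length, code = struct.unpack("!ii", buf[:8])
    if length != 8 or code != SSL_REQUEST_CODE:
        raise ProtocolViolation("not an SSLRequest")
    if reject_extraneous and len(buf) > 8:
        raise ProtocolViolation("received unencrypted data after SSL request")
    return b"S"  # 'S' = start the TLS handshake now; 'N' would decline


def client_handle_ssl_response(buf: bytes, *, reject_extraneous: bool) -> str:
    """Client side: buf is everything read after sending SSLRequest. The genuine
    reply is one byte. With reject_extraneous=False (the pre-fix behaviour being
    modelled) surplus bytes stay buffered and are later parsed as server messages."""
    if not buf:
        raise ProtocolViolation("connection closed before SSL response")
    answer = buf[:1]
    if answer not in (b"S", b"N"):
        raise ProtocolViolation(f"unexpected SSL response {answer!r}")
    if reject_extraneous and len(buf) > 1:
        raise ProtocolViolation(
            f"received unencrypted data after SSL response ({len(buf) - 1} bytes)")
    return answer.decode("ascii")


def rejects(fn, *args, **kwargs) -> bool:
    """True if fn raises ProtocolViolation; used to compare old and new behaviour."""
    try:
        fn(*args, **kwargs)
    except ProtocolViolation:
        return True
    return False
```

Feeding the same constructed buffer (`b"S"` followed by surplus bytes) to both modes shows the difference: the pre-fix client returns "S" and keeps the surplus for later parsing, the patched client aborts the connection before TLS begins.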