-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 12 Nov 2021 08:56:48 +0100
Source: postgresql-9.6
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-9.6 postgresql-9.6-dbg postgresql-client-9.6 postgresql-server-dev-9.6 postgresql-doc-9.6 postgresql-contrib-9.6 postgresql-plperl-9.6 postgresql-plpython-9.6 postgresql-plpython3-9.6 postgresql-pltcl-9.6
Architecture: source
Version: 9.6.24-0+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6 - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 9.6
 libpq-dev - header files for libpq5 (PostgreSQL library)
 libpq5 - PostgreSQL C client library
 postgresql-9.6 - object-relational SQL database, version 9.6 server
 postgresql-9.6-dbg - debug symbols for postgresql-9.6
 postgresql-client-9.6 - front-end programs for PostgreSQL 9.6
 postgresql-contrib-9.6 - additional facilities for PostgreSQL
 postgresql-doc-9.6 - documentation for the PostgreSQL database management system
 postgresql-plperl-9.6 - PL/Perl procedural language for PostgreSQL 9.6
 postgresql-plpython-9.6 - PL/Python procedural language for PostgreSQL 9.6
 postgresql-plpython3-9.6 - PL/Python 3 procedural language for PostgreSQL 9.6
 postgresql-pltcl-9.6 - PL/Tcl procedural language for PostgreSQL 9.6
 postgresql-server-dev-9.6 - development files for PostgreSQL 9.6 server-side programming
Changes:
 postgresql-9.6 (9.6.24-0+deb9u1) stretch-security; urgency=medium
 .
   * New upstream release.
 .
     + Make the server and libpq reject extraneous data after an SSL or GSS
       encryption handshake (Tom Lane)
 .
       A man-in-the-middle with the ability to inject data into the TCP
       connection could stuff some cleartext data into the start of a
       supposedly encryption-protected database session.
 .
       This could be abused to send faked SQL commands to the server,
       although that would only work if the server did not demand any
       authentication data. (However, a server relying on SSL certificate
       authentication might well not do so.) (CVE-2021-23214)
 .
       This could probably be abused to inject faked responses to the
       client's first few queries, although other details of libpq's
       behavior make that harder than it sounds. A different line of
       attack is to exfiltrate the client's password, or other sensitive
       data that might be sent early in the session. That has been shown
       to be possible with a server vulnerable to CVE-2021-23214.
       (CVE-2021-23222)
 .
       The PostgreSQL Project thanks Jacob Champion for reporting these
       problems.
Checksums-Sha1:
 b77b0b454e43be85c1d8854523992ecef0301ebe 3698 postgresql-9.6_9.6.24-0+deb9u1.dsc
 4a329b3bc5e88dccd37cf75955b6f7d5786890af 19047518 postgresql-9.6_9.6.24.orig.tar.bz2
 8b92f1c5ff1ad828e444f514aedd106e186d4ec9 32204 postgresql-9.6_9.6.24-0+deb9u1.debian.tar.xz
Checksums-Sha256:
 5988758af14615a894d06843538e78aac2ce5c0727a7007de3b6c57e856f68df 3698 postgresql-9.6_9.6.24-0+deb9u1.dsc
 aeb7a196be3ebed1a7476ef565f39722187c108dd47da7489be9c4fcae982ace 19047518 postgresql-9.6_9.6.24.orig.tar.bz2
 c2952906f297b67d401cd782a821b64af139941801b77abcf1f7c3fce5876977 32204 postgresql-9.6_9.6.24-0+deb9u1.debian.tar.xz
Files:
 900e4fa1481fe205321a530bd979b59f 3698 database optional postgresql-9.6_9.6.24-0+deb9u1.dsc
 132c726216a0e4b8540fcf974d25dc06 19047518 database optional postgresql-9.6_9.6.24.orig.tar.bz2
 d5bb8dbe15c717e6a45ac3482cf15031 32204 database optional postgresql-9.6_9.6.24-0+deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
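The check the Changes entry above describes, as a constructed model written for this page and not PostgreSQL's own code: each side treats the encryption request (server) or the one-byte reply (client) as exactly the bytes the frontend/backend protocol defines, and aborts the connection if any further bytes were buffered before the handshake, since those bytes could not have come through the encrypted channel. The SSLRequest and GSSENCRequest codes are the protocol's; the enum, function names and the buffer-as-argument shape are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Request codes from the PostgreSQL frontend/backend protocol. */
#define SSLREQUEST_CODE    80877103u   /* (1234 << 16) | 5679 */
#define GSSENCREQUEST_CODE 80877104u   /* (1234 << 16) | 5680 */

enum handshake_result {
    HS_OK = 0,              /* clean request/reply: safe to start the handshake */
    HS_REFUSED,             /* client side only: server answered 'N' */
    HS_INVALID,             /* not an encryption request/reply at all */
    HS_TRAILING_CLEARTEXT   /* bytes follow the request/reply: abort connection */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Server side (constructed model).  buf/n is everything read from the socket
 * before the encryption handshake.  A valid SSLRequest or GSSENCRequest is
 * exactly 8 bytes (int32 length = 8, int32 code); any byte after it arrived
 * in cleartext and must not be attributed to the encrypted session. */
enum handshake_result server_check_enc_request(const uint8_t *buf, size_t n)
{
    if (n < 8 || be32(buf) != 8)
        return HS_INVALID;
    uint32_t code = be32(buf + 4);
    if (code != SSLREQUEST_CODE && code != GSSENCREQUEST_CODE)
        return HS_INVALID;
    return n == 8 ? HS_OK : HS_TRAILING_CLEARTEXT;
}

/* Client side (constructed model).  The reply to SSLRequest is one byte:
 * 'S' (proceed with TLS) or 'N' (no TLS).  Bytes buffered behind an 'S'
 * were never encrypted; a client that later reads them as if they came
 * through TLS would accept attacker-chosen responses, so reject instead. */
enum handshake_result client_check_ssl_reply(const uint8_t *buf, size_t n)
{
    if (n < 1)
        return HS_INVALID;
    if (buf[0] == 'N')
        return HS_REFUSED;
    if (buf[0] != 'S')
        return HS_INVALID;
    return n == 1 ? HS_OK : HS_TRAILING_CLEARTEXT;
}
```

Feed each function the raw bytes already sitting in the receive buffer at the moment the handshake would start; HS_TRAILING_CLEARTEXT is the condition the fixed server and libpq now refuse.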