-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 11 Nov 2021 12:53:26 +0100
Source: postgresql-11
Architecture: source
Version: 11.14-0+deb10u1
Distribution: buster-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 postgresql-11 (11.14-0+deb10u1) buster-security; urgency=medium
 .
   * New upstream security release.
 .
     + Make the server and libpq reject extraneous data after an SSL or GSS
       encryption handshake (Tom Lane)
 .
       A man-in-the-middle with the ability to inject data into the TCP
       connection could stuff some cleartext data into the start of a
       supposedly encryption-protected database session.
 .
       This could be abused to send faked SQL commands to the server, although
       that would only work if the server did not demand any authentication
       data. (However, a server relying on SSL certificate authentication
       might well not do so.) (CVE-2021-23214)
 .
       This could probably be abused to inject faked responses to the client's
       first few queries, although other details of libpq's behavior make that
       harder than it sounds. A different line of attack is to exfiltrate the
       client's password, or other sensitive data that might be sent early in
       the session. That has been shown to be possible with a server
       vulnerable to CVE-2021-23214. (CVE-2021-23222)
 .
       The PostgreSQL Project thanks Jacob Champion for reporting these
       problems.
Checksums-Sha1:
 a9e533415d046807fc75263d48d237d52506b153 3745 postgresql-11_11.14-0+deb10u1.dsc
 18c8ef5ca8314ce18f1bd10b6cd6f3e4c7099e64 20172910 postgresql-11_11.14.orig.tar.bz2
 7ab89fc52a703c73ea2f6ed18c231a3e4a7c2a9b 28084 postgresql-11_11.14-0+deb10u1.debian.tar.xz
Checksums-Sha256:
 1315b0b02f2788ecd3aaf0fc581f05316d4fd72c17268453e2d7066082c1584a 3745 postgresql-11_11.14-0+deb10u1.dsc
 965c7f4be96fb64f9581852c58c4f05c3812d4ad823c0f3e2bdfe777c162f999 20172910 postgresql-11_11.14.orig.tar.bz2
 f2c58526fdfad5cfc96e14bd9df4a24dc3e6335d5ec928ceaa5696e038439d28 28084 postgresql-11_11.14-0+deb10u1.debian.tar.xz
Files:
 2fd47da3ba89b8c4902b36e30bdb3c8c 3745 database optional postgresql-11_11.14-0+deb10u1.dsc
 53e02a579932a3f1c38f79685ecd36be 20172910 database optional postgresql-11_11.14.orig.tar.bz2
 c26e76d3750bc4c95b69dacc21a6baca 28084 database optional postgresql-11_11.14-0+deb10u1.debian.tar.xz
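The check the fix describes, as an added example that is not PostgreSQL's or Debian's own code: after the SSLRequest exchange, both client and server refuse any cleartext bytes that arrived before the TLS handshake instead of carrying them into the session. The function names and the strict flag are hypothetical; the 8-byte SSLRequest layout, its request code and the one-byte 'S'/'N' reply are from the PostgreSQL wire protocol, and the server side is a simplified model of the buffered-data check.

```python
import struct

# SSLRequest code from the PostgreSQL frontend/backend protocol: (1234 << 16) | 5679
SSL_REQUEST_CODE = 80877103

class SSLNegotiationError(Exception):
    """Pre-handshake exchange malformed or carrying extra cleartext bytes."""

def build_ssl_request() -> bytes:
    """The 8-byte SSLRequest message: int32 length (8), int32 request code."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)

def client_handle_ssl_response(received: bytes, strict: bool = True) -> bool:
    """Client side (libpq's role): interpret what was read after sending SSLRequest.

    The server answers with one byte, 'S' (start TLS) or 'N' (no TLS). Any
    further bytes arrived in cleartext before the handshake, so a fixed client
    aborts. strict=False models the pre-fix behaviour: the extra bytes stayed in
    the read buffer and were later consumed as if they had come over TLS.
    """
    if not received:
        raise SSLNegotiationError("connection closed during SSL negotiation")
    answer, extra = received[:1], received[1:]
    if answer not in (b"S", b"N"):
        raise SSLNegotiationError(f"unexpected SSL response byte {answer!r}")
    if extra and strict:
        raise SSLNegotiationError(
            f"received unencrypted data after SSL response ({len(extra)} bytes)")
    return answer == b"S"  # True: start the TLS handshake now

def server_check_startup(buffered: bytes) -> bool:
    """Server side: inspect everything buffered from the client before the handshake.

    True: exactly one SSLRequest. False: some other startup packet. Raises when
    cleartext follows the SSLRequest, which must not leak into the TLS session.
    """
    if len(buffered) < 8:
        raise SSLNegotiationError("short startup packet")
    length, code = struct.unpack("!ii", buffered[:8])
    if length != 8 or code != SSL_REQUEST_CODE:
        return False
    if buffered[8:]:
        raise SSLNegotiationError("received unencrypted data after SSLRequest")
    return True

# Constructed samples (not captured traffic): a clean reply and a tampered one.
CLEAN_REPLY = b"S"
TAMPERED_REPLY = b"S" + b"injected cleartext"
```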