Format: 1.8
Date: Tue, 07 Feb 2023 15:28:39 +0100
Source: postgresql-13
Architecture: source
Version: 13.10-0+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 postgresql-13 (13.10-0+deb11u1) bullseye; urgency=medium
 .
   * New upstream version.
 .
     + libpq can leak memory contents after GSSAPI transport encryption
       initiation fails (Jacob Champion)
 .
       A modified server, or an unauthenticated man-in-the-middle, can send
       a not-zero-terminated error message during setup of GSSAPI (Kerberos)
       transport encryption. libpq will then copy that string, as well as
       following bytes in application memory up to the next zero byte, to
       its error report. Depending on what the calling application does with
       the error report, this could result in disclosure of application
       memory contents. There is also a small probability of a crash due to
       reading beyond the end of memory. Fix by properly zero-terminating
       the server message.
       (CVE-2022-41862)
Checksums-Sha1:
 0eee67c09cba080cca441fd4fade36a1a025a7f5 3703 postgresql-13_13.10-0+deb11u1.dsc
 429963ec9858d8f4eab6bb2c5bffd0b52ea94eb6 21457594 postgresql-13_13.10.orig.tar.bz2
 f94ea86f84a06ddcba1d413960804b7565fa099a 29704 postgresql-13_13.10-0+deb11u1.debian.tar.xz
Checksums-Sha256:
 2b23229ab9a89c2df6c2e6301177c7b09106386e744d92dd301a8c445093b46d 3703 postgresql-13_13.10-0+deb11u1.dsc
 5bbcf5a56d85c44f3a8b058fb46862ff49cbc91834d07e295d02e6de3c216df2 21457594 postgresql-13_13.10.orig.tar.bz2
 360305293cf52bb73973596aba091a00de6da371713d87bcf5f0f79c3966f670 29704 postgresql-13_13.10-0+deb11u1.debian.tar.xz
Files:
 c6ce7d488909522195fe22b82613c997 3703 database optional postgresql-13_13.10-0+deb11u1.dsc
 72ef0eb5f9fdc5a837c14cd19c5007a0 21457594 database optional postgresql-13_13.10.orig.tar.bz2
 d381a86e421b831b3323a92cb3984534 29704 database optional postgresql-13_13.10-0+deb11u1.debian.tar.xz
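The bug class the changelog entry describes, as an added C example that is not libpq's or PostgreSQL's code: a peer-supplied, length-prefixed error message copied with a string function (which trusts the peer to have placed a terminator) beside a copy bounded by the declared length. The buffer, message text and the "secret" bytes that follow it are constructed here for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the bytes a peer sent (no NUL after the message),
 * followed directly in memory by unrelated application data. The literal's
 * own terminating NUL sits after the "secret", so the naive copy below stays
 * inside the literal and the demonstration is well-defined. */
static const char constructed_peer_buf[] = "FATAL: gss init failed" "|APP-SECRET|";
static const size_t constructed_msg_len = sizeof("FATAL: gss init failed") - 1; /* 22 */

/* Vulnerable pattern: treats the payload as a C string, so strlen() runs past
 * the declared message to whatever NUL happens to follow in memory. */
char *naive_copy(const char *payload)
{
    size_t n = strlen(payload);
    char *out = malloc(n + 1);
    if (out != NULL)
        memcpy(out, payload, n + 1);
    return out;
}

/* Hardened pattern: the payload is exactly `len` bytes, never a C string.
 * Stops at an embedded NUL if the peer sent one, otherwise at `len`, and
 * always writes its own terminator. Caller frees the result. */
char *bounded_copy(const char *payload, size_t len)
{
    if (payload == NULL)
        return NULL;
    const char *nul = memchr(payload, '\0', len);   /* bounded scan */
    size_t n = nul ? (size_t)(nul - payload) : len;
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, payload, n);
    out[n] = '\0';
    return out;
}

/* 1 if the copy carries bytes that were not part of the declared message. */
int copy_leaks(const char *copy)
{
    return copy != NULL && strstr(copy, "APP-SECRET") != NULL;
}

int main(void)
{
    char *leaky = naive_copy(constructed_peer_buf);
    char *safe  = bounded_copy(constructed_peer_buf, constructed_msg_len);
    printf("naive:   \"%s\" leaks=%d\n", leaky, copy_leaks(leaky));
    printf("bounded: \"%s\" leaks=%d\n", safe, copy_leaks(safe));
    free(leaky);
    free(safe);
    return 0;
}
```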