Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <debian-devel-changes@lists.debian.org>
Subject: Accepted postgresql-16 16.1-1 (source) into unstable
Date: Fri, 10 Nov 2023 16:51:01 +0000
Signed by: Christoph Berg <myon@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 07 Nov 2023 14:18:31 +0100
Source: postgresql-16
Architecture: source
Version: 16.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 postgresql-16 (16.1-1) unstable; urgency=medium
 .
   * New upstream version.
 .
     * Fix handling of unknown-type arguments in DISTINCT "any" aggregate
       functions (Tom Lane)
 .
       This error led to a text-type value being interpreted as an unknown-type
       value (that is, a zero-terminated string) at runtime.  This could result
       in disclosure of server memory following the text value.
 .
       The PostgreSQL Project thanks Jingzhou Fu for reporting this problem.
       (CVE-2023-5868)
 .
     * Detect integer overflow while computing new array dimensions
       (Tom Lane)
 .
       When assigning new elements to array subscripts that are outside the
       current array bounds, an undetected integer overflow could occur in edge
       cases.  Memory stomps that are potentially exploitable for arbitrary
       code execution are possible, and so is disclosure of server memory.
 .
       The PostgreSQL Project thanks Pedro Gallegos for reporting this problem.
       (CVE-2023-5869)
 .
     * Prevent the pg_signal_backend role from signalling background workers
       and autovacuum processes (Noah Misch, Jelte Fennema-Nio)
 .
       The documentation says that pg_signal_backend
       cannot issue signals to superuser-owned processes.  It was able to
       signal these background processes, though, because they advertise a
       role OID of zero.  Treat that as indicating superuser ownership.
       The security implications of cancelling one of these process types
       are fairly small so far as the core code goes (we'll just start
       another one), but extensions might add background workers that are
       more vulnerable.
 .
       Also ensure that the is_superuser parameter is set correctly in such
       processes.  No specific security consequences are known for that
       oversight, but it might be significant for some extensions.
 .
       The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar
       Srinivasarao for reporting this problem. (CVE-2023-5870)
 .
     * Fix misbehavior during recursive page split in GiST index build
       (Heikki Linnakangas)
 .
       Fix a case where the location of a page downlink was incorrectly
       tracked, and introduce some logic to allow recovering from such
       situations rather than silently doing the wrong thing.  This error could
       result in incorrect answers from subsequent index searches. It may be
       advisable to reindex all GiST indexes after installing this update.
 .
     * Prevent de-duplication of btree index entries for interval columns
 .
       There are interval values that are distinguishable but compare equal,
       for example 24:00:00 and 1 day.  This breaks assumptions made by btree
       de-duplication, so interval columns need to be excluded from
       de-duplication.  This oversight can cause incorrect results from
       index-only scans.  Moreover, after updating amcheck will report an error
       for almost all such indexes.  Users should reindex any btree indexes on
       interval columns.
 .
   * Use default LLVM version; package is now compatible with LLVM 16.
   * Rebase debian/patches/libpgport-pkglibdir.
Checksums-Sha1:
 c1aa62591e1dc5914c17f49311cc90b2bbbe9ff0 4187 postgresql-16_16.1-1.dsc
 7b335f3dbb9f566fa021f255650178b7c9642df2 24605482 postgresql-16_16.1.orig.tar.bz2
 c7cce7fde3427a62be1421055edbc2bb12d28830 30640 postgresql-16_16.1-1.debian.tar.xz
Checksums-Sha256:
 ca8f7b31e77c2ff09c6ded2c0964fcfd5a61a30b7bd865e9b6debd9c754910cf 4187 postgresql-16_16.1-1.dsc
 ce3c4d85d19b0121fe0d3f8ef1fa601f71989e86f8a66f7dc3ad546dd5564fec 24605482 postgresql-16_16.1.orig.tar.bz2
 86eb655649921d52b6027e7fa40403ec44e743647962158df5a8c4ebf4ff5294 30640 postgresql-16_16.1-1.debian.tar.xz
Files:
 f702e4c219a089f866deb7663aa53fbc 4187 database optional postgresql-16_16.1-1.dsc
 9cbfb9076ed06384471802b850698a6d 24605482 database optional postgresql-16_16.1.orig.tar.bz2
 58e7765249c5e263f7adda7a2ca8dd5e 30640 database optional postgresql-16_16.1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAmVOXIYACgkQTFprqxLS
p64wnhAAszaUo1bvl16rW4JKFxD0QLvh4dix13X6HCUXOODsVcjab7rHIP1wlL+l
DFhCgK/6VeyWR6ajalYnovA4KMCPKdX1OiMjcGQPy5VIKKLnaQLoAtkXWGCf7jr3
WQfICi0IVYeDFqsoqBqKGXM/MA09J8jQBijERuqejS0SrHNq8d0Ch+C87MFvHHsg
GbByLGJUSqQCTlZWds/hIQANpYm8MVRwDd8/4PyoCtMX9y/8/PVBI5siIAgAIvk8
hKUyZkGEZkO+Lmt9TFCgskhSroDkDLuaANohlvGhKq5Gl567FUpR3FYLNWmNvByg
0k60gyf/mP7Mo8xF4HCoThB9ya3TtnuYuUvsL/oUgtl16TmQRB2/q872a1ysiJne
29sSV6wWuCLc7RjzOC/8rBUcoqhH+hgl+CzhP87QP8w+mX+84VUEinsehffsptup
PLNZqMMF2IQ5MGL6BDAbO4B7IcrVRLUkk/9z11g9ya2RrLrq+LNYAISqcmhr77mA
VZPm+HWIZGIoGv6Dyox5GdnapwipuLUwzplQDlXQY+vnuR3CFudvNaV8JRKNFJ94
NFN9fiFACI3iS1jJts490gpJKKKs6JUu7OJEjeq3BM9ht4pbwkU/u9IDvZLEl56j
AEVfAQ7Klw5tujFXFqEaJYtloO7Ut696PiJIcwN1F9yh0xO1FHY=
=J+JV
-----END PGP SIGNATURE-----
News for package postgresql-16
