-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 07 Nov 2023 14:45:51 +0100
Source: postgresql-13
Architecture: source
Version: 13.13-0+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 postgresql-13 (13.13-0+deb11u1) bullseye-security; urgency=medium
 .
   * New upstream version.
 .
   * Fix handling of unknown-type arguments in DISTINCT "any" aggregate
     functions (Tom Lane)
 .
     This error led to a text-type value being interpreted as an unknown-type
     value (that is, a zero-terminated string) at runtime. This could result
     in disclosure of server memory following the text value.
 .
     The PostgreSQL Project thanks Jingzhou Fu for reporting this problem.
     (CVE-2023-5868)
 .
   * Detect integer overflow while computing new array dimensions (Tom Lane)
 .
     When assigning new elements to array subscripts that are outside the
     current array bounds, an undetected integer overflow could occur in edge
     cases. Memory stomps that are potentially exploitable for arbitrary code
     execution are possible, and so is disclosure of server memory.
 .
     The PostgreSQL Project thanks Pedro Gallegos for reporting this problem.
     (CVE-2023-5869)
 .
   * Prevent the pg_signal_backend role from signalling background workers
     and autovacuum processes (Noah Misch, Jelte Fennema-Nio)
 .
     The documentation says that pg_signal_backend cannot issue signals to
     superuser-owned processes. It was able to signal these background
     processes, though, because they advertise a role OID of zero. Treat that
     as indicating superuser ownership. The security implications of
     cancelling one of these process types are fairly small so far as the
     core code goes (we'll just start another one), but extensions might add
     background workers that are more vulnerable.
 .
     Also ensure that the is_superuser parameter is set correctly in such
     processes. No specific security consequences are known for that
     oversight, but it might be significant for some extensions.
 .
     The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar
     Srinivasarao for reporting this problem. (CVE-2023-5870)
 .
   * Fix misbehavior during recursive page split in GiST index build
     (Heikki Linnakangas)
 .
     Fix a case where the location of a page downlink was incorrectly
     tracked, and introduce some logic to allow recovering from such
     situations rather than silently doing the wrong thing. This error could
     result in incorrect answers from subsequent index searches. It may be
     advisable to reindex all GiST indexes after installing this update.
 .
   * Prevent de-duplication of btree index entries for interval columns
 .
     There are interval values that are distinguishable but compare equal,
     for example 24:00:00 and 1 day. This breaks assumptions made by btree
     de-duplication, so interval columns need to be excluded from
     de-duplication. This oversight can cause incorrect results from
     index-only scans. Moreover, after updating, amcheck will report an error
     for almost all such indexes. Users should reindex any btree indexes on
     interval columns.
 .
   * Rebase debian/patches/libpgport-pkglibdir.
   * Remove failing test 039_end_of_wal.
   * Adjust lintian overrides to work with old+new format.
Checksums-Sha1:
 1474ac7d77c6bc038fe1f281b79e3eb6a5ba1039 3703 postgresql-13_13.13-0+deb11u1.dsc
 4e7eedca825034f1e249935a811fa30ce3b58d97 21563452 postgresql-13_13.13.orig.tar.bz2
 5ac895797126923f3b4b5dfe8e28edbcf49a8ed6 34584 postgresql-13_13.13-0+deb11u1.debian.tar.xz
Checksums-Sha256:
 cc00a8e979f48eedb7350e20067037decead5aec088115c36c5447a106925297 3703 postgresql-13_13.13-0+deb11u1.dsc
 8af69c2599047a2ad246567d68ec4131aef116954d8c3e469e9789080b37a474 21563452 postgresql-13_13.13.orig.tar.bz2
 e9970f831644130f24c62e8e9d7cf34cae2dcde633ea32fa442e2164e1205de8 34584 postgresql-13_13.13-0+deb11u1.debian.tar.xz
Files:
 60dacccbc0d44cfc52fd787e16bd5144 3703 database optional postgresql-13_13.13-0+deb11u1.dsc
 d0c2efc0a6996421129c43e5b8baa075 21563452 database optional postgresql-13_13.13.orig.tar.bz2
 b844518af6bd5ea1e6edde3595b72449 34584 database optional postgresql-13_13.13-0+deb11u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAmVPiq0ACgkQTFprqxLS
p64crxAAjQmmq1UxXpBCHPCCWc5bkz79GbDVEA8gsqT4PEorNFPYuFbbfDtGYhLJ
q8ij0YVl8HJzytzyv5WCwHS6PT94p24kOBssZE6rKuHYVixhhp5raa6k7UOXk6pl
KL0jNNqzghdAwcDBozWMDfupd3wpfZya5FrWxoG3CcJpziY7ZyKBmCA09TCb1QWS
Z73fP5/GkzFc7ZK+xTb355iGdanMcWcEBb9eIVNlujm6fJDPP7RgILZCcWlq8A4k
npCRG3prVjVlyWNMlRLLieVEs+GxqkLFXCgnlgcv4wVDdtCsDwsMBJqbercBPHcO
LMgZWp+2vNZ4JsPOiC0Sau+nEDoXVzVXTa60aPj+FmV8Fmma2hVOHvHuBsLVI54W
Agg+m2x/NC/ruafevqoTdFBiPFGmZa7ir5RdKCGRrtrvV+i3jKBw5oA5XuaF7c6i
3P2a29c0jj6SMpM0KpsSYllKCED2n90FLdUF+j0QHiu2PKp6bwpGaXttpr2qbxKd
G5RZXkF3WJtftvlk2yZ0a5r10Bb4+j/auTn4nu+qMcKHSYluuoC+X7lYjqx0VAk+
rwDkGS1XbsX7YBGC4njoXmRXYB4WEYGAAsEQKksm/l9XHPmy7ZrHamViAwIJHtVo
TL9Wepk0fxeMwTij4TvWj7nghEaufMy50G215D1ORSd+O3SMpME=
=1+36
-----END PGP SIGNATURE-----
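The changelog above leaves three things for the operator to do after installing 13.13: reindex GiST indexes, reindex btree indexes on interval columns (which amcheck will now flag), and rely on pg_signal_backend no longer reaching autovacuum and background-worker processes. The following SQL is an added example of those post-update checks; it is not part of the Debian upload or of PostgreSQL's own code. It uses only the system catalogs, the amcheck contrib module and pg_stat_activity; the role name ops_signal is hypothetical, and the expected outcomes noted in comments are derived from the changelog text, not from output captured on a real server.

```sql
-- Post-update checks for postgresql-13 13.13 (added example, not project code).
-- Run as a superuser unless a comment says otherwise.

-- 1. Why interval columns break btree de-duplication: the two values below are
--    distinguishable (different text form) but compare equal, so a
--    de-duplicated posting list would merge keys that are not the same.
SELECT '24:00:00'::interval = '1 day'::interval AS compares_equal,   -- expected: t
       '24:00:00'::interval::text               AS lhs_text,
       '1 day'::interval::text                  AS rhs_text;

-- 2. btree indexes whose key columns (not INCLUDE columns) are of type interval.
--    The index relation has its own pg_attribute rows, so expression indexes
--    that evaluate to interval are found as well. Output is a list of
--    REINDEX statements ready to run; CONCURRENTLY is available in 13.
SELECT format('REINDEX INDEX CONCURRENTLY %I.%I;', n.nspname, c.relname) AS reindex_cmd
FROM pg_index i
JOIN pg_class     c  ON c.oid  = i.indexrelid
JOIN pg_namespace n  ON n.oid  = c.relnamespace
JOIN pg_am        am ON am.oid = c.relam
WHERE am.amname = 'btree'
  AND EXISTS (SELECT 1
              FROM pg_attribute a
              WHERE a.attrelid = i.indexrelid
                AND a.attnum BETWEEN 1 AND i.indnkeyatts
                AND a.atttypid = 'interval'::regtype)
ORDER BY 1;

-- 3. Every GiST index, which the changelog suggests reindexing after the
--    page-split fix.
SELECT format('REINDEX INDEX CONCURRENTLY %I.%I;', n.nspname, c.relname) AS reindex_cmd
FROM pg_index i
JOIN pg_class     c  ON c.oid  = i.indexrelid
JOIN pg_namespace n  ON n.oid  = c.relnamespace
JOIN pg_am        am ON am.oid = c.relam
WHERE am.amname = 'gist'
ORDER BY 1;

-- 4. Optional: let amcheck confirm which interval btrees are affected before
--    reindexing. bt_index_check() raises an error rather than returning a
--    status, so each index is checked in its own sub-block and the failure is
--    downgraded to a WARNING instead of aborting the loop.
CREATE EXTENSION IF NOT EXISTS amcheck;
DO $$
DECLARE r record;
BEGIN
  FOR r IN
    SELECT i.indexrelid AS oid
    FROM pg_index i
    JOIN pg_class c  ON c.oid  = i.indexrelid
    JOIN pg_am    am ON am.oid = c.relam
    WHERE am.amname = 'btree'
      AND EXISTS (SELECT 1 FROM pg_attribute a
                  WHERE a.attrelid = i.indexrelid
                    AND a.attnum BETWEEN 1 AND i.indnkeyatts
                    AND a.atttypid = 'interval'::regtype)
  LOOP
    BEGIN
      PERFORM bt_index_check(r.oid);
      RAISE NOTICE 'amcheck ok: %', r.oid::regclass;
    EXCEPTION WHEN OTHERS THEN
      RAISE WARNING 'amcheck failed for % (reindex it): %', r.oid::regclass, SQLERRM;
    END;
  END LOOP;
END $$;

-- 5. pg_signal_backend after CVE-2023-5870. A member of the role may still
--    cancel ordinary client sessions, but processes that advertise role OID 0
--    (autovacuum launcher/workers, background workers) are now treated as
--    superuser-owned. ops_signal is a hypothetical role created for the test.
CREATE ROLE ops_signal LOGIN;          -- hypothetical
GRANT pg_signal_backend TO ops_signal; -- the only privilege it has

-- Run the next statement as ops_signal (e.g. after \c - ops_signal in psql):
SELECT pid, backend_type, pg_cancel_backend(pid) AS cancelled
FROM pg_stat_activity
WHERE backend_type = 'autovacuum launcher';
-- 13.13: fails with an insufficient-privilege error (superuser-owned process).
-- Before this update the same statement returned cancelled = t, which is the
-- behaviour the changelog entry describes as the bug.

-- Clean up the test role afterwards (as superuser).
DROP ROLE ops_signal;
```

Step 2 deliberately restricts itself to key columns (attnum up to indnkeyatts): INCLUDE columns never take part in de-duplication, so an interval column that appears only in an INCLUDE list does not need the reindex. If running REINDEX CONCURRENTLY is not an option, REINDEX INDEX without the keyword takes an exclusive lock but is equally effective.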