-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 19 Feb 2014 10:15:39 +0100
Source: postgresql-9.3
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-9.3 postgresql-9.3-dbg postgresql-client-9.3 postgresql-server-dev-9.3 postgresql-doc-9.3 postgresql-contrib-9.3 postgresql-plperl-9.3 postgresql-plpython-9.3 postgresql-plpython3-9.3 postgresql-pltcl-9.3
Architecture: source amd64 all
Version: 9.3.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <pkg-postgresql-public@lists.alioth.debian.org>
Changed-By: Christoph Berg <christoph.berg@credativ.de>
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6    - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 9.3
 libpq-dev  - header files for libpq5 (PostgreSQL library)
 libpq5     - PostgreSQL C client library
 postgresql-9.3 - object-relational SQL database, version 9.3 server
 postgresql-9.3-dbg - debug symbols for postgresql-9.3
 postgresql-client-9.3 - front-end programs for PostgreSQL 9.3
 postgresql-contrib-9.3 - additional facilities for PostgreSQL
 postgresql-doc-9.3 - documentation for the PostgreSQL database management system
 postgresql-plperl-9.3 - PL/Perl procedural language for PostgreSQL 9.3
 postgresql-plpython-9.3 - PL/Python procedural language for PostgreSQL 9.3
 postgresql-plpython3-9.3 - PL/Python 3 procedural language for PostgreSQL 9.3
 postgresql-pltcl-9.3 - PL/Tcl procedural language for PostgreSQL 9.3
 postgresql-server-dev-9.3 - development files for PostgreSQL 9.3 server-side programming
Closes: 646245
Changes:
 postgresql-9.3 (9.3.3-1) unstable; urgency=medium
 .
   [ Christoph Berg ]
   * New upstream security/bugfix release.
 .
     + Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)
 .
       Granting a role without ADMIN OPTION is supposed to prevent the
       grantee from adding or removing members from the granted role, but
       this restriction was easily bypassed by doing SET ROLE first. The
       security impact is mostly that a role member can revoke the access
       of others, contrary to the wishes of his grantor. Unapproved role
       member additions are a lesser concern, since an uncooperative role
       member could provide most of his rights to others anyway by
       creating views or SECURITY DEFINER functions. (CVE-2014-0060)
 .
     + Prevent privilege escalation via manual calls to PL validator
       functions (Andres Freund)
 .
       The primary role of PL validator functions is to be called
       implicitly during CREATE FUNCTION, but they are also normal SQL
       functions that a user can call explicitly. Calling a validator on
       a function actually written in some other language was not checked
       for and could be exploited for privilege-escalation purposes. The
       fix involves adding a call to a privilege-checking function in
       each validator function. Non-core procedural languages will also
       need to make this change to their own validator functions, if any.
       (CVE-2014-0061)
 .
     + Avoid multiple name lookups during table and index DDL (Robert
       Haas, Andres Freund)
 .
       If the name lookups come to different conclusions due to
       concurrent activity, we might perform some parts of the DDL on a
       different table than other parts. At least in the case of CREATE
       INDEX, this can be used to cause the permissions checks to be
       performed against a different table than the index creation,
       allowing for a privilege escalation attack. (CVE-2014-0062)
 .
     + Prevent buffer overrun with long datetime strings (Noah Misch)
 .
       The MAXDATELEN constant was too small for the longest possible
       value of type interval, allowing a buffer overrun in
       interval_out(). Although the datetime input functions were more
       careful about avoiding buffer overrun, the limit was short enough
       to cause them to reject some valid inputs, such as input
       containing a very long timezone name. The ecpg library contained
       these vulnerabilities along with some of its own. (CVE-2014-0063)
 .
     + Prevent buffer overrun due to integer overflow in size
       calculations (Noah Misch, Heikki Linnakangas)
 .
       Several functions, mostly type input functions, calculated an
       allocation size without checking for overflow. If overflow did
       occur, a too-small buffer would be allocated and then written
       past. (CVE-2014-0064)
 .
     + Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef
       Mlich)
 .
       Use strlcpy() and related functions to provide a clear guarantee
       that fixed-size buffers are not overrun. Unlike the preceding
       items, it is unclear whether these cases really represent live
       issues, since in most cases there appear to be previous
       constraints on the size of the input string. Nonetheless it seems
       prudent to silence all Coverity warnings of this type.
       (CVE-2014-0065)
 .
     + Avoid crashing if crypt() returns NULL (Honza Horak, Bruce
       Momjian)
 .
       There are relatively few scenarios in which crypt() could return
       NULL, but contrib/chkpass would crash if it did. One practical
       case in which this could be an issue is if libc is configured to
       refuse to execute unapproved hashing algorithms (e.g., "FIPS
       mode"). (CVE-2014-0066)
 .
     + Document risks of make check in the regression testing
       instructions (Noah Misch, Tom Lane)
 .
       Since the temporary server started by make check uses "trust"
       authentication, another user on the same machine could connect to
       it as database superuser, and then potentially exploit the
       privileges of the operating-system user who started the tests. A
       future release will probably incorporate changes in the testing
       procedure to prevent this risk, but some public discussion is
       needed first. So for the moment, just warn people against using
       make check when there are untrusted users on the same machine.
       (CVE-2014-0067)
 .
     + Rework tuple freezing protocol (Álvaro Herrera, Andres Freund)
 .
       The logic for tuple freezing was unable to handle some cases
       involving freezing of multixact IDs, with the practical effect
       that shared row-level locks might be forgotten once old enough.
 .
       Fixing this required changing the WAL record format for tuple
       freezing. While this is no issue for standalone servers, when
       using replication it means that standby servers must be upgraded
       to 9.3.3 or later before their masters are. An older standby will
       be unable to interpret freeze records generated by a newer master,
       and will fail with a PANIC message. (In such a case, upgrading the
       standby should be sufficient to let it resume execution.)
 .
   * The upstream tarballs no longer contain a plain HISTORY file, but
     point to the html documentation. Note the location of these files
     in our changelog.gz file.
   * Teach configure to find tclsh8.6 where tclsh is not available.
 .
   [ Martin Pitt ]
   * Build with LINUX_OOM_SCORE_ADJ=0 instead of the older
     LINUX_OOM_ADJ=0. All relevant distro releases (>= squeeze/lucid)
     use kernels which support /proc/pid/oom_score_adj, so avoid the
     dmesg warnings. (Closes: #646245, LP: #991725)
   * Bump Standards-Version to 3.9.5 (no changes necessary).
   * Build with tcl8.6 where available (>= Jessie, >= trusty).
Checksums-Sha1:
 97d82caabac548630f212ad96df026b3784e62af 3317 postgresql-9.3_9.3.3-1.dsc
 66d07c89f6a00468d27d3bafb7fc0eb040355a99 16665845 postgresql-9.3_9.3.3.orig.tar.bz2
 390eb4767f8a2841dae610996db1457ef1e15958 27304 postgresql-9.3_9.3.3-1.debian.tar.xz
 91066397792a3611453c46e151962f3a896bb9bb 189778 libpq-dev_9.3.3-1_amd64.deb
 0a2b7264df0995b2a1a8a22204f665ac57e621e6 122844 libpq5_9.3.3-1_amd64.deb
 de3ca56c2a1c2a38d6e60c0399a4e143a7309180 79880 libecpg6_9.3.3-1_amd64.deb
 23fc5fa3dd3e04b191c105401f92a104295a5150 216232 libecpg-dev_9.3.3-1_amd64.deb
 9ae3b6337602c6f72ed17c14e5dd00875ec27d42 17506 libecpg-compat3_9.3.3-1_amd64.deb
 9d8cdc1d558e3f1909a4e166a3ff7c9220f14f9f 39216 libpgtypes3_9.3.3-1_amd64.deb
 e8cec764f9d191279da38562bf37d6640de433d3 3443912 postgresql-9.3_9.3.3-1_amd64.deb
 491cacb1674d264a35151b678f0b98a589116862 7098816 postgresql-9.3-dbg_9.3.3-1_amd64.deb
 a4f93b9ed6848e948e53dc3b8ea961da9b1939f8 1030076 postgresql-client-9.3_9.3.3-1_amd64.deb
 bf9d1b7ac028785e232b8a6eb9e82ef7282278c7 603518 postgresql-server-dev-9.3_9.3.3-1_amd64.deb
 5c9604c7862b0b2bbfb90db998b28662f3d79fe1 1740326 postgresql-doc-9.3_9.3.3-1_all.deb
 38a59cd6ea34e5839c94929e4eb9f54557436408 402598 postgresql-contrib-9.3_9.3.3-1_amd64.deb
 1e12d71f4584ff0fe0f5b3e599fa459882fed269 56306 postgresql-plperl-9.3_9.3.3-1_amd64.deb
 7004f230c83306e1eec7ae0e326443fbddc5928f 45482 postgresql-plpython-9.3_9.3.3-1_amd64.deb
 cbc2c618216f3cbea4eec59ab5931fa42f01ac87 45368 postgresql-plpython3-9.3_9.3.3-1_amd64.deb
 da2da2ccc1ae268363f4c9288b9c13019cd18f36 31698 postgresql-pltcl-9.3_9.3.3-1_amd64.deb
Checksums-Sha256:
 997b1ec43e470705ebc11663362ca78916a21d57d3c794f8e543d17bea5901ff 3317 postgresql-9.3_9.3.3-1.dsc
 e925d8abe7157bd8bece6b7c0dd0c343d87a2b4336f85f4681ce596af99c3879 16665845 postgresql-9.3_9.3.3.orig.tar.bz2
 20ea4657355dc2f4268718fbced1b14ca7a1bdb81a5676e90f10fb8a2d4dd018 27304 postgresql-9.3_9.3.3-1.debian.tar.xz
 98e8aa76edd97c1503ac0f2df250a71cdaac714470b87083260d3128fbbb4aa4 189778 libpq-dev_9.3.3-1_amd64.deb
 8ae5fd190c16017c04f51bf7c9d5d20b97e184bd7fa9700ff8c05c327ba55dd9 122844 libpq5_9.3.3-1_amd64.deb
 ab1588d5b74f43c2a633f1811c71cacfae48ef3092ef21d2eafe49ff8b55e1d7 79880 libecpg6_9.3.3-1_amd64.deb
 388705a8ed67a2c49aebbb8a2b2ac4e0be8a636ad3319c6ab69e3a18e69656f9 216232 libecpg-dev_9.3.3-1_amd64.deb
 0dcec153629b7fb07eeafc847af1e8ff155f14518bf0e2ae78e80d4cf818023a 17506 libecpg-compat3_9.3.3-1_amd64.deb
 bdb9c93315233e5f2801d6e3aa26871874cac625930510ad7474376ff1429f11 39216 libpgtypes3_9.3.3-1_amd64.deb
 b3a57496ca3c53bcb1f893dc06438be9e98c66213115cc3854355b7b36e414d5 3443912 postgresql-9.3_9.3.3-1_amd64.deb
 a21684f01726a33ff877a865272012b44229fa3cbc48f98229fb955dcd1519e3 7098816 postgresql-9.3-dbg_9.3.3-1_amd64.deb
 118b6c0ea981cbd1a97838a5ae67aa7a71650dd33683075e1b8fa8efcdb33b8c 1030076 postgresql-client-9.3_9.3.3-1_amd64.deb
 0ae3e2f88add2854d223ce5a64db87e07692f49c5ab55bd59f2c27148a9b0a09 603518 postgresql-server-dev-9.3_9.3.3-1_amd64.deb
 a5b6876619221961b45c2211ff185ef237105aef5c54da6d2f0f03fc9e9cf3a5 1740326 postgresql-doc-9.3_9.3.3-1_all.deb
 6d4267fe930ddd3ecfcbb79aa7727ad23eb7311ca13f21c2a7070a10b1125d11 402598 postgresql-contrib-9.3_9.3.3-1_amd64.deb
 863b37f73185a5c60792e2262f7de6fcc54b8d164e034ee75b55c3edf371d998 56306 postgresql-plperl-9.3_9.3.3-1_amd64.deb
 60df96d933544f92f0a26182c08b056cf420de25bbe83f43c172a2bb86ee4845 45482 postgresql-plpython-9.3_9.3.3-1_amd64.deb
 ad803459cd2c3ac6ffb8cb68a81174b0aa26071f67d8e47a206a40471b423c79 45368 postgresql-plpython3-9.3_9.3.3-1_amd64.deb
 8a8071287a47df65e61f4af9cf5a2606b4f8c23bdedcf80b86457e78afa178cc 31698 postgresql-pltcl-9.3_9.3.3-1_amd64.deb
Files:
 18d6bd0b715b5b5d279886451f35e5da 3317 database optional postgresql-9.3_9.3.3-1.dsc
 0247b0a24e76a3f20cc50c06d0aa2412 16665845 database optional postgresql-9.3_9.3.3.orig.tar.bz2
 aa1ed68a8a70ce509799de17dcfe39b4 27304 database optional postgresql-9.3_9.3.3-1.debian.tar.xz
 a3be928698ec5daaa7a73db2386543d7 189778 libdevel optional libpq-dev_9.3.3-1_amd64.deb
 57eaa50e51afe87daa0356b084eab21c 122844 libs optional libpq5_9.3.3-1_amd64.deb
 b95d148f479f962f1e4f82ae522cb6f5 79880 libs optional libecpg6_9.3.3-1_amd64.deb
 8fb4d0287f3a25561d13cee2eaf09f70 216232 libdevel optional libecpg-dev_9.3.3-1_amd64.deb
 e72ed9ee35f53447faa355536b7be04e 17506 libs optional libecpg-compat3_9.3.3-1_amd64.deb
 fbc08b1531ca5522fffa9c62863e02fd 39216 libs optional libpgtypes3_9.3.3-1_amd64.deb
 a967c44e79863c656c0bf3a0cdaab8f0 3443912 database optional postgresql-9.3_9.3.3-1_amd64.deb
 14c2a64c96b0d1461269d773a97075d5 7098816 debug extra postgresql-9.3-dbg_9.3.3-1_amd64.deb
 67805e388810b656c6bd140eb3bf857f 1030076 database optional postgresql-client-9.3_9.3.3-1_amd64.deb
 a92acb209a3fe22c7c029530ad9a4aa7 603518 libdevel optional postgresql-server-dev-9.3_9.3.3-1_amd64.deb
 dd8f87fbbbf3fa5b5a44b36065cb3f92 1740326 doc optional postgresql-doc-9.3_9.3.3-1_all.deb
 386241af87bedaf1a1294f96acdef473 402598 database optional postgresql-contrib-9.3_9.3.3-1_amd64.deb
 d7de3ee64ca5979a54c7cc56380215ed 56306 database optional postgresql-plperl-9.3_9.3.3-1_amd64.deb
 057120076b6fb5680238a66068692ebf 45482 database optional postgresql-plpython-9.3_9.3.3-1_amd64.deb
 0136edd61bde8fd99174cb25b7142ff9 45368 database optional postgresql-plpython3-9.3_9.3.3-1_amd64.deb
 a4ecf4249055b0477d2ed3a597e17903 31698 database optional postgresql-pltcl-9.3_9.3.3-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJTBhynAAoJEExaa6sS0qeusjIP/1E8DGKNlRNIlrDmpx2Q5Ur3
enQ6Tsf7/4Q1r7mWiElEiTBEO8P5vSMAWMxZZ6u8iKaTp8McNQW4UcXvDL9QMOpV
0GgJ+yLXz1WbUJKHRTh5mSqXTWnUi6kO4xis/jDg2w/eeJI5f3fEWXUrbSOU1kWQ
Odz1t2faBPHWM+6Nikp5d4giswo3k+PYlzGFyfaqQwnXaYktG2iuhQHYT0VpAaVr
ksjAV0RNT74eLVQRUhOinUTEQl3qM8OvTmoDtuDtzlu8Cp8YHjTfCioQzn5kkowh
6+HOz67G9gN2hMJyQ1C7AQ1D81ejFCUVD1Bv+wAOBwSblbmjq38zeSN/2IU77nWS
Jc/FcxyhVF4pc7jzEcmAGaN2WVSfkdIb9OAyNWXqXCm1JqXBGIMfoQf5SjaSEl0o
kYuNFfQBRBGih6bMi7vtuUALxPStHrpn7Rz/M4c1lFgVXQi/+BI9RNBmPFkTWG/6
C4SSNJW4mTd7HdLE6aLJYKdcHa4jyXAgg0QMzRf8Z8k35O5vECdast/3Z8eNW/+w
5fdH54J085ncH0vftmacVxHzfZjHTeNoy70hWi2+ambrB447HK/LNjBJ2y37QN+c
IhBktt2DQN0woiXVL+GtwhkjGB5ec9mE0u5ojOOySFRCAu5ek1vZCnNANwWMrQbC
vBxffZZxhAV4vi1wo6BF
=RdEU
-----END PGP SIGNATURE-----
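The CVE-2014-0063, CVE-2014-0064 and CVE-2014-0065 entries in the changelog above describe one bug class from three angles: a size computed as nelem * elemsize that wraps and yields a short allocation, and a fixed-size buffer (MAXDATELEN-style) filled without a bound. The C below is an added illustration of that class and of the two fixes the entries name (overflow-checked size calculation, strlcpy-style bounded copy); it is not PostgreSQL code and is not taken from the 9.3.3 patches. The 16-byte buffer, the TZNAME_BUF name, and the timezone strings are constructed for the example.

```c
/*
 * Added illustration of the bug class behind CVE-2014-0063/-0064/-0065:
 * size calculations that wrap, and fixed-size buffers filled without a
 * bound. Not PostgreSQL code; buffer size and sample inputs are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern: the product wraps silently, so the caller receives a
 * tiny buffer and then writes nelem elements past its end. */
size_t unchecked_alloc_size(size_t nelem, size_t elemsize)
{
    return nelem * elemsize;
}

/* Hardened pattern: return 0 when nelem * elemsize cannot be represented,
 * so the caller reports an error instead of allocating short. */
size_t checked_alloc_size(size_t nelem, size_t elemsize)
{
    if (nelem == 0 || elemsize == 0)
        return 0;
    if (nelem > SIZE_MAX / elemsize)
        return 0;                      /* overflow: refuse the request */
    return nelem * elemsize;
}

/* malloc wrapper that turns an overflowing request into NULL rather than
 * into a short allocation the caller will overrun. */
void *alloc_array(size_t nelem, size_t elemsize)
{
    size_t bytes = checked_alloc_size(nelem, elemsize);
    return bytes ? malloc(bytes) : NULL;
}

/* strlcpy semantics (PostgreSQL carries its own copy in src/port/strlcpy.c
 * for platforms without it): always NUL-terminate, never write past
 * dstsize, and return the full source length so truncation is detectable. */
size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Stand-in for a datetime-style fixed buffer (the real MAXDATELEN is
 * larger; 16 is a constructed value). Returns 1 when the name did not fit,
 * which an input function should turn into an error, not a silent cut. */
#define TZNAME_BUF 16
int tz_name_truncated(const char *name)
{
    char buf[TZNAME_BUF];
    return bounded_copy(buf, name, sizeof buf) >= sizeof buf;
}

int main(void)
{
    size_t huge = SIZE_MAX / 4 + 2;    /* 4 * huge wraps around to 4 */
    printf("unchecked size: %zu bytes (wrapped)\n", unchecked_alloc_size(huge, 4));
    printf("checked size:   %zu (0 = refused)\n", checked_alloc_size(huge, 4));
    printf("alloc_array(huge, 4): %s\n",
           alloc_array(huge, 4) == NULL ? "NULL" : "non-NULL");
    printf("\"UTC\" truncated: %d\n", tz_name_truncated("UTC"));
    printf("long tz name truncated: %d\n",
           tz_name_truncated("America/Argentina/ComodRivadavia"));
    return 0;
}
```

The point of the wrapped-size case is that the unchecked product is a perfectly ordinary small number, so nothing downstream notices until the writes run off the end of the allocation; the checked variant fails closed at the arithmetic. The truncation return value is what lets a caller reject an over-long timezone name instead of either overrunning the buffer (the CVE-2014-0063 failure) or accepting a silently shortened value.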