Format: 1.8
Date: Wed, 08 Nov 2017 10:40:59 +0100
Source: postgresql-9.6
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-9.6 postgresql-9.6-dbg postgresql-client-9.6 postgresql-server-dev-9.6 postgresql-doc-9.6 postgresql-contrib-9.6 postgresql-plperl-9.6 postgresql-plpython-9.6 postgresql-plpython3-9.6 postgresql-pltcl-9.6
Architecture: source
Version: 9.6.6-0+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <pkg-postgresql-public@lists.alioth.debian.org>
Changed-By: Christoph Berg <christoph.berg@credativ.de>
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6 - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 9.6
 libpq-dev - header files for libpq5 (PostgreSQL library)
 libpq5 - PostgreSQL C client library
 postgresql-9.6 - object-relational SQL database, version 9.6 server
 postgresql-9.6-dbg - debug symbols for postgresql-9.6
 postgresql-client-9.6 - front-end programs for PostgreSQL 9.6
 postgresql-contrib-9.6 - additional facilities for PostgreSQL
 postgresql-doc-9.6 - documentation for the PostgreSQL database management system
 postgresql-plperl-9.6 - PL/Perl procedural language for PostgreSQL 9.6
 postgresql-plpython-9.6 - PL/Python procedural language for PostgreSQL 9.6
 postgresql-plpython3-9.6 - PL/Python 3 procedural language for PostgreSQL 9.6
 postgresql-pltcl-9.6 - PL/Tcl procedural language for PostgreSQL 9.6
 postgresql-server-dev-9.6 - development files for PostgreSQL 9.6 server-side programming
Changes:
 postgresql-9.6 (9.6.6-0+deb9u1) stretch-security; urgency=medium
 .
   * New upstream version.
 .
     + Ensure that INSERT ... ON CONFLICT DO UPDATE checks table permissions
       and RLS policies in all cases (Dean Rasheed)
 .
       The update path of INSERT ... ON CONFLICT DO UPDATE requires SELECT
       permission on the columns of the arbiter index, but it failed to check
       for that in the case of an arbiter specified by constraint name. In
       addition, for a table with row level security enabled, it failed to
       check updated rows against the table's SELECT policies (regardless of
       how the arbiter index was specified). (CVE-2017-15099)
 .
     + Fix crash due to rowtype mismatch in json{b}_populate_recordset()
       (Michael Paquier, Tom Lane)
 .
       These functions used the result rowtype specified in the FROM ... AS
       clause without checking that it matched the actual rowtype of the
       supplied tuple value. If it didn't, that would usually result in a
       crash, though disclosure of server memory contents seems possible as
       well. (CVE-2017-15098)
 .
     + Fix BRIN index summarization to handle concurrent table extension
       correctly (Álvaro Herrera)
 .
       Previously, a race condition allowed some table rows to be omitted from
       the index. It may be necessary to reindex existing BRIN indexes to
       recover from past occurrences of this problem.
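Post-upgrade checks for the changes listed above, as an added example that is not part of the upload notice: SQL to run in each database of a 9.6 cluster to confirm the server is at 9.6.6 or later, generate REINDEX statements for every BRIN index, and list row-level-security tables that have a unique index (the tables in scope for the ON CONFLICT DO UPDATE fix). Only standard system catalogs are used; the output column aliases are chosen here for illustration.

```sql
-- Added example, not from the Debian upload. Run as a superuser or the
-- database owner, once per database, after installing 9.6.6-0+deb9u1
-- and restarting the cluster.

-- 1. Is the running 9.6 server at 9.6.6 or later? (9.6.6 reports 90606.)
--    The range is limited to the 9.6 branch, which is what this upload covers.
SELECT current_setting('server_version_num')::int BETWEEN 90606 AND 90699
       AS running_patched_9_6;

-- 2. Every BRIN index in this database, with a ready-to-run REINDEX command.
--    Rows omitted by the summarization race stay missing until the index
--    is rebuilt, so review the list and run the statements in a quiet window.
SELECT n.nspname                                  AS schema_name,
       t.relname                                  AS table_name,
       i.relname                                  AS index_name,
       pg_size_pretty(pg_relation_size(i.oid))    AS index_size,
       format('REINDEX INDEX %I.%I;', n.nspname, i.relname) AS reindex_sql
FROM   pg_index     x
JOIN   pg_class     i ON i.oid = x.indexrelid
JOIN   pg_class     t ON t.oid = x.indrelid
JOIN   pg_namespace n ON n.oid = i.relnamespace
JOIN   pg_am        a ON a.oid = i.relam
WHERE  a.amname = 'brin'
ORDER  BY schema_name, table_name, index_name;

-- 3. Tables with row level security enabled that also have a unique index,
--    i.e. tables on which INSERT ... ON CONFLICT DO UPDATE can be used and
--    where the SELECT-policy check on updated rows was previously skipped.
SELECT n.nspname             AS schema_name,
       c.relname             AS table_name,
       c.relforcerowsecurity AS rls_forced_for_owner
FROM   pg_class     c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  c.relkind = 'r'
  AND  c.relrowsecurity
  AND  EXISTS (SELECT 1
               FROM   pg_index x
               WHERE  x.indrelid = c.oid
                 AND  x.indisunique)
ORDER  BY schema_name, table_name;
```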