-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 27 Feb 2018 12:54:34 +0100
Source: postgresql-10
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-10 postgresql-client-10 postgresql-server-dev-10 postgresql-doc-10 postgresql-plperl-10 postgresql-plpython-10 postgresql-plpython3-10 postgresql-pltcl-10
Architecture: source
Version: 10.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <pkg-postgresql-public@lists.alioth.debian.org>
Changed-By: Christoph Berg <christoph.berg@credativ.de>
Description:
libecpg-compat3 - older version of run-time library for ECPG programs
libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
libecpg6 - run-time library for ECPG programs
libpgtypes3 - shared library libpgtypes for PostgreSQL 10
libpq-dev - header files for libpq5 (PostgreSQL library)
libpq5 - PostgreSQL C client library
postgresql-10 - object-relational SQL database, version 10 server
postgresql-client-10 - front-end programs for PostgreSQL 10
postgresql-doc-10 - documentation for the PostgreSQL database management system
postgresql-plperl-10 - PL/Perl procedural language for PostgreSQL 10
postgresql-plpython-10 - PL/Python procedural language for PostgreSQL 10
postgresql-plpython3-10 - PL/Python 3 procedural language for PostgreSQL 10
postgresql-pltcl-10 - PL/Tcl procedural language for PostgreSQL 10
postgresql-server-dev-10 - development files for PostgreSQL 10 server-side programming
Changes:
postgresql-10 (10.3-1) unstable; urgency=medium
.
* New upstream version.
.
If you run an installation in which not all users are mutually
trusting, or if you maintain an application or extension that is
intended for use in arbitrary situations, it is strongly recommended
that you read the documentation changes described in the first changelog
entry below, and take suitable steps to ensure that your installation or
code is secure.
.
Also, the changes described in the second changelog entry below may
cause functions used in index expressions or materialized views to fail
during auto-analyze, or when reloading from a dump. After upgrading,
monitor the server logs for such problems, and fix affected functions.
.
+ Document how to configure installations and applications to guard
against search-path-dependent trojan-horse attacks from other users
.
Using a search_path setting that includes any schemas writable by a
hostile user enables that user to capture control of queries and then
run arbitrary SQL code with the permissions of the attacked user. While
it is possible to write queries that are proof against such hijacking,
it is notationally tedious, and it's very easy to overlook holes.
Therefore, we now recommend configurations in which no untrusted schemas
appear in one's search path.
(CVE-2018-1058)
.
+ Avoid use of insecure search_path settings in pg_dump and other client
programs
.
pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications
were themselves vulnerable to the type of hijacking described in the
previous changelog entry; since these applications are commonly run by
superusers, they present particularly attractive targets. To make them
secure whether or not the installation as a whole has been secured,
modify them to include only the pg_catalog schema in their search_path
settings. Autovacuum worker processes now do the same, as well.
.
In cases where user-provided functions are indirectly executed by these
programs -- for example, user-provided functions in index expressions --
the tighter search_path may result in errors, which will need to be
corrected by adjusting those user-provided functions to not assume
anything about what search path they are invoked under. That has always
been good practice, but now it will be necessary for correct behavior.
(CVE-2018-1058)
Checksums-Sha1:
f9eee194b9833f22656e8227bc7f2d938021384f 3474 postgresql-10_10.3-1.dsc
93882ad46aa15fd45bfa53cb7f6532c3070d6964 19959653 postgresql-10_10.3.orig.tar.bz2
7ece926244c9a28f39d5a8175de57adcd4c13eb8 22800 postgresql-10_10.3-1.debian.tar.xz
fe681168597a63d1b7d32b451ac2f2dc7e48ad4f 8193 postgresql-10_10.3-1_source.buildinfo
Checksums-Sha256:
4d1c2d805241ffe873483c66fa531eac1cd785a6dbcfb452e38591abea5d24c7 3474 postgresql-10_10.3-1.dsc
6ea268780ee35e88c65cdb0af7955ad90b7d0ef34573867f223f14e43467931a 19959653 postgresql-10_10.3.orig.tar.bz2
5349970dd7c757b7dfcaec64d39bc457f15afd65f2307c976a3ce868b49c59bd 22800 postgresql-10_10.3-1.debian.tar.xz
1ce988a6632db9d3837b7f38e1176801dbeff3ba8d1fcfcba5c3dd779b36ef31 8193 postgresql-10_10.3-1_source.buildinfo
Files:
50cc830c2b22618ff645db6b3a78af43 3474 database optional postgresql-10_10.3-1.dsc
506498796a314c549388cafb3d5c717a 19959653 database optional postgresql-10_10.3.orig.tar.bz2
a726e913758688ab93aa0a65d3e9b952 22800 database optional postgresql-10_10.3-1.debian.tar.xz
f01c67ca2979e86a7427a486e64962c3 8193 database optional postgresql-10_10.3-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAlqX0cwACgkQTFprqxLS
p67ddg/+Ktp1YqXdLxW5YU5wRgdIXq8lHXqdVMHdkXf1pHWCetOESuyMbxi0sutD
jTEQkt5rfYQxK6OAuRZaSUB+86ef1kDOx1rqJBzo1Yrc/Cg0dn/GKIzj1hdij8S/
DEkLjXILeCgOCfOpqpzh270KxAL72VxpT/obbssHPcXq8Ho2Xfo4k+KgmmFV8Jnc
go2sgfVap55NQnMrn5cE+zKLSarlLPXD/c4LH6VJLwi768idmJH7u2Kw7E0f+O8l
FaJ9bR6dLlXc1UTZTbDZ1899JhRHl/7a6x+sbONM15i0JqVoLeYGXMbHbmMZg2D4
CYWJihGbIa5bD3Gv1k9Ivhdz6soKRm/gzZrryW1AlctWdYkYao+elSteapfSX6Nc
F1ltJ/N8KZsivxei6y+FHUmRSkYte8PHpyEdZvVWZVDf+NsNF2JhhZGodpXNCaSx
Wa6MV5+YELKs39/t/wOqO1dxB0SUY3imUsJkzSP7jrT05Pqpsb80ke3z6aAcapLJ
zX1ZjsAx9rn0e7oup6BdHBVXb547kubSAy62YHpIhvOKnoCJ7DWF4fQOrAxX4XC1
g1jZMF8xdvQ6SEBxTuI8Cg677H9Nht6TF32RVijOWgWGccPmVBkrXIHlihMPGzFA
XSYX3RZ7OAvAKEdvdx159wvtFMgGy7MRvRTczNAgUxL+MTyNHYI=
=0sKU
-----END PGP SIGNATURE-----
