-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 07 Aug 2018 10:56:16 +0200
Source: postgresql-10
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-10 postgresql-client-10 postgresql-server-dev-10 postgresql-doc-10 postgresql-plperl-10 postgresql-plpython-10 postgresql-plpython3-10 postgresql-pltcl-10
Architecture: source
Version: 10.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <pkg-postgresql-public@lists.alioth.debian.org>
Changed-By: Christoph Berg <christoph.berg@credativ.de>
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6 - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 10
 libpq-dev - header files for libpq5 (PostgreSQL library)
 libpq5 - PostgreSQL C client library
 postgresql-10 - object-relational SQL database, version 10 server
 postgresql-client-10 - front-end programs for PostgreSQL 10
 postgresql-doc-10 - documentation for the PostgreSQL database management system
 postgresql-plperl-10 - PL/Perl procedural language for PostgreSQL 10
 postgresql-plpython-10 - PL/Python procedural language for PostgreSQL 10
 postgresql-plpython3-10 - PL/Python 3 procedural language for PostgreSQL 10
 postgresql-pltcl-10 - PL/Tcl procedural language for PostgreSQL 10
 postgresql-server-dev-10 - development files for PostgreSQL 10 server-side programming
Changes:
 postgresql-10 (10.5-1) unstable; urgency=medium
 .
   * New upstream version.
     + Fix failure to reset libpq's state fully between connection attempts
 .
       An unprivileged user of dblink or postgres_fdw could bypass the checks
       intended to prevent use of server-side credentials, such as a ~/.pgpass
       file owned by the operating-system user running the server. Servers
       allowing peer authentication on local connections are particularly
       vulnerable. Other attacks such as SQL injection into a postgres_fdw
       session are also possible. Attacking postgres_fdw in this way requires
       the ability to create a foreign server object with selected connection
       parameters, but any user with access to dblink could exploit the
       problem. In general, an attacker with the ability to select the
       connection parameters for a libpq-using application could cause
       mischief, though other plausible attack scenarios are harder to think
       of. Our thanks to Andrew Krasichkov for reporting this issue.
       (CVE-2018-10915)
 .
     + Fix INSERT ... ON CONFLICT UPDATE through a view that isn't just
       SELECT FROM ...
 .
       Erroneous expansion of an updatable view could lead to crashes or
       "attribute ... has the wrong type" errors, if the view's SELECT list
       doesn't match one-to-one with the underlying table's columns.
       Furthermore, this bug could be leveraged to allow updates of columns
       that an attacking user lacks UPDATE privilege for, if that user has
       INSERT and UPDATE privileges for some other column(s) of the table.
       Any user could also use it for disclosure of server memory.
       (CVE-2018-10925)
 .
   * Remove version checking for libselinux1-dev, 2.1.10 is old enough now.
   * Drop support for tcl8.5.
   * Use dh_auto_configure to correctly seed the build architecture.
   * Filter -fdebug-prefix-map and -ffile-prefix-map in more places, and make
     PGXS modules build reproducibly.
   * Add new pgtypes header and symbol.
Checksums-Sha1:
 296ca0aaa820857c053cd14e7ef0ef4d482ff4a1 3461 postgresql-10_10.5-1.dsc
 8c7b4406b0ba2987f4170657f89908ad47947429 20284578 postgresql-10_10.5.orig.tar.bz2
 e9033b326eb23a1910a8a18654010b4de9ee64ec 24872 postgresql-10_10.5-1.debian.tar.xz
Checksums-Sha256:
 e927a34c348539e6f4dd38f639263ccc28db682522bbd2810ffb76d2d22a3f2a 3461 postgresql-10_10.5-1.dsc
 6c8e616c91a45142b85c0aeb1f29ebba4a361309e86469e0fb4617b6a73c4011 20284578 postgresql-10_10.5.orig.tar.bz2
 e00c056c95611df8cd85a90d6bdab94efcfea1efdba36aa29cc7636df8c25b06 24872 postgresql-10_10.5-1.debian.tar.xz
Files:
 b72f8eb5844a22794e7d0738b6a201f6 3461 database optional postgresql-10_10.5-1.dsc
 a5fe5fdff2d6c28f65601398be0950df 20284578 database optional postgresql-10_10.5.orig.tar.bz2
 d54f8138856955af61eec9587d656191 24872 database optional postgresql-10_10.5-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAltr4FEACgkQTFprqxLS
p65qxRAAlfRfr7mi/I/45m5ZSn8zI0XZlvLSRObI7zqH4M1QGVTDAzW2kt6rZDec
1vXNyRDxvem3c2EAkqlOMKgPvm3Sz918/NBLt8sKtiiT5ug/nHVOBLsz8hOjQerb
2g4BRK1069rt4CKBl+o5gadcGbGf2NnHx7RV2ShqNcycqGHL1XGwzKuL78uvaWzl
io22rp1ecj0Wb0hmnDlmT4kBkY9Q6D6CWOCUoxjHhRfWB4raCtATIr3PDNp7L88i
L0WvcfCkKt2NBE1phuasbRlzpAHneGY0P3HS/LL0aLMpAWjAQAoRCz4hjJl3qXKI
maammvg/Oa5RNHKaL4hbubQuxQ13tWZQJqCmu24+TJgO3FW0ZmE34MUP/GZby6Hu
E9wLmwLE/WFwM/9rM/q4/QXxW+icMGSpg8upmJ1cDkqZSbai0SITp7mc8cE2UESc
VaBDDE0TOgVaYtf7cUzV9ca1jn5y7dYggh5PAG+iYWJNFw6bgswOz6Q7yDj7CHoM
7g3BkLXldZbS0M+8l8Y+O3mUDzInEhBJN1dznYu8vWzosMgNYZ8Q7mEZEO1DcAYD
lh0TStpnoxiluuSjqdtb1lvMjZfV/C/tw5nRBGDSBdkqAb2sIFqFIYAhAEnLYMva
ZD8wZ7wpRaoGr1KppDQb/Joiok66re0U6zwMLG9NaHD02en1wLk=
=hf9P
-----END PGP SIGNATURE-----