-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 09 Aug 2018 23:22:41 +0200
Source: postgresql-9.6
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-9.6 postgresql-9.6-dbg postgresql-client-9.6 postgresql-server-dev-9.6 postgresql-doc-9.6 postgresql-contrib-9.6 postgresql-plperl-9.6 postgresql-plpython-9.6 postgresql-plpython3-9.6 postgresql-pltcl-9.6
Architecture: source
Version: 9.6.10-0+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <pkg-postgresql-public@lists.alioth.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6   - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 9.6
 libpq-dev  - header files for libpq5 (PostgreSQL library)
 libpq5     - PostgreSQL C client library
 postgresql-9.6 - object-relational SQL database, version 9.6 server
 postgresql-9.6-dbg - debug symbols for postgresql-9.6
 postgresql-client-9.6 - front-end programs for PostgreSQL 9.6
 postgresql-contrib-9.6 - additional facilities for PostgreSQL
 postgresql-doc-9.6 - documentation for the PostgreSQL database management system
 postgresql-plperl-9.6 - PL/Perl procedural language for PostgreSQL 9.6
 postgresql-plpython-9.6 - PL/Python procedural language for PostgreSQL 9.6
 postgresql-plpython3-9.6 - PL/Python 3 procedural language for PostgreSQL 9.6
 postgresql-pltcl-9.6 - PL/Tcl procedural language for PostgreSQL 9.6
 postgresql-server-dev-9.6 - development files for PostgreSQL 9.6 server-side programming
Changes:
 postgresql-9.6 (9.6.10-0+deb9u1) stretch-security; urgency=medium
 .
   * New upstream version.
     + Fix failure to reset libpq's state fully between connection attempts
 .
       An unprivileged user of dblink or postgres_fdw could bypass the checks
       intended to prevent use of server-side credentials, such as a ~/.pgpass
       file owned by the operating-system user running the server. Servers
       allowing peer authentication on local connections are particularly
       vulnerable. Other attacks such as SQL injection into a postgres_fdw
       session are also possible. Attacking postgres_fdw in this way requires
       the ability to create a foreign server object with selected connection
       parameters, but any user with access to dblink could exploit the
       problem. In general, an attacker with the ability to select the
       connection parameters for a libpq-using application could cause
       mischief, though other plausible attack scenarios are harder to think
       of. Our thanks to Andrew Krasichkov for reporting this issue.
       (CVE-2018-10915)
 .
     + Fix INSERT ... ON CONFLICT UPDATE through a view that isn't just
       SELECT FROM ...
 .
       Erroneous expansion of an updatable view could lead to crashes or
       "attribute ... has the wrong type" errors, if the view's SELECT list
       doesn't match one-to-one with the underlying table's columns.
       Furthermore, this bug could be leveraged to allow updates of columns
       that an attacking user lacks UPDATE privilege for, if that user has
       INSERT and UPDATE privileges for some other column(s) of the table.
       Any user could also use it for disclosure of server memory.
       (CVE-2018-10925)
 .
   * Add new pgtypes header and symbol.
   * Refresh debian/patches/filter-debug-prefix-map.
   * Update branch in Vcs-Git field.
Checksums-Sha1:
 b7d103a4b9d15a7d1340396508c58bd9bf199e3c 3709 postgresql-9.6_9.6.10-0+deb9u1.dsc
 860ff3e2ce42246f45db1fc4519f972228168242 19991204 postgresql-9.6_9.6.10.orig.tar.bz2
 6f74dd052c8d2133543e4427d8925d983b1bfb83 23812 postgresql-9.6_9.6.10-0+deb9u1.debian.tar.xz
Checksums-Sha256:
 cefe47cfbf0d58cb55644de47f76ecff57ab9043f057635857941b1f1405d1c5 3709 postgresql-9.6_9.6.10-0+deb9u1.dsc
 8615acc56646401f0ede97a767dfd27ce07a8ae9c952afdb57163b7234fe8426 19991204 postgresql-9.6_9.6.10.orig.tar.bz2
 8940b985ebfdcc3d1b09fdd3fa5e79ac55d6f70641baae1759e51b8ed6230d58 23812 postgresql-9.6_9.6.10-0+deb9u1.debian.tar.xz
Files:
 5875dcb56ac47d52f1da6d939e0578a9 3709 database optional postgresql-9.6_9.6.10-0+deb9u1.dsc
 9a7f465252c0fbe2212566e3c079e062 19991204 database optional postgresql-9.6_9.6.10.orig.tar.bz2
 d61583b153549dfbc8a3262806241a2e 23812 database optional postgresql-9.6_9.6.10-0+deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----