postgresql-17 - Debian Package Tracker

general

source: postgresql-17 (main)
version: 17.1-1
maintainer: Debian PostgreSQL Maintainers (DMD)
uploaders: Peter Eisentraut [DMD] – Christoph Berg [DMD] – Martin Pitt [DMD]
arch: all any
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

testing: 17.0-1
unstable: 17.1-1

versioned links

17.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
17.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libecpg-compat3
libecpg-dev
libecpg6
libpgtypes3
libpq-dev (1 bugs: 0, 1, 0, 0)
libpq5
postgresql-17 (2 bugs: 0, 2, 0, 0)
postgresql-client-17 (2 bugs: 0, 2, 0, 0)
postgresql-doc-17
postgresql-plperl-17
postgresql-plpython3-17
postgresql-pltcl-17
postgresql-server-dev-17

action needed

Debci reports failed tests high

unstable: pass (log)
The tests ran in an unknown time
Last run: 2024-11-15T00:34:51.000Z
Previous status: unknown

testing: fail (log)
The tests ran in an unknown time
Last run: 2024-11-18T20:15:14.000Z
Previous status: unknown

Created: 2024-11-04 Last update: 2024-11-21 09:35

debian/patches: 7 patches with invalid metadata, 7 patches to forward upstream high

Among the 14 debian patches available in version 17.1-1 of the package, we noticed the following issues:

7 patches with invalid metadata that ought to be fixed.
7 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2024-09-05 Last update: 2024-11-15 09:00

4 security issues in trixie high

There are 4 open security issues in trixie.

4 important issues:

CVE-2024-10976: Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CVE-2024-10977: Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CVE-2024-10978: Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CVE-2024-10979: Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Created: 2024-11-14 Last update: 2024-11-15 03:35

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2024-11-20 Last update: 2024-11-21 09:32

Depends on packages which need a new maintainer normal

The packages that postgresql-17 depends on which need a new maintainer are:

docbook-xml (#802368)
- Build-Depends: docbook-xml
docbook-xsl (#802370)
- Build-Depends: docbook-xsl

Created: 2024-09-05 Last update: 2024-11-21 06:33

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2024-10-24 Last update: 2024-11-21 03:36

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 17.2-1, distribution unstable) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit fbda4786353a327173dcb3356de405b5558583cf
Author: Christoph Berg <myon@debian.org>
Date:   Tue Nov 19 15:41:19 2024 +0100

    New upstream version 17.2.
    
      + Repair ABI break for extensions that work with struct ResultRelInfo
        Last week's minor releases unintentionally broke binary compatibility
        with timescaledb and several other extensions.  Restore the affected
        structure to its previous size, so that such extensions need not be
        rebuilt.
      + Restore functionality of ALTER {ROLE|DATABASE} SET role
        The fix for CVE-2024-10978 accidentally caused settings for role to not
        be applied if they come from non-interactive sources, including previous
        ALTER {ROLE|DATABASE} commands and the PGOPTIONS environment variable.

Created: 2024-11-19 Last update: 2024-11-19 18:34

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2024-10-15 Last update: 2024-10-15 19:04

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.0 instead of 4.5.0).

Created: 2024-09-05 Last update: 2024-11-15 02:03

testing migrations

This package is part of the ongoing testing transition known as llvm-defaults-19. Please avoid uploads unrelated to this transition, they would likely delay it and require supplementary work from the release managers. On the other hand, if your package has problems preventing it to migrate to testing, please fix them as soon as possible. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-openldap transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-libxml2 transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-icu transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migration status for postgresql-17 (17.0-1 to 17.1-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ autopkgtest for postgresql-17/17.1-1: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ autopkgtest for timescaledb/2.17.2+dfsg-1: amd64: Regression or new test ♻ (reference ♻), arm64: Regression or new test ♻ (reference ♻), ppc64el: Regression or new test ♻ (reference ♻), riscv64: Regression or new test ♻ (reference ♻)
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/p/postgresql-17.html
- ∙ ∙ Reproducible on amd64 - info ♻
- ∙ ∙ Reproducible on arm64 - info ♻
- ∙ ∙ Waiting for reproducibility test results on armhf - info ♻
- ∙ ∙ Reproducible on i386 - info ♻
- ∙ ∙ 6 days old (needed 5 days)
- Not considered

news

[rss feed]

[2024-11-14] Accepted postgresql-17 17.1-1 (source) into unstable (Christoph Berg)
[2024-09-28] postgresql-17 17.0-1 MIGRATED to testing (Debian testing watch)
[2024-09-26] Accepted postgresql-17 17.0-1 (source) into unstable (Christoph Berg)
[2024-09-09] postgresql-17 17~rc1-1 MIGRATED to testing (Debian testing watch)
[2024-09-05] Accepted postgresql-17 17~rc1-1 (source) into unstable (Christoph Berg)
[2024-08-08] Accepted postgresql-17 17~beta3-1 (source) into experimental (Christoph Berg)
[2024-06-25] Accepted postgresql-17 17~beta2-1 (source) into experimental (Christoph Berg)
[2024-05-23] Accepted postgresql-17 17~beta1-1 (source) into experimental (Christoph Berg)
[2024-05-11] Accepted postgresql-17 17~~devel20240509-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Christoph Berg)

bugs [bug history graph]

all: 5
RC: 0
I&N: 5
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, checks, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (100, 97)
debian patches
debci