postgresql-16 - Debian Package Tracker

general

source: postgresql-16 (main)
version: 16.4-3
maintainer: Debian PostgreSQL Maintainers (DMD)
uploaders: Martin Pitt [DMD] – Peter Eisentraut [DMD] – Christoph Berg [DMD]
arch: all any
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

testing: 16.4-3
unstable: 16.4-3

versioned links

16.4-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libecpg-compat3
libecpg-dev
libecpg6
libpgtypes3
libpq-dev (1 bugs: 0, 1, 0, 0)
libpq5
postgresql-16
postgresql-client-16
postgresql-doc-16
postgresql-plperl-16
postgresql-plpython3-16
postgresql-pltcl-16
postgresql-server-dev-16

action needed

A new upstream version is available: 16.5 high

A new upstream version 16.5 is available, you should consider packaging it.

Created: 2024-11-17 Last update: 2024-11-21 07:31

4 security issues in trixie high

There are 4 open security issues in trixie.

4 important issues:

CVE-2024-10976: Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CVE-2024-10977: Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CVE-2024-10978: Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CVE-2024-10979: Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Created: 2024-11-14 Last update: 2024-11-15 03:35

4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:

CVE-2024-10976: Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CVE-2024-10977: Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CVE-2024-10978: Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CVE-2024-10979: Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Created: 2024-11-14 Last update: 2024-11-15 03:35

debian/patches: 7 patches with invalid metadata, 9 patches to forward upstream high

Among the 16 debian patches available in version 16.4-3 of the package, we noticed the following issues:

7 patches with invalid metadata that ought to be fixed.
9 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-09-14 Last update: 2024-10-09 07:05

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 16.6-1, distribution unstable) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit d2ceae8274161f440d8ec08abcfe479808881771
Author: Christoph Berg <myon@debian.org>
Date:   Tue Nov 19 15:41:19 2024 +0100

    New upstream version 16.6.
    
      + Repair ABI break for extensions that work with struct ResultRelInfo
        Last week's minor releases unintentionally broke binary compatibility
        with timescaledb and several other extensions.  Restore the affected
        structure to its previous size, so that such extensions need not be
        rebuilt.
      + Restore functionality of ALTER {ROLE|DATABASE} SET role
        The fix for CVE-2024-10978 accidentally caused settings for role to not
        be applied if they come from non-interactive sources, including previous
        ALTER {ROLE|DATABASE} commands and the PGOPTIONS environment variable.

Created: 2024-08-17 Last update: 2024-11-21 12:37

Depends on packages which need a new maintainer normal

The packages that postgresql-16 depends on which need a new maintainer are:

docbook-xml (#802368)
- Build-Depends: docbook-xml
docbook-xsl (#802370)
- Build-Depends: docbook-xsl

Created: 2023-09-14 Last update: 2024-11-21 10:28

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2024-03-19 Last update: 2024-03-19 12:12

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.0 instead of 4.5.0).

Created: 2023-09-14 Last update: 2024-10-09 01:04

testing migrations

This package is part of the ongoing testing transition known as llvm-defaults-19. Please avoid uploads unrelated to this transition, they would likely delay it and require supplementary work from the release managers. On the other hand, if your package has problems preventing it to migrate to testing, please fix them as soon as possible. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-openldap transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-libxml2 transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-icu transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2024-11-08] postgresql-16 16.4-3 MIGRATED to testing (Debian testing watch)
[2024-11-07] postgresql-16 REMOVED from testing (Debian testing watch)
[2024-10-13] postgresql-16 16.4-3 MIGRATED to testing (Debian testing watch)
[2024-10-08] Accepted postgresql-16 16.4-3 (source) into unstable (Christoph Berg)
[2024-10-07] Accepted postgresql-16 16.4-2 (source) into unstable (Christoph Berg)
[2024-08-12] postgresql-16 16.4-1 MIGRATED to testing (Debian testing watch)
[2024-08-08] Accepted postgresql-16 16.4-1 (source) into unstable (Christoph Berg)
[2024-05-14] postgresql-16 16.3-1 MIGRATED to testing (Debian testing watch)
[2024-05-09] Accepted postgresql-16 16.3-1 (source) into unstable (Christoph Berg)
[2024-05-03] postgresql-16 16.2-2 MIGRATED to testing (Debian testing watch)
[2024-03-18] Accepted postgresql-16 16.2-2 (source) into unstable (Christoph Berg)
[2024-02-13] postgresql-16 16.2-1 MIGRATED to testing (Debian testing watch)
[2024-02-08] Accepted postgresql-16 16.2-1 (source) into unstable (Christoph Berg)
[2023-11-14] postgresql-16 16.1-1 MIGRATED to testing (Debian testing watch)
[2023-11-10] Accepted postgresql-16 16.1-1 (source) into unstable (Christoph Berg)
[2023-09-16] postgresql-16 16.0-2 MIGRATED to testing (Debian testing watch)
[2023-09-14] Accepted postgresql-16 16.0-2 (source) into unstable (Christoph Berg)
[2023-09-07] Accepted postgresql-16 16~rc1-2 (source) into experimental (Christoph Berg)
[2023-08-31] Accepted postgresql-16 16~rc1-1 (source) into experimental (Christoph Berg)
[2023-08-10] Accepted postgresql-16 16~beta3-1 (source) into experimental (Christoph Berg)
[2023-06-30] Accepted postgresql-16 16~beta2-1 (source) into experimental (Christoph Berg)
[2023-05-24] Accepted postgresql-16 16~beta1-2 (source) into experimental (Christoph Berg)
[2023-05-23] Accepted postgresql-16 16~beta1-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Christoph Berg)

bugs [bug history graph]

all: 0

links

homepage
lintian (0, 1)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (100, 98)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 16.4-1build1
5 bugs (1 patch)