[Pkg-postgresql-public] postgresql-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.changes ACCEPTED into wheezy-backports->backports-policy, wheezy-backports
Debian FTP Masters
ftpmaster at ftp-master.debian.org
Wed Nov 25 22:02:54 UTC 2015
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 24 Nov 2015 15:46:13 +0100
Source: postgresql-9.4
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-9.4 postgresql-9.4-dbg postgresql-client-9.4 postgresql-server-dev-9.4 postgresql-doc-9.4 postgresql-contrib-9.4 postgresql-plperl-9.4 postgresql-plpython-9.4 postgresql-plpython3-9.4 postgresql-pltcl-9.4
Architecture: source amd64 all
Version: 9.4.5-0+deb8u1~bpo70+1
Distribution: wheezy-backports
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <pkg-postgresql-public at lists.alioth.debian.org>
Changed-By: Christoph Berg <christoph.berg at credativ.de>
Description:
libecpg-compat3 - older version of run-time library for ECPG programs
libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
libecpg6 - run-time library for ECPG programs
libpgtypes3 - shared library libpgtypes for PostgreSQL 9.4
libpq-dev - header files for libpq5 (PostgreSQL library)
libpq5 - PostgreSQL C client library
postgresql-9.4 - object-relational SQL database, version 9.4 server
postgresql-9.4-dbg - debug symbols for postgresql-9.4
postgresql-client-9.4 - front-end programs for PostgreSQL 9.4
postgresql-contrib-9.4 - additional facilities for PostgreSQL
postgresql-doc-9.4 - documentation for the PostgreSQL database management system
postgresql-plperl-9.4 - PL/Perl procedural language for PostgreSQL 9.4
postgresql-plpython-9.4 - PL/Python procedural language for PostgreSQL 9.4
postgresql-plpython3-9.4 - PL/Python 3 procedural language for PostgreSQL 9.4
postgresql-pltcl-9.4 - PL/Tcl procedural language for PostgreSQL 9.4
postgresql-server-dev-9.4 - development files for PostgreSQL 9.4 server-side programming
Closes: 706849 749686 750111 750112 756627 757520 760564 762389 763098 764705 786874
Changes:
postgresql-9.4 (9.4.5-0+deb8u1~bpo70+1) wheezy-backports; urgency=low
.
* Rebuild for wheezy-backports.
.
postgresql-9.4 (9.4.5-0+deb8u1) jessie-security; urgency=medium
.
* New upstream security release.
.
+ Guard against stack overflows in json parsing (Oskari Saarenmaa)
.
If an application constructs PostgreSQL json or jsonb values from
arbitrary user input, the application's users can reliably crash the
PostgreSQL server, causing momentary denial of service. (CVE-2015-5289)
.
+ Fix contrib/pgcrypto to detect and report too-short crypt() salts
(Josh Kupershmidt)
.
Certain invalid salt arguments crashed the server or disclosed a few
bytes of server memory. We have not ruled out the viability of attacks
that arrange for presence of confidential information in the disclosed
bytes, but they seem unlikely. (CVE-2015-5288)
.
postgresql-9.4 (9.4.4-0+deb8u1) jessie; urgency=medium
.
* New upstream version.
+ Fix possible failure to recover from an inconsistent database state
+ Fix rare failure to invalidate relation cache init file
.
postgresql-9.4 (9.4.3-0+deb8u1) jessie; urgency=medium
.
* New upstream version:
Avoid failures while fsync'ing data directory during crash restart
(Abhijit Menon-Sen, Tom Lane; Closes: #786874)
.
postgresql-9.4 (9.4.2-0+deb8u1) stable-security; urgency=medium
.
* New upstream version.
.
+ Avoid possible crash when client disconnects just before the
authentication timeout expires (Benkocs Norbert Attila)
.
If the timeout interrupt fired partway through the session shutdown
sequence, SSL-related state would be freed twice, typically causing a
crash and hence denial of service to other sessions. Experimentation
shows that an unauthenticated remote attacker could trigger the bug
somewhat consistently, hence treat as security issue. (CVE-2015-3165)
.
+ Improve detection of system-call failures (Noah Misch)
.
Our replacement implementation of snprintf() failed to check for errors
reported by the underlying system library calls; the main case that
might be missed is out-of-memory situations. In the worst case this
might lead to information exposure, due to our code assuming that a
buffer had been overwritten when it hadn't been. Also, there were a few
places in which security-relevant calls of other system library
functions did not check for failure.
.
It remains possible that some calls of the *printf() family of functions
are vulnerable to information disclosure if an out-of-memory error
occurs at just the wrong time. We judge the risk to not be large, but
will continue analysis in this area. (CVE-2015-3166)
.
+ In contrib/pgcrypto, uniformly report decryption failures as Wrong key
or corrupt data (Noah Misch)
.
Previously, some cases of decryption with an incorrect key could report
other error message texts. It has been shown that such variance in
error reports can aid attackers in recovering keys from other systems.
While it's unknown whether pgcrypto's specific behaviors are likewise
exploitable, it seems better to avoid the risk by using a
one-size-fits-all message. (CVE-2015-3167)
.
+ Protect against wraparound of multixact member IDs
(Álvaro Herrera, Robert Haas, Thomas Munro)
.
Under certain usage patterns, the existing defenses against this might
be insufficient, allowing pg_multixact/members files to be removed too
early, resulting in data loss.
The fix for this includes modifying the server to fail transactions that
would result in overwriting old multixact member ID data, and improving
autovacuum to ensure it will act proactively to prevent multixact member
ID wraparound, as it does for transaction ID wraparound.
.
* Repository moved to git, update Vcs headers.
.
postgresql-9.4 (9.4.1-1) unstable; urgency=medium
.
* New upstream version.
+ libpq5: Name lookups fixed in minimal chroots (Closes: #756627)
+ Fix buffer overruns in to_char() (CVE-2015-0241)
+ Fix buffer overruns in contrib/pgcrypto (CVE-2015-0243)
+ Fix possible loss of frontend/backend protocol synchronization after an
error (CVE-2015-0244)
+ Fix information leak via constraint-violation error messages
(CVE-2014-8161)
.
postgresql-9.4 (9.4.0-1) unstable; urgency=medium
.
* 9.4 released.
* libpq5.symbols: PQhostaddr removed; it was new in 9.4.
.
postgresql-9.4 (9.4~rc1-1) unstable; urgency=medium
.
* First 9.4 RC release.
* Update psql call in dump-reload instructions.
* Reenable 010_pg_basebackup.t tests, fixed upstream.
.
postgresql-9.4 (9.4~beta3-3) unstable; urgency=medium
.
* Temporarily disable failing test in 010_pg_basebackup.t.
.
postgresql-9.4 (9.4~beta3-2) unstable; urgency=medium
.
* postgresql-9.4.preinst: Output detailed dump-reload instructions when
refusing the package upgrade, and also add a NEWS item about it.
(Closes: #764705)
* Add libipc-run-perl for the regression tests which otherwise skip large
parts.
* Update Standards-Version.
.
postgresql-9.4 (9.4~beta3-1) unstable; urgency=medium
.
* New upstream beta version.
+ Catalog version number changed, older 9.4 clusters need to be dumped and
reloaded.
+ Regexp regression fixed. (Closes: #760564)
+ CACHE_LINE_SIZE definition renamed to mitigate conflict on *BSD.
(Closes: #763098)
.
[ Martin Pitt ]
* Add missing logrotate test dependency.
.
[ Christoph Berg ]
* Set Multi-Arch: foreign in postgresql-client-9.4 and postgresql-doc-9.4.
(Closes: #757520; do it even on non-multiarch dists, it doesn't hurt.)
* Fix postgresql_fdw in description, spotted by Zack Weinberg, thanks!
(Closes: #762389)
.
postgresql-9.4 (9.4~beta2-1) unstable; urgency=low
.
* New upstream beta version.
+ Secure Unix-domain sockets of temporary postmasters started during make
check (Noah Misch)
.
Any local user able to access the socket file could connect as the
server's bootstrap superuser, then proceed to execute arbitrary code as
the operating-system user running the test, as we previously noted in
CVE-2014-0067. This change defends against that risk by placing the
server's socket in a temporary, mode 0700 subdirectory of /tmp.
.
* postgresql-9.4.preinst: Fail upgrade when upgrading from beta1, the
catalog version changed. People should dump/remove their old clusters
first.
* Use util-linux' uuid lib as backend for the uuid-ossp extension
(--with-uuid=e2fs).
* Enable sepgsql (--with-selinux). On systems with libselinux1-dev < 2.1.10,
this is automatically disabled.
* Revert multiarch for libpq-dev and libecpg-dev. (Closes: #750111, #750112)
* Remove our pg_regress patches to support --host=/path. Implemented
upstream as fix for CVE-2014-0067.
* debian/copyright: Say that there are various copyright holders for the
contrib modules. (Hello Lintian!)
* Update Vcs URLs.
.
postgresql-9.4 (9.4~beta1-2) experimental; urgency=medium
.
* Update watch file for 9.4.
* Enable multiarch support in libpq and friends. (Closes: #706849)
Support is automatically disabled when the distribution does not support
it.
* Stop providing postgresql-dbg in postgresql-9.4-dbg. Its only purpose was
to conflict with other postgresql-*-dbg packages, and that's no longer
needed with build-id debug symbols.
* Skip -pie on 32bit archs for performance and stability reasons.
Closes: #749686; details at
http://www.postgresql.org/message-id/20140519115318.GB7296@msgid.df7cb.de
* Update contrib copyright statements, and move them to a separate file.
Thanks to Thorsten Alteholz for reviewing the package.
.
postgresql-9.4 (9.4~beta1-1) experimental; urgency=low
.
* Update for 9.4. Packaging based on 9.3 branch.
* Bump to debhelper 9 to get debug symbol files based on build-ids.
Checksums-Sha1:
8a4b113d19b9cf083db861a48ec49f94a7ee022d 3417 postgresql-9.4_9.4.5-0+deb8u1~bpo70+1.dsc
266b8e92cdced161b6a98d4eda0810e4b61fcf49 17660960 postgresql-9.4_9.4.5.orig.tar.bz2
52a0a03af210908b8204ec905b60aa24e427e5b3 24847 postgresql-9.4_9.4.5-0+deb8u1~bpo70+1.debian.tar.gz
b5d076e6cf71075157b68b50768483679f837d13 160824 libpq-dev_9.4.5-0+deb8u1~bpo70+1_amd64.deb
2cfc56aaff240e0bdb3c6383516e4d15b11b8303 122104 libpq5_9.4.5-0+deb8u1~bpo70+1_amd64.deb
a89519fb363353b6f83dae62ee34f5bd22ab0b38 78692 libecpg6_9.4.5-0+deb8u1~bpo70+1_amd64.deb
34207121b507017a9c28a0633a016b4038125e17 218242 libecpg-dev_9.4.5-0+deb8u1~bpo70+1_amd64.deb
49f4f73c0f76dcdaeda9ff99c1ea10681fabea25 14652 libecpg-compat3_9.4.5-0+deb8u1~bpo70+1_amd64.deb
29836035ddb2b3b65824d00983e83363ca7f20d7 36324 libpgtypes3_9.4.5-0+deb8u1~bpo70+1_amd64.deb
65b9fbe3745049fd7473e542c7c9fc1098cfebf6 3657650 postgresql-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
50d7308d8544434fdbc3e1e8979ba9ede246b98d 12407872 postgresql-9.4-dbg_9.4.5-0+deb8u1~bpo70+1_amd64.deb
92921e862bfe832f88fd93eb26b98dd785b25e86 1072670 postgresql-client-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
f4a7462fbc31bf2ed110d3d0ac48b5546d67a293 635426 postgresql-server-dev-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
0e6ad6ab5495f61e025fd9fdf9852af5a166b8f1 1826962 postgresql-doc-9.4_9.4.5-0+deb8u1~bpo70+1_all.deb
de266cf9324e0726c3a5b2145e236ca79d77cbf8 438004 postgresql-contrib-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
2c98f52c96395939633f9ebe423df2a2a7ad6853 54554 postgresql-plperl-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
702be8cbfda49988c040d4b7cf487971fedd923e 43668 postgresql-plpython-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
e02b3421a50cb4056edd88d6635f16cb7b5182f5 43768 postgresql-plpython3-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
bace2f419106d0a9d29178b7e80dd1686636f6e0 29446 postgresql-pltcl-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
Checksums-Sha256:
2fd9d56811a45b8d3e7c0bfc7073f56e8c4c4ce5fa5f4346abcfc7fdffe157e1 3417 postgresql-9.4_9.4.5-0+deb8u1~bpo70+1.dsc
b87c50c66b6ea42a9712b5f6284794fabad0616e6ae420cf0f10523be6d94a39 17660960 postgresql-9.4_9.4.5.orig.tar.bz2
a62e1c0b4f7fd7b3aa9efc2fc02fa14fed579fc443d698e8c6764c060c1f4360 24847 postgresql-9.4_9.4.5-0+deb8u1~bpo70+1.debian.tar.gz
0ab7c8003af5be9452c81e67fa51731205503117e4098d6ff37ede9657af8d4b 160824 libpq-dev_9.4.5-0+deb8u1~bpo70+1_amd64.deb
1d0657f7f98cf8f127b9c9b8125a89fe0ed5a94a235a1b6e93e51490fd380c5f 122104 libpq5_9.4.5-0+deb8u1~bpo70+1_amd64.deb
9095680817633caf8835e1eb2ada58ceff350d8236bad851a1154a8a857f34b5 78692 libecpg6_9.4.5-0+deb8u1~bpo70+1_amd64.deb
2fcdbef3ad5ce9380602835759687c6d931b1c57feadf83c8666390a9bba67db 218242 libecpg-dev_9.4.5-0+deb8u1~bpo70+1_amd64.deb
e58f0c108e1e1560118369beedcc949eb965cdf5ebfb3452efd963fbf18ae68e 14652 libecpg-compat3_9.4.5-0+deb8u1~bpo70+1_amd64.deb
62a761048b8b2dae74494687dab9b93e5ea3da54d3b46fbc6408c5a84f44fc39 36324 libpgtypes3_9.4.5-0+deb8u1~bpo70+1_amd64.deb
0befda642884b00878d0298bc731b1e2fb8e63680f3a1cac04084967bc848c6e 3657650 postgresql-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
784f44515f97712b2e3cac0fe3ccdba77aac0d5c9186e0165707290faaabbbf5 12407872 postgresql-9.4-dbg_9.4.5-0+deb8u1~bpo70+1_amd64.deb
e05cdfe1c3c90d7c1e4e21518e7ab3495ca26ab957f1c42f562e13e640b8e88a 1072670 postgresql-client-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
b7d90a15f44f27caf461cdbf4f270cf197650c27bae1ec3076b2778179c78189 635426 postgresql-server-dev-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
01edbf1aa4aa67d2525e347776dfe26e529773df6ddc4ab68e534c942fb2ddea 1826962 postgresql-doc-9.4_9.4.5-0+deb8u1~bpo70+1_all.deb
1470f4d8c54062c9c1d78f366b32e9074d086f6c132bfcbbad292a9297850cd7 438004 postgresql-contrib-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
95c98d5663631125ed33fef5e8416092ef137d9dea3c0fb77517dd725af68b6b 54554 postgresql-plperl-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
42879502b39cc61599f1999510f8102ad05d9ebca054602b8b69280ce620902a 43668 postgresql-plpython-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
f120e368257f048df17caa050973efe8bcb10556a2e51b7015ed35f9168d3c42 43768 postgresql-plpython3-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
f92bd38b0ef775200a4a3ad3e5eedd451ed0dc6e074eb901260d8ff5144f1da0 29446 postgresql-pltcl-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
Files:
0bdb680820a15a4730ab274bf079839d 3417 database optional postgresql-9.4_9.4.5-0+deb8u1~bpo70+1.dsc
8b2e3472a8dc786649b4d02d02e039a0 17660960 database optional postgresql-9.4_9.4.5.orig.tar.bz2
d2bc658dfb91c30985e9c630cfe75049 24847 database optional postgresql-9.4_9.4.5-0+deb8u1~bpo70+1.debian.tar.gz
b2cc095a0aa6630f53d84e343cdb6ab7 160824 libdevel optional libpq-dev_9.4.5-0+deb8u1~bpo70+1_amd64.deb
4976e41aef6c0ca3aae1b5a3787566df 122104 libs optional libpq5_9.4.5-0+deb8u1~bpo70+1_amd64.deb
acaeb18e18e01ca4d9db8b8b79dd5121 78692 libs optional libecpg6_9.4.5-0+deb8u1~bpo70+1_amd64.deb
83498454840cfccd17e5e5983c43617b 218242 libdevel optional libecpg-dev_9.4.5-0+deb8u1~bpo70+1_amd64.deb
0d1abb87d7753da17203f07f6440010a 14652 libs optional libecpg-compat3_9.4.5-0+deb8u1~bpo70+1_amd64.deb
81f09f5e826075ef1f4afc166c8443a2 36324 libs optional libpgtypes3_9.4.5-0+deb8u1~bpo70+1_amd64.deb
681cbc65be45866b4a4515a19e41bba9 3657650 database optional postgresql-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
ce7e31551042a9455c58a5c5bf3a56c8 12407872 debug extra postgresql-9.4-dbg_9.4.5-0+deb8u1~bpo70+1_amd64.deb
df93389dfe548e728c2b8d4bc752f2e0 1072670 database optional postgresql-client-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
357aecf7f0350804bf43ca0b7e26384a 635426 libdevel optional postgresql-server-dev-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
e13b0fce251cb95c1ba203dea3795da6 1826962 doc optional postgresql-doc-9.4_9.4.5-0+deb8u1~bpo70+1_all.deb
211c238f7f9b7ad089e04e3772f03e1b 438004 database optional postgresql-contrib-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
39b9a3c68f4c980aecb04de76fd64acf 54554 database optional postgresql-plperl-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
cabf27310e2279f7df47e3c9e0cc3287 43668 database optional postgresql-plpython-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
3b4d9d221cb615cc857a6117b1e820bd 43768 database optional postgresql-plpython3-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
fce11983ade0c8623dc36af9f23418ab 29446 database optional postgresql-pltcl-9.4_9.4.5-0+deb8u1~bpo70+1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJWVIjdAAoJEExaa6sS0qeux/8P/RVGHarcPbiZoT+2IWNDEnlJ
gaLgUYYD0EakXADlZNlp1U+KM3mIjf3SU4xZYyKJyEdfb3pTKaIJfq9P6G+u1I1P
hcrWoQtuoKPNFaxRaprmqWn0APBKYbyDxSvMhp2jaxxdunxXt0pX1ISkAkUBznuQ
elhT1ycsGZz9kwqqGMTzA7KMBk9WIghzFHyEH95ZEYNvSCbk2JtXewAo4NbI28wf
/ilJs6RjbdkC4tHFxePuNnz7GFXL1Q8MOj/4+EOOFtDsJTAsORxHyGjzt+ofUows
N0Zmrxjf2qb5yvVr7LHP3suVauDT+LlYGZni341Q4tRrGmtIcksxc1RWSrKp8dLj
0NpiPOyJ8r/zs+EP1RhGMo4tmrMdM3PktzQo3gHFVVg+19shnAHvNYZW9zn09//9
2pm4V0iKGfuQ2eDXnGnkm7BtckTV0qc9hG60KJOoLYDULStGhPbdLABajkMQHdii
r6s9EHFoy1mG13Kl8M4xCSrwazAy1Mm81oWanoFdJV5cYFjP95A4vF6duubeYWG9
noKHYexPtEtu5aewRyS4Pxtk+J7dvrPbPR8/lTBq/X+X8CMZCXSS1+pkyV+FN+k4
5JSzCGlHdww5jl09MRmw0/z4LkoEr3kPTg+lGHCkCZEnjTlQdh77nHHr92O2ZULM
CC7xu71U53mqZBqOccwz
=DWX9
-----END PGP SIGNATURE-----
Thank you for your contribution to Debian.
More information about the Pkg-postgresql-public
mailing list