Hi, I just uploaded postgresql-11_11.19-0+deb10u1 to buster-security. If someone could pick that up for the paperwork part, that would be nice.
postgresql-11 (11.19-0+deb10u1) buster-security; urgency=medium

  * New upstream version.
    + libpq can leak memory contents after GSSAPI transport encryption
      initiation fails (Jacob Champion)
      A modified server, or an unauthenticated man-in-the-middle, can send a
      not-zero-terminated error message during setup of GSSAPI (Kerberos)
      transport encryption. libpq will then copy that string, as well as
      following bytes in application memory up to the next zero byte, to its
      error report. Depending on what the calling application does with the
      error report, this could result in disclosure of application memory
      contents. There is also a small probability of a crash due to reading
      beyond the end of memory. Fix by properly zero-terminating the server
      message. (CVE-2022-41862)

 -- Christoph Berg <m...@debian.org>  Tue, 07 Feb 2023 17:14:48 +0100

Thanks,
Christoph
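The bug class the changelog describes, as an added illustration that is not libpq code and not part of Christoph's mail: a receiver gets a length-delimited error message from the peer, but formats it as if it were a zero-terminated C string, so the copy runs on into whatever sits after the message in application memory. The names (report_error_unsafe, report_error_safe), the constructed app_memory arena and the "SESSIONTOKEN" bytes that follow the message are all assumptions made here to show the effect deterministically; the hardened variant bounds the copy by the length the protocol actually carried, which is the kind of fix the entry refers to.

```c
#include <stdio.h>
#include <string.h>

/* Constructed "application memory" (assumption, not real libpq layout):
 * a 9-byte server error text with NO terminating zero of its own, followed
 * directly by data the application never intended to put in an error report.
 * Keeping both in one literal makes the over-read deterministic here; in a
 * real process the bytes after the message are whatever happens to be there,
 * and the walk can also run off the mapping and crash. */
static const char app_memory[] = "GSS errorSESSIONTOKEN";
#define MSG_LEN 9   /* length the protocol carried for the error text */

/* Vulnerable pattern: ignores the declared length and trusts a terminator
 * that the peer did not send. %s keeps reading until the next zero byte. */
size_t report_error_unsafe(const char *msg, size_t declared_len,
                           char *out, size_t out_size)
{
    (void)declared_len;                       /* bug: length discarded */
    snprintf(out, out_size, "server error: %s", msg);
    return strlen(out);
}

/* Hardened pattern: the copy is bounded by the declared length (which the
 * caller must already have checked against the bytes actually received),
 * and snprintf terminates the result itself. With a precision, %s is not
 * required to read past declared_len bytes, so no terminator is needed in
 * msg. Returns the report length, or 0 if the message would not fit. */
size_t report_error_safe(const char *msg, size_t declared_len,
                         char *out, size_t out_size)
{
    if (declared_len > 0x7fffffff || out_size == 0)
        return 0;
    int n = snprintf(out, out_size, "server error: %.*s",
                     (int)declared_len, msg);
    if (n < 0 || (size_t)n >= out_size) {     /* refuse a truncated report */
        out[0] = '\0';
        return 0;
    }
    return (size_t)n;
}

int main(void)
{
    char buf[64];
    report_error_unsafe(app_memory, MSG_LEN, buf, sizeof buf);
    printf("unsafe: \"%s\"\n", buf);         /* carries SESSIONTOKEN */
    report_error_safe(app_memory, MSG_LEN, buf, sizeof buf);
    printf("safe:   \"%s\"\n", buf);         /* exactly the 9 message bytes */
    return 0;
}
```

The usable check on the defending side is the one the safe variant performs: treat every peer-supplied string as length-delimited bytes, carry that length into the formatting call, and never let a library call look for a terminator the wire format does not guarantee.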