Hi,
I just uploaded 3 PostgreSQL security updates:
postgresql-15_15.5-0+deb12u1_source.changes
postgresql-13_13.13-0+deb11u1_source.changes
postgresql-11_11.22-0+deb10u1_source.changes
Unstable has been fixed in 16.1-1. (I don't intend to fix PG15 in
unstable, the package will be removed soon.)
Re: Utkarsh Gupta
> > I uploaded PostgreSQL 11 to buster. The same DSA for PG 13 went out a
> > few minutes ago. The PG 15 upload will happen now.
>
> Great, thank you. I'll prep the paperwork in sometime.
Thanks!
Christoph
> Distribution: buster-security
> Urgency: medium
> Maintainer: Debian PostgreSQL Maintainers
> Changed-By: Christoph Berg
> Changes:
> postgresql-11 (11.20-0+deb10u1) buster-security; urgency=medium
> .
> * New upstream version.
> .
> + Prevent CREATE
Re: Roberto C. Sánchez
> Thanks for doing the upload. I'll take care of the paperwork just now.
Thanks!
Christoph
end of memory. Fix by properly zero-terminating the server
message. (CVE-2022-41862)
-- Christoph Berg Tue, 07 Feb 2023 17:14:48 +0100
Thanks,
Christoph
reporting this problem.
-- Christoph Berg Thu, 11 Aug 2022 14:03:50 +0200
Thanks,
Christoph
Re: Sylvain Beucler
> Hello Christoph,
>
> According to the LTS files, you plan to take care of postgresql-9.6 security
> updates for stretch.
Hi Sylvain,
I had told the security team that I do *not* intend to update 9.6 in
stretch. I guess that got noted incorrectly.
If anyone wants to pick t
Re: Utkarsh Gupta
> Hi Christoph,
>
> On Fri, Nov 12, 2021 at 1:47 PM Christoph Berg wrote:
> > could someone do the paperwork for
> > postgresql-9.6_9.6.24-0+deb9u1_source.changes ?
>
> Done both, the announcement and the website update. Thank you! \o/
Thanks!
Christoph
Format: 1.8
Date: Tue, 17 Aug 2021 14:04:37 +0200
Source: postgresql-13
Architecture: source
Version: 13.5-0+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers
Changed-By: Christoph Berg
Changes:
postgresql-13 (13.5-0+deb11u1) bullseye
Re: Stefan Huehner
> Checking openssl / gnutls versions across releases:
> jessie libssl1.0.0 1.0.1t
> libgnutls-deb0-28 3.3.8
>
> stretch libssl1.0.2 1.0.2u
> libssl1.1 1.1.0l
> libg
Re: Utkarsh Gupta
> Hello,
>
> On Tue, Aug 31, 2021 at 7:18 PM Adam D. Barratt
> wrote:
> > I noticed that postgresql-9.6 got uploaded to stretch-lts late last
> > week, but there doesn't appear to have been a DLA issued for it yet.
> >
> > Is that already in progress?
>
> If not, I'll be happy
Package: postgresql-common
Version: 165+deb8u4
CVE ID : CVE-2019-3466
Rich Mirch discovered that the pg_ctlcluster script didn't drop
privileges when creating socket/statistics temporary directories, which
could result in local privilege escalation.
For the oldoldstable di
Package: postgresql-9.4
Version: 9.4.24-0+deb8u1
CVE ID : CVE-2019-10208
* CVE-2019-10208: `TYPE` in `pg_temp` executes arbitrary SQL during
`SECURITY DEFINER` execution
Versions Affected: 9.4 - 11
Given a suitable `SECURITY DEFINER` function, an attacker can execute
arbi
Re: Holger Levsen 2019-05-16 <20190516183802.uryz4rr7enuwp...@layer-acht.org>
> > Or should we focus on a way to announce process
> > changes once every other year?
>
> a mail to d-d-a with subject 'bits from the lts team' with these and other
> changes would probably be a good idea.
A single mai
Re: Holger Levsen 2019-05-15 <20190515130831.qcgsaiig3bh3b...@layer-acht.org>
> Should we maybe put just this on a page called
> https://wiki.debian.org/LTS/Development/TLDR
> which then people can look at when they occasionally do a DLA?
>
> (and link to that TLDR page prominently from our oth
Re: Markus Koschany 2018-08-18 <6056c156-4936-2dd9-77ef-57fc50dca...@debian.org>
> Do you prefer that we take care of it or shall we mark 9.1 as EOL and
> recommend to upgrade to 9.4 instead?
As Moritz already noted 9.1 is the upgrade-only version, i.e. to help
users upgrade to Stretch.
Christoph
Re: Brian May 2018-03-07 <87a7vk9yhn@prune.linuxpenguins.xyz>
> > jessie's postgresql-9.1 package is shipping a single binary package
> > only, postgresql-plperl-9.1. (Check the jessie release notes for the
> > rationale.) plperl is not affected by the changes as far as I can tell
> > by inspec
Re: Brian May 2018-03-04 <87tvtva5r4@prune.linuxpenguins.xyz>
> Christoph Berg writes:
>
> > + [jessie] - postgresql-9.1 (postgresql-9.1 in jessie is
> > PL/Perl only)
>
> Hello,
>
> What did you mean by "jessie is PL/Perl only"?
Hi Brian
Package: postgresql-9.1
Version: 9.1.24lts2-0+deb7u2
CVE ID : CVE-2018-1053
A vulnerability has been found in the PostgreSQL database system:
CVE-2018-1053
Tom Lane discovered that pg_upgrade, a tool used to upgrade
PostgreSQL database clusters, creates temporar
Re: Salvatore Bonaccorso 2017-11-10 <20171110201118.wgv257pqulnzsdbg@eldamar.local>
> Christoph Berg has uploaded a version for postgresql-common to address
> CVE-2017-8806 as well for wheezy.
>
> https://lists.debian.org/debian-lts-changes/2017/11/msg00012.html
>
> If
Re: Raphael Hertzog 2017-06-20 <20170620162214.kxf3y2ksrxkai...@home.ouaza.com>
> That said the wheezy users would most certainly benefit from a fixed
> package and it looks like the issues have all been fixed in 1.5.0 and
> 1.5.1 so it should be possible to apply upstream fixes.
Last time I check
On 28 May 2017 16:11:47 CEST, Thorsten Alteholz wrote:
> Hi Christoph,
>
> ok, thanks for the clarification.
>
> On Wed, 24 May 2017, Christoph Berg wrote:
> > postgresql-9.1 in wheezy is affected from my understanding of when
> > pg_user_mappings was introduced.
>
Re: Ola Lundqvist 2017-05-21
> Hi Thorsten
>
> I had a look into this and I'm not sure both statements are correct for
> Jessie.
>
> For CVE-2017-7486 I think the information in Jessie is wrong. The
> patched code is definitely there in wheezy at least. But maybe it is
> not triggered for some
Re: Ola Lundqvist 2016-12-20 <20161220215504.ga24...@inguza.net>
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of postgresql-common:
> https://security-tracker.debian.org/tracker/CVE-2016-1255
>
> Would y
Re: Raphael Hertzog 2016-09-09 <20160909091924.oy6leplmaoqmf...@home.ouaza.com>
> Hi Ivan,
>
> On Thu, 08 Sep 2016, Ivan Kohler wrote:
> > We should make arrangements to have PostgreSQL internals expertise
> > available, in the contingency that we need to do our own backport of any
> > critical
Re: Guido Günther 2016-08-10 <20160810170325.ga5...@bogon.m.sigxcpu.org>
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of postgresql-9.1:
That's actually already done, I'll post the LTS announcement tomor
he time to fix the problem.
The builds are now ok and should be available on the mirrors later
today.
Kind regards,
Christoph Berg
--
Senior Consultant, Tel.: +49 (0)21 61 / 46 43-187
credativ GmbH, HRB Mönchengladbach 12080, USt-ID-Nummer: DE204566209
Hohenzollernstr. 133, 41061 Mönchengladbac
Package: postgresql-8.4
Version: 8.4.22lts5-0+deb6u2
The 8.4.22lts5-0+deb6u1 update failed to build on the i386
architecture because the regression tests were not correctly adapted
for changes in lts5. This has now been corrected, updated binaries for
i386 and amd64 (which were una
Re: Santiago Ruano Rincón 2015-10-08 <20151008161110.GA2567@nomada>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of postgresql-8.4:
> https://security-tracker.debian.org/tracker/CVE-2015-5288
> https://security-tracker.debian.org/trac
Package: postgresql-8.4
Version: 8.4.22lts4-0+deb6u1
Several bugs were discovered in PostgreSQL, a relational database server
system. The 8.4 branch is EOLed upstream, but still present in Debian squeeze.
This new LTS minor version contains the fixes that were applied upstream to
Re: Raphael Hertzog 2015-05-26 <20150526161956.ga9...@home.ouaza.com>
> Hello Christoph,
>
> the Debian LTS team recently reviewed the security issue(s) affecting your
> package in Squeeze:
> https://security-tracker.debian.org/tracker/CVE-2015-4054
Hi,
I had thought about providing a package th