Format: 1.8
Date: Tue, 07 May 2019 12:51:42 +0200
Source: postgresql-9.6
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-9.6 postgresql-9.6-dbg postgresql-client-9.6 postgresql-server-dev-9.6 postgresql-doc-9.6 postgresql-contrib-9.6 postgresql-plperl-9.6 postgresql-plpython-9.6 postgresql-plpython3-9.6 postgresql-pltcl-9.6
Architecture: all
Version: 9.6.13-0+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: all Build Daemon (x86-csail-02)
Changed-By: Christoph Berg
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6 - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 9.6
 libpq-dev - header files for libpq5 (PostgreSQL library)
 libpq5 - PostgreSQL C client library
 postgresql-9.6 - object-relational SQL database, version 9.6 server
 postgresql-9.6-dbg - debug symbols for postgresql-9.6
 postgresql-client-9.6 - front-end programs for PostgreSQL 9.6
 postgresql-contrib-9.6 - additional facilities for PostgreSQL
 postgresql-doc-9.6 - documentation for the PostgreSQL database management system
 postgresql-plperl-9.6 - PL/Perl procedural language for PostgreSQL 9.6
 postgresql-plpython-9.6 - PL/Python procedural language for PostgreSQL 9.6
 postgresql-plpython3-9.6 - PL/Python 3 procedural language for PostgreSQL 9.6
 postgresql-pltcl-9.6 - PL/Tcl procedural language for PostgreSQL 9.6
 postgresql-server-dev-9.6 - development files for PostgreSQL 9.6 server-side programming
Changes:
 postgresql-9.6 (9.6.13-0+deb9u1) stretch-security; urgency=medium
 .
   * New upstream version.
     + Prevent row-level security policies from being bypassed via selectivity
       estimators (Dean Rasheed)
 .
       Some of the planner's selectivity estimators apply user-defined
       operators to values found in pg_statistic (e.g., most-common values).
       A leaky operator therefore can disclose some of the entries in a data
       column, even if the calling user lacks permission to read that column.
       In CVE-2017-7484 we added restrictions to forestall that, but we failed
       to consider the effects of row-level security. A user who has SQL
       permission to read a column, but who is forbidden to see certain rows
       due to RLS policy, might still learn something about those rows'
       contents via a leaky operator. This patch further tightens the rules,
       allowing leaky operators to be applied to statistics data only when
       there is no relevant RLS policy. (CVE-2019-10130)
 .
   * Move maintainer address to tracker.
Checksums-Sha1:
 2a4ebb71b37b1b1cbf95a271f1378ce869b80414 9028 postgresql-9.6_9.6.13-0+deb9u1_all.buildinfo
 9e350fba24fc05e4fa3bd7203682ca687ce1e925 1662278 postgresql-doc-9.6_9.6.13-0+deb9u1_all.deb
Checksums-Sha256:
 de8f89c1b395df6e993e0cff78969439aff12192c94a3f93a6d983a0e92fe8f5 9028 postgresql-9.6_9.6.13-0+deb9u1_all.buildinfo
 a88ceb29e25f11ca0eb3f2c1911909edaba999a16ea45e1f342c612de02dc432 1662278 postgresql-doc-9.6_9.6.13-0+deb9u1_all.deb
Files:
 8fbf7eb51c7a2b287bb7de50b47213ca 9028 database optional postgresql-9.6_9.6.13-0+deb9u1_all.buildinfo
 9e6b77b9d65c7394011977808de23aba 1662278 doc optional postgresql-doc-9.6_9.6.13-0+deb9u1_all.deb