Format: 1.8
Date: Tue, 07 May 2019 12:51:42 +0200
Source: postgresql-9.6
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-9.6 postgresql-9.6-dbg postgresql-client-9.6 postgresql-server-dev-9.6 postgresql-doc-9.6 postgresql-contrib-9.6 postgresql-plperl-9.6 postgresql-plpython-9.6 postgresql-plpython3-9.6 postgresql-pltcl-9.6
Architecture: amd64
Version: 9.6.13-0+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: amd64 Build Daemon (binet)
Changed-By: Christoph Berg
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6   - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 9.6
 libpq-dev  - header files for libpq5 (PostgreSQL library)
 libpq5     - PostgreSQL C client library
 postgresql-9.6 - object-relational SQL database, version 9.6 server
 postgresql-9.6-dbg - debug symbols for postgresql-9.6
 postgresql-client-9.6 - front-end programs for PostgreSQL 9.6
 postgresql-contrib-9.6 - additional facilities for PostgreSQL
 postgresql-doc-9.6 - documentation for the PostgreSQL database management system
 postgresql-plperl-9.6 - PL/Perl procedural language for PostgreSQL 9.6
 postgresql-plpython-9.6 - PL/Python procedural language for PostgreSQL 9.6
 postgresql-plpython3-9.6 - PL/Python 3 procedural language for PostgreSQL 9.6
 postgresql-pltcl-9.6 - PL/Tcl procedural language for PostgreSQL 9.6
 postgresql-server-dev-9.6 - development files for PostgreSQL 9.6 server-side programming
Changes:
 postgresql-9.6 (9.6.13-0+deb9u1) stretch-security; urgency=medium
 .
   * New upstream version.
     + Prevent row-level security policies from being bypassed via selectivity
       estimators (Dean Rasheed)
 .
       Some of the planner's selectivity estimators apply user-defined
       operators to values found in pg_statistic (e.g., most-common values).
       A leaky operator therefore can disclose some of the entries in a data
       column, even if the calling user lacks permission to read that column.
       In CVE-2017-7484 we added restrictions to forestall that, but we failed
       to consider the effects of row-level security. A user who has SQL
       permission to read a column, but who is forbidden to see certain rows
       due to RLS policy, might still learn something about those rows'
       contents via a leaky operator. This patch further tightens the rules,
       allowing leaky operators to be applied to statistics data only when
       there is no relevant RLS policy.
       (CVE-2019-10130)
 .
   * Move maintainer address to tracker.