postgresql-9.4 (9.4.26-0+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the ELTS Security Team.
  * CVE-2021-23214: server processes unencrypted bytes from man-in-the-middle
    - when the server is configured to use trust authentication with a
    clientcert requirement or to use cert authentication, a man-in-the-middle
    attacker can inject arbitrary SQL queries when a connection is first
    established, despite the use of SSL certificate verification and
    encryption.
  * CVE-2021-23222: libpq processes unencrypted bytes from man-in-the-middle
    - a man-in-the-middle attacker can inject false responses to the client's
    first few queries, despite the use of SSL certificate verification and
    encryption. If more preconditions hold, the attacker can exfiltrate the
    client's password or other confidential data that might be transmitted
    early in a session. The attacker must have a way to trick the client's
    intended server into making the confidential data accessible to the
    attacker. A known implementation having that property is a PostgreSQL
    configuration vulnerable to CVE-2021-23214.

 -- Sylvain Beucler  Wed, 17 Nov 2021 21:10:02 +0100

postgresql-9.4 (9.4.26-0+deb8u4) jessie-security; urgency=high

  * Non-maintainer upload by the ELTS Security Team.
  * CVE-2020-25694: if a client application that creates additional database
    connections only reuses the basic connection parameters while dropping
    security-relevant parameters, an opportunity for a man-in-the-middle
    attack, or the ability to observe clear-text transmissions, could exist
  * CVE-2020-25695: an attacker having permission to create non-temporary
    objects in at least one schema can execute arbitrary SQL functions under
    the identity of a superuser
  * CVE-2020-25696: if an interactive psql session uses \gset when querying a
    compromised server, the attacker can execute arbitrary code as the
    operating system account running psql
  * CVE-2021-32027: while modifying certain SQL array values, missing bounds
    checks let authenticated database users write arbitrary bytes to a wide
    area of server memory

 -- Sylvain Beucler  Thu, 09 Sep 2021 10:26:17 +0200

postgresql-9.4 (9.4.26-0+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload by the ELTS Team.
  * debian/rules: specify LANG=C.UTF-8 to prevent test suite failure on ELTS
    build hosts.

 -- Roberto C. Sanchez  Tue, 25 Aug 2020 23:07:47 -0400

postgresql-9.4 (9.4.26-0+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the ELTS Team.
  * Fix CVE-2020-14350: an uncontrolled search path could allow users to run
    arbitrary SQL functions with elevated privileges when a superuser runs
    certain `CREATE EXTENSION' statements.

 -- Roberto C. Sanchez  Sat, 22 Aug 2020 17:34:47 -0400

postgresql-9.4 (9.4.26-0+deb8u1) jessie-security; urgency=medium

  * New upstream version.
    + Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION.
      Marking an object as dependent on an extension did not have any
      privilege check whatsoever. This oversight allowed any user to mark
      routines, triggers, materialized views, or indexes as droppable by
      anyone able to drop an extension. Require that the calling user own the
      specified object (and hence have privilege to drop it). (CVE-2020-1720)
  * This is the last release of the 9.4 series. Please upgrade to a newer
    PostgreSQL major version.

 -- Christoph Berg  Tue, 11 Feb 2020 15:03:00 +0100

postgresql-9.4 (9.4.25-0+deb8u1) jessie-security; urgency=medium

  * New upstream version.
    This is the next-to-last release of the 9.4 series. Please upgrade to a
    newer PostgreSQL major version.
  * Register debconf templates in postinst. (Closes: #935759)

 -- Christoph Berg  Mon, 18 Nov 2019 11:49:49 +0100

postgresql-9.4 (9.4.24-0+deb8u1) jessie-security; urgency=medium

  * New upstream security release.
    + Fixes regression in ALTER TABLE on multiple columns. (Closes: #932247)
    + Require schema qualification to cast to a temporary type when using
      functional cast syntax (Noah Misch)
      We have long required invocations of temporary functions to explicitly
      specify the temporary schema, that is pg_temp.func_name(args). Require
      this as well for casting to temporary types using functional notation,
      for example pg_temp.type_name(arg). Otherwise it's possible to capture a
      function call using a temporary object, allowing privilege escalation in
      much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)
  * Move maintainer address to tracker.
  * On purge, ask the user if they want to remove clusters.
    (Closes: #911940, #933368)

 -- Christoph Berg  Thu, 08 Aug 2019 16:53:00 +0200

postgresql-9.4 (9.4.22-0+deb8u1) jessie-security; urgency=medium

  * New upstream version.

 -- Christoph Berg  Thu, 09 May 2019 10:04:31 +0200

postgresql-9.4 (9.4.21-0+deb8u1) jessie-security; urgency=medium

  * New upstream version.
  * Revert upstream patch "Disallow setting client_min_messages higher than
    ERROR", it causes too much disruption to existing (test) scripts.

 -- Christoph Berg  Mon, 18 Feb 2019 12:00:44 +0100

postgresql-9.4 (9.4.20-0+deb8u1) jessie-security; urgency=medium

  * New upstream version.

 -- Christoph Berg  Fri, 25 Jan 2019 09:12:38 +0100

postgresql-9.4 (9.4.19-0+deb8u1) jessie-security; urgency=medium

  * New upstream version.
    + Fix failure to reset libpq's state fully between connection attempts
      An unprivileged user of dblink or postgres_fdw could bypass the checks
      intended to prevent use of server-side credentials, such as a ~/.pgpass
      file owned by the operating-system user running the server. Servers
      allowing peer authentication on local connections are particularly
      vulnerable. Other attacks such as SQL injection into a postgres_fdw
      session are also possible. Attacking postgres_fdw in this way requires
      the ability to create a foreign server object with selected connection
      parameters, but any user with access to dblink could exploit the
      problem. In general, an attacker with the ability to select the
      connection parameters for a libpq-using application could cause
      mischief, though other plausible attack scenarios are harder to think
      of. Our thanks to Andrew Krasichkov for reporting this issue.
      (CVE-2018-10915)
  * Add new pgtypes header and symbol.

 -- Christoph Berg  Mon, 06 Aug 2018 16:14:28 +0200

postgresql-9.4 (9.4.18-0+deb8u1) jessie; urgency=medium

  * New upstream version.
    + Fix incorrect volatility markings on a few built-in functions.

 -- Christoph Berg  Tue, 08 May 2018 20:37:04 +0200

postgresql-9.4 (9.4.17-0+deb8u1) jessie; urgency=medium

  * New upstream version.
    If you run an installation in which not all users are mutually trusting,
    or if you maintain an application or extension that is intended for use in
    arbitrary situations, it is strongly recommended that you read the
    documentation changes described in the first changelog entry below, and
    take suitable steps to ensure that your installation or code is secure.
    Also, the changes described in the second changelog entry below may cause
    functions used in index expressions or materialized views to fail during
    auto-analyze, or when reloading from a dump. After upgrading, monitor the
    server logs for such problems, and fix affected functions.
    + Document how to configure installations and applications to guard
      against search-path-dependent trojan-horse attacks from other users
      Using a search_path setting that includes any schemas writable by a
      hostile user enables that user to capture control of queries and then
      run arbitrary SQL code with the permissions of the attacked user. While
      it is possible to write queries that are proof against such hijacking,
      it is notationally tedious, and it's very easy to overlook holes.
      Therefore, we now recommend configurations in which no untrusted schemas
      appear in one's search path. (CVE-2018-1058)
    + Avoid use of insecure search_path settings in pg_dump and other client
      programs
      pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications
      were themselves vulnerable to the type of hijacking described in the
      previous changelog entry; since these applications are commonly run by
      superusers, they present particularly attractive targets. To make them
      secure whether or not the installation as a whole has been secured,
      modify them to include only the pg_catalog schema in their search_path
      settings. Autovacuum worker processes now do the same, as well.
      In cases where user-provided functions are indirectly executed by these
      programs -- for example, user-provided functions in index expressions --
      the tighter search_path may result in errors, which will need to be
      corrected by adjusting those user-provided functions to not assume
      anything about what search path they are invoked under. That has always
      been good practice, but now it will be necessary for correct behavior.
      (CVE-2018-1058)

 -- Christoph Berg  Tue, 27 Feb 2018 13:20:22 +0100

postgresql-9.4 (9.4.16-0+deb8u1) jessie; urgency=medium

  * New upstream version.
    + Ensure that all temporary files made by pg_upgrade are
      non-world-readable (CVE-2018-1053)

 -- Christoph Berg  Thu, 08 Feb 2018 10:34:39 +0100

postgresql-9.4 (9.4.15-0+deb8u1) jessie-security; urgency=medium

  * New upstream version.
    + Fix crash due to rowtype mismatch in json{b}_populate_recordset()
      (Michael Paquier, Tom Lane)
      These functions used the result rowtype specified in the FROM ... AS
      clause without checking that it matched the actual rowtype of the
      supplied tuple value. If it didn't, that would usually result in a
      crash, though disclosure of server memory contents seems possible as
      well. (CVE-2017-15098)

 -- Christoph Berg  Wed, 08 Nov 2017 15:27:38 +0100

postgresql-9.4 (9.4.14-0+deb8u1) jessie; urgency=medium

  * New upstream bugfix release.

 -- Christoph Berg  Thu, 05 Oct 2017 10:47:27 +0200

postgresql-9.4 (9.4.13-0+deb8u1) jessie-security; urgency=medium

  * New upstream security release.
    + Further restrict visibility of pg_user_mappings.umoptions, to protect
      passwords stored as user mapping options. See the release notes for
      instructions for applying the fix to existing database clusters.
      (CVE-2017-7547; extends fix for CVE-2017-7486)
    + Disallow empty passwords in all password-based authentication methods.
      (CVE-2017-7546)
    + Make lo_put() check for UPDATE privilege on the target large object.
      (CVE-2017-7548)

 -- Christoph Berg  Thu, 10 Aug 2017 14:37:53 +0200

postgresql-9.4 (9.4.12-0+deb8u1) jessie-security; urgency=medium

  * New upstream security release.
    + Restrict visibility of pg_user_mappings.umoptions, to protect passwords
      stored as user mapping options (CVE-2017-7486)
    + Prevent exposure of statistical information via leaky operators
      (CVE-2017-7484)
    + Restore libpq's recognition of the PGREQUIRESSL environment variable
      (CVE-2017-7485)

 -- Christoph Berg  Tue, 09 May 2017 17:00:48 +0200

postgresql-9.4 (9.4.11-0+deb8u2) jessie; urgency=medium

  * Paper over ULP regression test differences in the "point" test on 32-bit
    powerpc on Debian Jessie. The very same code worked previously and in fact
    continues to work on Debian Sid, so it doesn't seem to be PostgreSQL's
    fault that these test results now suffer from rounding differences.

 -- Christoph Berg  Mon, 20 Feb 2017 16:04:26 +0100

postgresql-9.4 (9.4.11-0+deb8u1) jessie; urgency=medium

  * New upstream version.
    + Fix a race condition that could cause indexes built with CREATE INDEX
      CONCURRENTLY to be corrupt (Pavan Deolasee, Tom Lane)
      If CREATE INDEX CONCURRENTLY was used to build an index that depends on
      a column not previously indexed, then rows inserted or updated by
      transactions that ran concurrently with the CREATE INDEX command could
      have received incorrect index entries. If you suspect this may have
      happened, the most reliable solution is to rebuild affected indexes
      after installing this update.

 -- Christoph Berg  Thu, 09 Feb 2017 15:24:57 +0100

postgresql-9.4 (9.4.10-0+deb8u1) jessie; urgency=medium

  * New upstream version.
    If your installation has been affected by the bug described in the first
    changelog entry below, then after updating you may need to take action to
    repair corrupted free space maps.
    + Fix WAL-logging of truncation of relation free space maps and
      visibility maps (Pavan Deolasee, Heikki Linnakangas)
      It was possible for these files to not be correctly restored during
      crash recovery, or to be written incorrectly on a standby server. Bogus
      entries in a free space map could lead to attempts to access pages that
      have been truncated away from the relation itself, typically producing
      errors like could not read block XXX: read only 0 of 8192 bytes.
      Checksum failures in the visibility map are also possible, if
      checksumming is enabled. Procedures for determining whether there is a
      problem and repairing it if so are discussed at
      https://wiki.postgresql.org/wiki/Free_Space_Map_Problems.

 -- Christoph Berg  Wed, 16 Nov 2016 15:39:27 +0100

postgresql-9.4 (9.4.9-0+deb8u1) jessie-security; urgency=medium

  * New upstream security release.
    + Fix possible mis-evaluation of nested CASE-WHEN expressions (Heikki
      Linnakangas, Michael Paquier, Tom Lane)
      A CASE expression appearing within the test value subexpression of
      another CASE could become confused about whether its own test value was
      null or not. Also, inlining of a SQL function implementing the equality
      operator used by a CASE expression could result in passing the wrong
      test value to functions called within a CASE expression in the SQL
      function's body. If the test values were of different data types, a
      crash might result; moreover such situations could be abused to allow
      disclosure of portions of server memory. (CVE-2016-5423)
    + Fix client programs' handling of special characters in database and
      role names (Noah Misch, Nathan Bossart, Michael Paquier)
      Numerous places in vacuumdb and other client programs could become
      confused by database and role names containing double quotes or
      backslashes. Tighten up quoting rules to make that safe. Also, ensure
      that when a conninfo string is used as a database name parameter to
      these programs, it is correctly treated as such throughout.
      Fix handling of paired double quotes in psql's \connect and \password
      commands to match the documentation. Introduce a new -reuse-previous
      option in psql's \connect command to allow explicit control of whether
      to re-use connection parameters from a previous connection. (Without
      this, the choice is based on whether the database name looks like a
      conninfo string, as before.) This allows secure handling of database
      names containing special characters in pg_dumpall scripts.
      pg_dumpall now refuses to deal with database and role names containing
      carriage returns or newlines, as it seems impractical to quote those
      characters safely on Windows. In future we may reject such names on the
      server side, but that step has not been taken yet.
      These are considered security fixes because crafted object names
      containing special characters could have been used to execute commands
      with superuser privileges the next time a superuser executes pg_dumpall
      or other routine maintenance operations. (CVE-2016-5424)

 -- Christoph Berg  Wed, 10 Aug 2016 13:36:18 +0200

postgresql-9.4 (9.4.8-0+deb8u1) jessie; urgency=medium

  * New upstream bugfix release.

 -- Christoph Berg  Fri, 27 May 2016 14:29:53 +0200

postgresql-9.4 (9.4.7-0+deb8u1) jessie; urgency=medium

  * New upstream bugfix release.
  * Remove obsolete .bzr-builddeb/default.conf.

 -- Christoph Berg  Sat, 02 Apr 2016 13:22:58 +0200

postgresql-9.4 (9.4.6-0+deb8u1) jessie-security; urgency=medium

  * New upstream version.
    + Fix infinite loops and buffer-overrun problems in regular expressions.
      Very large character ranges in bracket expressions could cause infinite
      loops in some cases, and memory overwrites in other cases.
      (CVE-2016-0773)
    + Fix privilege escalation issue for users of PL/Java. Certain custom
      configuration settings (GUCs) for PL/Java will now be modifiable only
      by the database superuser. (CVE-2016-0766)
    + Users will need to reindex any jsonb_path_ops indexes they have created,
      in order to fix a persistent issue with missing index entries.

 -- Christoph Berg  Thu, 11 Feb 2016 15:17:44 +0100

postgresql-9.4 (9.4.5-0+deb8u1) jessie-security; urgency=medium

  * New upstream security release.
    + Guard against stack overflows in json parsing (Oskari Saarenmaa)
      If an application constructs PostgreSQL json or jsonb values from
      arbitrary user input, the application's users can reliably crash the
      PostgreSQL server, causing momentary denial of service. (CVE-2015-5289)
    + Fix contrib/pgcrypto to detect and report too-short crypt() salts
      (Josh Kupershmidt)
      Certain invalid salt arguments crashed the server or disclosed a few
      bytes of server memory. We have not ruled out the viability of attacks
      that arrange for presence of confidential information in the disclosed
      bytes, but they seem unlikely. (CVE-2015-5288)

 -- Christoph Berg  Thu, 08 Oct 2015 14:24:00 +0200

postgresql-9.4 (9.4.4-0+deb8u1) jessie; urgency=medium

  * New upstream version.
    + Fix possible failure to recover from an inconsistent database state
    + Fix rare failure to invalidate relation cache init file

 -- Christoph Berg  Thu, 11 Jun 2015 20:35:19 +0200

postgresql-9.4 (9.4.3-0+deb8u1) jessie; urgency=medium

  * New upstream version: Avoid failures while fsync'ing data directory
    during crash restart (Abhijit Menon-Sen, Tom Lane; Closes: #786874)

 -- Christoph Berg  Wed, 03 Jun 2015 11:53:43 +0200

postgresql-9.4 (9.4.2-0+deb8u1) stable-security; urgency=medium

  * New upstream version.
    + Avoid possible crash when client disconnects just before the
      authentication timeout expires (Benkocs Norbert Attila)
      If the timeout interrupt fired partway through the session shutdown
      sequence, SSL-related state would be freed twice, typically causing a
      crash and hence denial of service to other sessions. Experimentation
      shows that an unauthenticated remote attacker could trigger the bug
      somewhat consistently, hence treat as security issue. (CVE-2015-3165)
    + Improve detection of system-call failures (Noah Misch)
      Our replacement implementation of snprintf() failed to check for errors
      reported by the underlying system library calls; the main case that
      might be missed is out-of-memory situations. In the worst case this
      might lead to information exposure, due to our code assuming that a
      buffer had been overwritten when it hadn't been. Also, there were a few
      places in which security-relevant calls of other system library
      functions did not check for failure. It remains possible that some calls
      of the *printf() family of functions are vulnerable to information
      disclosure if an out-of-memory error occurs at just the wrong time. We
      judge the risk to not be large, but will continue analysis in this
      area. (CVE-2015-3166)
    + In contrib/pgcrypto, uniformly report decryption failures as Wrong key
      or corrupt data (Noah Misch)
      Previously, some cases of decryption with an incorrect key could report
      other error message texts. It has been shown that such variance in error
      reports can aid attackers in recovering keys from other systems. While
      it's unknown whether pgcrypto's specific behaviors are likewise
      exploitable, it seems better to avoid the risk by using a
      one-size-fits-all message. (CVE-2015-3167)
    + Protect against wraparound of multixact member IDs (Álvaro Herrera,
      Robert Haas, Thomas Munro)
      Under certain usage patterns, the existing defenses against this might
      be insufficient, allowing pg_multixact/members files to be removed too
      early, resulting in data loss. The fix for this includes modifying the
      server to fail transactions that would result in overwriting old
      multixact member ID data, and improving autovacuum to ensure it will act
      proactively to prevent multixact member ID wraparound, as it does for
      transaction ID wraparound.
  * Repository moved to git, update Vcs headers.

 -- Christoph Berg  Thu, 21 May 2015 15:58:30 +0200

postgresql-9.4 (9.4.1-1) unstable; urgency=medium

  * New upstream version.
    + libpq5: Name lookups fixed in minimal chroots (Closes: #756627)
    + Fix buffer overruns in to_char() (CVE-2015-0241)
    + Fix buffer overruns in contrib/pgcrypto (CVE-2015-0243)
    + Fix possible loss of frontend/backend protocol synchronization after
      an error (CVE-2015-0244)
    + Fix information leak via constraint-violation error messages
      (CVE-2014-8161)

 -- Christoph Berg  Wed, 04 Feb 2015 17:55:28 +0100

postgresql-9.4 (9.4.0-1) unstable; urgency=medium

  * 9.4 released.
  * libpq5.symbols: PQhostaddr removed; it was new in 9.4.

 -- Christoph Berg  Wed, 17 Dec 2014 22:21:22 +0100

postgresql-9.4 (9.4~rc1-1) unstable; urgency=medium

  * First 9.4 RC release.
  * Update psql call in dump-reload instructions.
  * Reenable 010_pg_basebackup.t tests, fixed upstream.

 -- Christoph Berg  Tue, 18 Nov 2014 09:49:04 +0100

postgresql-9.4 (9.4~beta3-3) unstable; urgency=medium

  * Temporarily disable failing test in 010_pg_basebackup.t.

 -- Christoph Berg  Thu, 16 Oct 2014 09:32:06 +0200

postgresql-9.4 (9.4~beta3-2) unstable; urgency=medium

  * postgresql-9.4.preinst: Output detailed dump-reload instructions when
    refusing the package upgrade, and also add a NEWS item about it.
    (Closes: #764705)
  * Add libipc-run-perl for the regression tests which otherwise skip large
    parts.
  * Update Standards-Version.

 -- Christoph Berg  Wed, 15 Oct 2014 19:44:43 +0200

postgresql-9.4 (9.4~beta3-1) unstable; urgency=medium

  * New upstream beta version.
    + Catalog version number changed, older 9.4 clusters need to be dumped
      and reloaded.
    + Regexp regression fixed. (Closes: #760564)
    + CACHE_LINE_SIZE definition renamed to mitigate conflict on *BSD.
      (Closes: #763098)

  [ Martin Pitt ]
  * Add missing logrotate test dependency.

  [ Christoph Berg ]
  * Set Multi-Arch: foreign in postgresql-client-9.4 and postgresql-doc-9.4.
    (Closes: #757520; do it even on non-multiarch dists, it doesn't hurt.)
  * Fix postgresql_fdw in description, spotted by Zack Weinberg, thanks!
    (Closes: #762389)

 -- Christoph Berg  Tue, 07 Oct 2014 20:39:57 +0200

postgresql-9.4 (9.4~beta2-1) unstable; urgency=low

  * New upstream beta version.
    + Secure Unix-domain sockets of temporary postmasters started during make
      check (Noah Misch)
      Any local user able to access the socket file could connect as the
      server's bootstrap superuser, then proceed to execute arbitrary code as
      the operating-system user running the test, as we previously noted in
      CVE-2014-0067. This change defends against that risk by placing the
      server's socket in a temporary, mode 0700 subdirectory of /tmp.
  * postgresql-9.4.preinst: Fail upgrade when upgrading from beta1, the
    catalog version changed. People should dump/remove their old clusters
    first.
  * Use util-linux' uuid lib as backend for the uuid-ossp extension
    (--with-uuid=e2fs).
  * Enable sepgsql (--with-selinux). On systems with libselinux1-dev <
    2.1.10, this is automatically disabled.
  * Revert multiarch for libpq-dev and libecpg-dev. (Closes: #750111,
    #750112)
  * Remove our pg_regress patches to support --host=/path. Implemented
    upstream as fix for CVE-2014-0067.
  * debian/copyright: Say that there are various copyright holders for the
    contrib modules. (Hello Lintian!)
  * Update Vcs URLs.

 -- Christoph Berg  Mon, 21 Jul 2014 22:26:24 +0200

postgresql-9.4 (9.4~beta1-2) experimental; urgency=medium

  * Update watch file for 9.4.
  * Enable multiarch support in libpq and friends. (Closes: #706849)
    Support is automatically disabled when the distribution does not support
    it.
  * Stop providing postgresql-dbg in postgresql-9.4-dbg. Its only purpose was
    to conflict with other postgresql-*-dbg packages, and that's no longer
    needed with build-id debug symbols.
  * Skip -pie on 32bit archs for performance and stability reasons.
    Closes: #749686; details at
    http://www.postgresql.org/message-id/20140519115318.GB7296@msgid.df7cb.de
  * Update contrib copyright statements, and move them to a separate file.
    Thanks to Thorsten Alteholz for reviewing the package.

 -- Christoph Berg  Fri, 30 May 2014 20:09:50 +0200

postgresql-9.4 (9.4~beta1-1) experimental; urgency=low

  * Update for 9.4. Packaging based on 9.3 branch.
  * Bump to debhelper 9 to get debug symbol files based on build-ids.

 -- Christoph Berg  Mon, 12 May 2014 22:08:37 +0200
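The search_path hardening that the 9.4.17-0+deb8u1 entry above recommends for CVE-2018-1058 (no schema writable by untrusted users in anyone's search path, and pg_catalog-only paths for privileged code), written out as an added SQL example. It is not part of the Debian changelog or of the PostgreSQL project's own files. The database app_db, the role app_user and the function audit_rows are placeholder names; the statements themselves (REVOKE CREATE ON SCHEMA, ALTER DATABASE/ROLE ... SET search_path, a per-function SET search_path clause) are standard PostgreSQL and apply to 9.4 as well as later releases.

```sql
-- Added example, not from the Debian changelog or from PostgreSQL itself.
-- app_db, app_user and audit_rows are placeholder names.

-- Weak (pre-hardening) state: the default search_path is "$user", public,
-- and until PostgreSQL 15 every role could CREATE objects in public.
-- An unqualified call such as  SELECT lower(col)  in a superuser's session
-- can therefore be captured by a same-named object that another role has
-- created in public.
SHOW search_path;                       -- "$user", public

-- 1. Stop untrusted roles from creating objects in the shared schema.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. Make the stored defaults exclude any schema others can write to.
--    pg_catalog is implicitly searched first; listing it makes the intent
--    visible to whoever reviews the configuration later.
ALTER DATABASE app_db SET search_path = pg_catalog, "$user";
ALTER ROLE app_user SET search_path = pg_catalog;

-- 3. Pin the search path on SECURITY DEFINER functions, which run with the
--    owner's privileges and so are the most attractive to hijack. pg_temp is
--    listed last so temporary objects cannot shadow catalog objects.
CREATE OR REPLACE FUNCTION audit_rows(tbl regclass) RETURNS bigint
LANGUAGE plpgsql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
DECLARE n bigint;
BEGIN
  -- regclass renders schema-qualified when the table is not on the
  -- (now minimal) search path, so the dynamic SQL stays unambiguous.
  EXECUTE format('SELECT count(*) FROM %s', tbl) INTO n;
  RETURN n;
END
$$;

-- 4. Check: list roles whose stored search_path still names public, so the
--    remaining exposure after the change can be reviewed.
SELECT r.rolname, cfg
FROM pg_roles AS r, unnest(coalesce(r.rolconfig, '{}')) AS cfg
WHERE cfg LIKE 'search_path=%'
  AND cfg LIKE '%public%';

-- 5. Check: schemas in which PUBLIC can still create objects; any of these
--    that appears in a search path is the situation the entry warns about.
SELECT nspname
FROM pg_namespace
WHERE has_schema_privilege('public', nspname, 'CREATE')
  AND nspname NOT LIKE 'pg_%';
```

The REVOKE in step 1 must be run in every database of the cluster (and in template1 so that new databases inherit it); steps 2 and 3 are what keep superuser-run tools and definer functions safe even where step 1 has not been applied everywhere, which is the same reasoning the entry gives for pg_dump and autovacuum using a pg_catalog-only path.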