Your message dated Fri, 10 May 2019 22:11:46 +0200
with message-id <[email protected]>
and subject line Re: unblock: postgresql-11/11.3-1
has caused the Debian Bug report #928719,
regarding unblock: postgresql-11/11.3-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
928719: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928719
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package postgresql-11. The new version fixes two
security bugs, and various other issues. (This is a new upstream minor
release, which would have been pushed by the security team if buster was
already released.)
unblock postgresql-11/11.3-1
Christoph
postgresql-11 (11.3-1) unstable; urgency=medium

  * New upstream version.

    + Prevent row-level security policies from being bypassed via selectivity
      estimators (Dean Rasheed)

      Some of the planner's selectivity estimators apply user-defined
      operators to values found in pg_statistic (e.g., most-common values).
      A leaky operator therefore can disclose some of the entries in a data
      column, even if the calling user lacks permission to read that column.
      In CVE-2017-7484 we added restrictions to forestall that, but we failed
      to consider the effects of row-level security. A user who has SQL
      permission to read a column, but who is forbidden to see certain rows
      due to RLS policy, might still learn something about those rows'
      contents via a leaky operator. This patch further tightens the rules,
      allowing leaky operators to be applied to statistics data only when
      there is no relevant RLS policy. (CVE-2019-10130)

    + Avoid access to already-freed memory during partition routing error
      reports (Michael Paquier)

      This mistake could lead to a crash, and in principle it might be
      possible to use it to disclose server memory contents. (CVE-2019-10129)

 -- Christoph Berg <[email protected]> Tue, 07 May 2019 12:04:34 +0200
--- End Message ---
--- Begin Message ---
Hi Christoph,
On Thu, 9 May 2019 17:19:20 +0200 Christoph Berg <[email protected]> wrote:
> unblock postgresql-11/11.3-1
Unblocked, thanks.
Paul
--- End Message ---
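An inventory check for the row-level security issue described in the changelog of the unblock request above, to see whether a given PostgreSQL 11 database is in its scope. This is an added example, not part of the thread or of the Debian or PostgreSQL sources. It assumes a superuser session in each database; reading "leaky" as `proleakproof = false` and "user-defined" as `oid >= 16384` are assumptions of this example.

```sql
-- Added example: inventory for the RLS issue fixed in 11.3 (CVE-2019-10130).

-- 1. Is this a PostgreSQL 11 server older than 11.3?
--    server_version_num is 110003 for release 11.3.
SELECT current_setting('server_version') AS version,
       current_setting('server_version_num')::int BETWEEN 110000 AND 110002
           AS pg11_older_than_11_3;

-- 2. Tables in this database with row-level security enabled, together
--    with the policies attached to them. A table with relrowsecurity set
--    but no policy rows shows NULL policy columns (default deny).
SELECT n.nspname             AS schema_name,
       c.relname             AS table_name,
       c.relforcerowsecurity AS forced_for_owner,
       p.polname             AS policy_name,
       CASE p.polcmd
            WHEN 'r' THEN 'SELECT'
            WHEN 'a' THEN 'INSERT'
            WHEN 'w' THEN 'UPDATE'
            WHEN 'd' THEN 'DELETE'
            WHEN '*' THEN 'ALL'
       END                   AS applies_to,
       pg_get_expr(p.polqual, p.polrelid) AS using_expr
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_policy p ON p.polrelid = c.oid
WHERE c.relrowsecurity
  AND c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
ORDER BY schema_name, table_name, policy_name;

-- 3. Operators created after initdb whose implementing function is not
--    marked LEAKPROOF (assumption: this is what "leaky operator" means;
--    16384 is the first OID assigned to non-system objects).
SELECT o.oid::regoperator AS operator_sig,
       o.oprcode          AS impl_function,
       r.rolname          AS owner_role
FROM pg_operator o
JOIN pg_proc  p ON p.oid = o.oprcode
JOIN pg_roles r ON r.oid = o.oprowner
WHERE o.oid >= 16384
  AND NOT p.proleakproof
ORDER BY operator_sig;
```

A database where query 1 returns true and query 2 returns rows is in scope for the 11.3 update; query 3 lists the operators worth reviewing along with who owns them.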