Package: postgresql-8.4
Version: 8.4.22lts4-0+deb6u1
Several bugs were discovered in PostgreSQL, a relational database server
system. The 8.4 branch is EOLed upstream, but still present in Debian squeeze.
This new LTS minor version contains the fixes that were applied upstream to
...@lists.alioth.debian.org
Changed-By: Christoph Berg christoph.b...@credativ.de
Description:
libecpg-compat3 - older version of run-time library for ECPG programs
libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
libecpg6 - run-time library for ECPG programs
libpgtypes3
Package: postgresql-8.4
Version: 8.4.22lts5-0+deb6u2
The 8.4.22lts5-0+deb6u1 update failed to build on the i386
architecture because the regression tests were not correctly adapted
for changes in lts5. This has now been corrected, updated binaries for
i386 and amd64 (which were
pub...@lists.alioth.debian.org>
Changed-By: Christoph Berg <christoph.b...@credativ.de>
Description:
libecpg-compat3 - older version of run-time library for ECPG programs
libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
libecpg6 - run-time library for E
sql-pub...@lists.alioth.debian.org>
Changed-By: Christoph Berg <christoph.b...@credativ.de>
Description:
libecpg-compat3 - older version of run-time library for ECPG programs
libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
libecpg6 - run-time library for E
Re: Santiago Ruano Rincón 2015-10-08 <20151008161110.GA2567@nomada>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of postgresql-8.4:
> https://security-tracker.debian.org/tracker/CVE-2015-5288
>
Package: postgresql-8.4
Version: 8.4.22lts6-0+deb6u1
Several bugs were discovered in PostgreSQL, a relational database server
system. The 8.4 branch is EOLed upstream, but still present in Debian squeeze.
This new LTS minor version contains fixes that were applied upstream to the
pub...@lists.alioth.debian.org>
Changed-By: Christoph Berg <christoph.b...@credativ.de>
Description:
libecpg-compat3 - older version of run-time library for ECPG programs
libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
libecpg6 - run-time library for ECPG programs
libpgtypes3 - sh
Package: postgresql-9.1
Version: 9.1.23-0+deb7u1
Several vulnerabilities have been found in PostgreSQL, an SQL
database system.
CVE-2016-5423
Karthikeyan Jambu Rajaraman discovered that nested CASE-WHEN
expressions are not properly evaluated, potentially leading to a
Package: postgresql-9.1
Version: 9.1.24-0+deb7u1
Several bugs were discovered in PostgreSQL, a relational database server
system. This update corrects various stability issues.
9.1.24 marks the end of life of the PostgreSQL 9.1 branch. No further
releases will be made by
pub...@lists.alioth.debian.org>
Changed-By: Christoph Berg <m...@debian.org>
Description:
libecpg-compat3 - older version of run-time library for ECPG programs
libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
libecpg6 - run-time library for ECPG programs
libpgtypes3 - shared librar
Re: Ola Lundqvist 2016-12-20 <20161220215504.ga24...@inguza.net>
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of postgresql-common:
> https://security-tracker.debian.org/tracker/CVE-2016-1255
>
> Would
Re: Raphael Hertzog 2017-06-20 <20170620162214.kxf3y2ksrxkai...@home.ouaza.com>
> That said the wheezy users would most certainly benefit from a fixed
> package and it looks like the issues have all been fixed in 1.5.0 and
> 1.5.1 so it should be possible to apply upstream fixes.
Last time I
Re: Ola Lundqvist 2017-05-21
On 28 May 2017 16:11:47 CEST, Thorsten Alteholz <deb...@alteholz.de> wrote:
>Hi Christoph,
>
>ok, thanks for the clarification.
>
>On Wed, 24 May 2017, Christoph Berg wrote:
>> postgresql-9.1 in wheezy is affected from my understanding of when
>> pg_user_mappin
Re: Salvatore Bonaccorso 2017-11-10
<20171110201118.wgv257pqulnzsdbg@eldamar.local>
> Christoph Berg has uploaded a version for postgresql-common to address
> CVE-2017-8806 as well for wheezy.
>
> https://lists.debian.org/debian-lts-changes/2017/11/msg00012.html
>
: 134wheezy6
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers
<pkg-postgresql-pub...@lists.alioth.debian.org>
Changed-By: Christoph Berg <m...@debian.org>
Description:
postgresql - object-relational SQL database (supported version)
postgresql-cl
pub...@lists.alioth.debian.org>
Changed-By: Christoph Berg <christoph.b...@credativ.de>
Description:
libecpg-compat3 - older version of run-time library for ECPG programs
libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
libecpg6 - run-time library for ECPG programs
libpgtyp
Package: postgresql-9.1
Version: 9.1.24lts2-0+deb7u2
CVE ID : CVE-2018-1053
A vulnerability has been found in the PostgreSQL database system:
CVE-2018-1053
Tom Lane discovered that pg_upgrade, a tool used to upgrade
PostgreSQL database clusters, creates
Re: Markus Koschany 2018-08-18 <6056c156-4936-2dd9-77ef-57fc50dca...@debian.org>
> Do you prefer that we take care of it or shall we mark 9.1 as EOL and
> recommend to upgrade to 9.4 instead?
As Moritz already noted 9.1 is the upgrade-only version, i.e. to help
users upgrade to Stretch.
Re: Brian May 2018-03-07 <87a7vk9yhn@prune.linuxpenguins.xyz>
> > jessie's postgresql-9.1 package is shipping a single binary package
> > only, postgresql-plperl-9.1. (Check the jessie release notes for the
> > rationale.) plperl is not affected by the changes as far as I can tell
> > by
Re: Brian May 2018-03-04 <87tvtva5r4@prune.linuxpenguins.xyz>
> Christoph Berg <m...@debian.org> writes:
>
> > + [jessie] - postgresql-9.1 (postgresql-9.1 in jessie is
> > PL/Perl only)
>
> Hello,
>
> What did you mean by "jessie is PL/
postgresql-contrib-9.4
postgresql-plperl-9.4 postgresql-plpython-9.4 postgresql-plpython3-9.4
postgresql-pltcl-9.4
Architecture: source amd64 all
Version: 9.4.21-0+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers
Changed-By: Christoph Berg
Package: postgresql-9.4
Version: 9.4.20-0+deb8u1
The PostgreSQL project has released a new minor release of the 9.4
branch.
For Debian 8 "Jessie", this has been uploaded as version
9.4.20-0+deb8u1.
We recommend that you upgrade your postgresql-9.4 packages.
Further information
postgresql-contrib-9.4
postgresql-plperl-9.4 postgresql-plpython-9.4 postgresql-plpython3-9.4
postgresql-pltcl-9.4
Architecture: source amd64 all
Version: 9.4.20-0+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers
Changed-By: Christoph Berg
postgresql-contrib-9.4
postgresql-plperl-9.4 postgresql-plpython-9.4 postgresql-plpython3-9.4
postgresql-pltcl-9.4
Architecture: source amd64 all
Version: 9.4.22-0+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers
Changed-By: Christoph Berg
Package: postgresql-9.4
Version: 9.4.22-0+deb8u1
The PostgreSQL project has released a new minor release of the 9.4
branch.
For Debian 8 "Jessie", this has been uploaded as version
9.4.22-0+deb8u1.
We recommend that you upgrade your postgresql-9.4 packages.
Note that the end of
Re: Holger Levsen 2019-05-16 <20190516183802.uryz4rr7enuwp...@layer-acht.org>
> > Or should we focus on a way to announce process
> > changes once every other year?
>
> a mail to d-d-a with subject 'bits from the lts team' with these and other
> changes would probably be a good idea.
A single
Re: Holger Levsen 2019-05-15 <20190515130831.qcgsaiig3bh3b...@layer-acht.org>
> Should we maybe put just this on a page called
> https://wiki.debian.org/LTS/Development/TLDR
> which then people can look at when they occasionally do a DLA?
>
> (and link to that TLDR page prominently from our
Package: postgresql-9.4
Version: 9.4.24-0+deb8u1
CVE ID : CVE-2019-10208
* CVE-2019-10208: `TYPE` in `pg_temp` executes arbitrary SQL during
`SECURITY DEFINER` execution
Versions Affected: 9.4 - 11
Given a suitable `SECURITY DEFINER` function, an attacker can execute
postgresql-contrib-9.4
postgresql-plperl-9.4 postgresql-plpython-9.4 postgresql-plpython3-9.4
postgresql-pltcl-9.4
Architecture: source amd64 all
Version: 9.4.24-0+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers
Changed-By: Christoph Berg
: 165+deb8u4
Distribution: jessie-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers
Changed-By: Christoph Berg
Description:
postgresql - object-relational SQL database (supported version)
postgresql-client - front-end programs for PostgreSQL (supported version)
postgresql
postgresql-contrib-9.4
postgresql-plperl-9.4 postgresql-plpython-9.4 postgresql-plpython3-9.4
postgresql-pltcl-9.4
Architecture: source amd64 all
Version: 9.4.25-0+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers
Changed-By: Christoph Berg
Package: postgresql-common
Version: 165+deb8u4
CVE ID : CVE-2019-3466
Rich Mirch discovered that the pg_ctlcluster script didn't drop
privileges when creating socket/statistics temporary directories, which
could result in local privilege escalation.
For the oldoldstable
Package: postgresql-9.4
Version: 9.4.26-0+deb8u1
CVE ID : CVE-2020-1720
Tom Lane discovered that "ALTER ... DEPENDS ON EXTENSION" sub commands
in the PostgreSQL database did not perform authorisation checks.
For Debian 8 "Jessie", this problem has been fixed in version
Re: Utkarsh Gupta
> Hello,
>
> On Tue, Aug 31, 2021 at 7:18 PM Adam D. Barratt
> wrote:
> > I noticed that postgresql-9.6 got uploaded to stretch-lts late last
> > week, but there doesn't appear to have been a DLA issued for it yet.
> >
> > Is that already in progress?
>
> If not, I'll be happy
Debian LTS Advisory DLA-2751-1 debian-...@lists.debian.org
https://www.debian.org/lts/security/ Christoph Berg
August 31, 2021 https://wiki.debian.org/LTS
Re: Stefan Huehner
> Checking openssl / gnutls versions across releases:
> jessie libssl1.0.0 1.0.1t
> libgnutls-deb0-28 3.3.8
>
> stretch libssl1.0.2 1.0.2u
> libssl1.1 1.1.0l
>
Format: 1.8
Date: Tue, 17 Aug 2021 14:04:37 +0200
Source: postgresql-13
Architecture: source
Version: 13.5-0+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers
Changed-By: Christoph Berg
Changes:
postgresql-13 (13.5-0+deb11u1) bullseye
Re: Utkarsh Gupta
> Hi Christoph,
>
> On Fri, Nov 12, 2021 at 1:47 PM Christoph Berg wrote:
> > could someone do the paperwork for
> > postgresql-9.6_9.6.24-0+deb9u1_source.changes ?
>
> Done both, the announcement and the website update. Thank you! \o/
Thanks!
Christoph
Hi,
I just uploaded 3 PostgreSQL security updates:
postgresql-15_15.5-0+deb12u1_source.changes
postgresql-13_13.13-0+deb11u1_source.changes
postgresql-11_11.22-0+deb10u1_source.changes
Unstable has been fixed in 16.1-1. (I don't intend to fix PG15 in
unstable, the package will be removed soon.)
Re: Sylvain Beucler
> Hello Christoph,
>
> According to the LTS files, you plan to take care of postgresql-9.6 security
> updates for stretch.
Hi Sylvain,
I had told the security team that I do *not* intend to update 9.6 in
stretch. I guess that got noted incorrectly.
If anyone wants to pick
for reporting this problem.
-- Christoph Berg Thu, 11 Aug 2022 14:03:50 +0200
Thanks,
Christoph
the end of memory. Fix by properly zero-terminating the server
message. (CVE-2022-41862)
-- Christoph Berg Tue, 07 Feb 2023 17:14:48 +0100
Thanks,
Christoph
Re: Roberto C. Sánchez
> Thanks for doing the upload. I'll take care of the paperwork just now.
Thanks!
Christoph
Re: Utkarsh Gupta
> > I uploaded PostgreSQL 11 to buster. The same DSA for PG 13 went out a
> > few minutes ago. The PG 15 upload will happen now.
>
> Great, thank you. I'll prep the paperwork in sometime.
Thanks!
Christoph
> Distribution: buster-security
> Urgency: medium
> Maintainer: Debian PostgreSQL Maintainers
> Changed-By: Christoph Berg
> Changes:
> postgresql-11 (11.20-0+deb10u1) buster-security; urgency=medium
> .
> * New upstream version.
> .
> + Prevent CREATE