[Bug 1928773] Re: New upstream microreleases 10.17 12.7 13.3

Launchpad Bug Tracker Tue, 01 Jun 2021 04:41:11 -0700

This bug was fixed in the package postgresql-10 - 10.17-0ubuntu0.18.04.1

---------------
postgresql-10 (10.17-0ubuntu0.18.04.1) bionic-security; urgency=medium


  * New upstream version (LP: #1928773).

    + Prevent integer overflows in array subscripting calculations (Tom
Lane)

      The array code previously did not complain about cases where an array's
      lower bound plus length overflows an integer.  This resulted in later
      entries in the array becoming inaccessible (since their subscripts could
      not be written as integers), but more importantly it confused subsequent
      assignment operations.  This could lead to memory overwrites, with
      ensuing crashes or unwanted data modifications. (CVE-2021-32027)

    + Fix mishandling of junk columns in INSERT ... ON CONFLICT ... UPDATE
      target lists (Tom Lane)

      If the UPDATE list contains any multi-column sub-selects (which give
      rise to junk columns in addition to the results proper), the UPDATE path
      would end up storing tuples that include the values of the extra junk
      columns. That's fairly harmless in the short run, but if new columns are
      added to the table then the values would become accessible, possibly
      leading to malfunctions if they don't match the datatypes of the added
      columns.

      In addition, in versions supporting cross-partition updates, a
      cross-partition update triggered by such a case had the reverse problem:
      the junk columns were removed from the target list, typically causing an
      immediate crash due to malfunction of the multi-column sub-select
      mechanism. (CVE-2021-32028)

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/10/release-10-17.html

 -- Christian Ehrhardt <[email protected]>  Tue, 18 May
2021 12:17:37 +0200

** Changed in: postgresql-10 (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-32027

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-32028

** Changed in: postgresql-12 (Ubuntu Focal)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-32029

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1928773

Title:
  New upstream microreleases 10.17 12.7 13.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/postgresql-12/+bug/1928773/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1928773] Re: New upstream microreleases 10.17 12.7 13.3

Reply via email to