
Accepted postgresql-15 15.5-0+deb12u1 (source) into proposed-updates



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 07 Nov 2023 14:36:06 +0100
Source: postgresql-15
Architecture: source
Version: 15.5-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 postgresql-15 (15.5-0+deb12u1) bookworm-security; urgency=medium
 .
   * New upstream version.
 .
     * Fix handling of unknown-type arguments in DISTINCT "any" aggregate
       functions (Tom Lane)
 .
       This error led to a text-type value being interpreted as an unknown-type
       value (that is, a zero-terminated string) at runtime.  This could result
       in disclosure of server memory following the text value.
 .
       The PostgreSQL Project thanks Jingzhou Fu for reporting this problem.
       (CVE-2023-5868)
 .
     * Detect integer overflow while computing new array dimensions
       (Tom Lane)
 .
       When assigning new elements to array subscripts that are outside the
       current array bounds, an undetected integer overflow could occur in edge
       cases.  Memory stomps that are potentially exploitable for arbitrary
       code execution are possible, and so is disclosure of server memory.
 .
       The PostgreSQL Project thanks Pedro Gallegos for reporting this problem.
       (CVE-2023-5869)
 .
     * Prevent the pg_signal_backend role from signalling background workers
       and autovacuum processes (Noah Misch, Jelte Fennema-Nio)
 .
       The documentation says that pg_signal_backend
       cannot issue signals to superuser-owned processes.  It was able to
       signal these background processes, though, because they advertise a
       role OID of zero.  Treat that as indicating superuser ownership.
       The security implications of cancelling one of these process types
       are fairly small so far as the core code goes (we'll just start
       another one), but extensions might add background workers that are
       more vulnerable.
 .
       Also ensure that the is_superuser parameter is set correctly in such
       processes.  No specific security consequences are known for that
       oversight, but it might be significant for some extensions.
 .
       The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar
       Srinivasarao for reporting this problem. (CVE-2023-5870)
 .
     * Fix misbehavior during recursive page split in GiST index build
       (Heikki Linnakangas)
 .
       Fix a case where the location of a page downlink was incorrectly
       tracked, and introduce some logic to allow recovering from such
       situations rather than silently doing the wrong thing.  This error could
       result in incorrect answers from subsequent index searches. It may be
       advisable to reindex all GiST indexes after installing this update.
 .
     * Prevent de-duplication of btree index entries for interval columns
 .
       There are interval values that are distinguishable but compare equal,
       for example 24:00:00 and 1 day.  This breaks assumptions made by btree
       de-duplication, so interval columns need to be excluded from
       de-duplication.  This oversight can cause incorrect results from
       index-only scans.  Moreover, after updating amcheck will report an error
       for almost all such indexes.  Users should reindex any btree indexes on
       interval columns.
 .
   * Rebase debian/patches/libpgport-pkglibdir.
Checksums-Sha1:
 ef17427ffeddaab1542ec9c193748bf16cf4fe9a 3919 postgresql-15_15.5-0+deb12u1.dsc
 1688b684c181a3173a3f2b76a12e83c8371facc8 23091780 postgresql-15_15.5.orig.tar.bz2
 e17713becc5f0e0e4d946507a75174985631c203 25052 postgresql-15_15.5-0+deb12u1.debian.tar.xz
Checksums-Sha256:
 0375551ce7ba7e8f5242e59cb20b944adcc6826f78422f2a436be6e99725e666 3919 postgresql-15_15.5-0+deb12u1.dsc
 8f53aa95d78eb8e82536ea46b68187793b42bba3b4f65aa342f540b23c9b10a6 23091780 postgresql-15_15.5.orig.tar.bz2
 0cfb11525046064ad795faab3b68e4b450f2fda314ae3fa6555a7178b4674dfb 25052 postgresql-15_15.5-0+deb12u1.debian.tar.xz
Files:
 5491dd9c4196d9ca0d0b15a37b5417d0 3919 database optional postgresql-15_15.5-0+deb12u1.dsc
 9a7d6515408ecb5823546d0a3d7b318c 23091780 database optional postgresql-15_15.5.orig.tar.bz2
 ba01d1504baeea53362003a1b443d704 25052 database optional postgresql-15_15.5-0+deb12u1.debian.tar.xz

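Two of the changelog entries above end with advice to reindex: all GiST indexes (recursive page-split fix) and any btree index on an interval column (deduplication fix). The following is an added example, not part of the Debian upload notice or of the PostgreSQL project's own tooling, showing how a DBA can enumerate exactly those indexes from the system catalogs on a freshly upgraded 15.5 server and generate the corresponding REINDEX statements. It assumes psql is the client (the `\gexec` meta-command is psql-specific) and that the caller owns, or is a superuser over, the affected indexes; it runs against any database, with no table or index names hard-coded.

```sql
-- Added example (not from the upload notice): list the indexes the 15.5
-- changelog says should be rebuilt, then rebuild them.

-- Illustrate the btree deduplication problem: these two intervals compare
-- equal for ordering purposes but are distinguishable values.
SELECT '24:00:00'::interval = '1 day'::interval AS compare_equal,
       '24:00:00'::interval::text AS left_text,
       '1 day'::interval::text    AS right_text;
-- compare_equal is true while the two text forms differ.

-- Generate one REINDEX statement per affected index.
SELECT format('REINDEX INDEX CONCURRENTLY %I.%I;', n.nspname, ic.relname) AS cmd
FROM   pg_index i
JOIN   pg_class     ic ON ic.oid = i.indexrelid
JOIN   pg_namespace n  ON n.oid  = ic.relnamespace
JOIN   pg_am        am ON am.oid = ic.relam
WHERE  n.nspname NOT IN ('pg_catalog', 'pg_toast', 'information_schema')
  AND (
        -- 1) every GiST index (page-split tracking fix)
        am.amname = 'gist'
        OR
        -- 2) every btree index with at least one interval-typed column,
        --    including expression columns, whose result type is recorded
        --    in pg_attribute for the index relation
        (am.amname = 'btree' AND EXISTS (
            SELECT 1
            FROM   pg_attribute a
            JOIN   pg_type      t ON t.oid = a.atttypid
            WHERE  a.attrelid = i.indexrelid
              AND  t.typname = 'interval'))
      )
ORDER BY 1 \gexec
-- \gexec makes psql execute each returned cmd string as a statement.
-- CONCURRENTLY avoids blocking writers but needs free disk space for the
-- new copy; drop it if the table can be locked during maintenance.

-- Optional verification with the amcheck extension shipped with PostgreSQL:
-- the changelog notes it reports an error for almost all unfixed interval
-- btree indexes, so a clean run after reindexing is the expected result.
CREATE EXTENSION IF NOT EXISTS amcheck;
SELECT bt_index_check(ic.oid::regclass, true)
FROM   pg_index i
JOIN   pg_class ic ON ic.oid = i.indexrelid
JOIN   pg_am    am ON am.oid = ic.relam
JOIN   pg_attribute a ON a.attrelid = i.indexrelid
JOIN   pg_type  t  ON t.oid = a.atttypid
WHERE  am.amname = 'btree' AND t.typname = 'interval';
```

Run the generator query first without `\gexec` to review the list; on a large database, REINDEX CONCURRENTLY on many GiST indexes is best scheduled in a maintenance window because each rebuild temporarily doubles that index's storage.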

