postgresql-9.5 updated to version 9.5.24-1.pgdg+1 - apt.postgresql.org Repository Update

public inbox for [email protected]  
help / color / mirror / Atom feed

From: apt.postgresql.org Repository Update <[email protected]>
To: PostgreSQL on Debian and Ubuntu <[email protected]>
Subject: postgresql-9.5 updated to version 9.5.24-1.pgdg+1
Date: Thu, 12 Nov 2020 12:19:37 +0000
Message-ID: <[email protected]> (raw)

The package postgresql-9.5 was updated on apt.postgresql.org.

apt-listchanges: Changelogs
---------------------------

postgresql-9.5 (9.5.24-1.pgdg+1) sid-pgdg; urgency=medium

  * Rebuild for sid-pgdg.
  * Changes applied by generate-pgdg-source:
    + Moving lib packages to component 9.5.
    + Enabling cassert.

 -- PostgreSQL on Debian and Ubuntu <[email protected]>  Wed, 23 Sep 2020 20:43:41 +0200

postgresql-9.5 (9.5.24-1) unstable; urgency=medium

  * New upstream version.
    + Fixes timetz regression test failures. (Closes: #974063)

    + Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers
      within index expressions and materialized view queries (Noah Misch)

      This is essentially a leak in the security restricted operation sandbox
      mechanism.  An attacker having permission to create non-temporary SQL
      objects could parlay this leak to execute arbitrary SQL code as a
      superuser.

      The PostgreSQL Project thanks Etienne Stalmans for reporting this
      problem. (CVE-2020-25695)

    + Fix usage of complex connection-string parameters in pg_dump,
      pg_restore, clusterdb, reindexdb, and vacuumdb (Tom Lane)

      The -d parameter of pg_dump and pg_restore, or the --maintenance-db
      parameter of the other programs mentioned, can be a connection string
      containing multiple connection parameters rather than just a database
      name.  In cases where these programs need to initiate additional
      connections, such as parallel processing or processing of multiple
      databases, the connection string was forgotten and just the basic
      connection parameters (database name, host, port, and username) were
      used for the additional connections.  This could lead to connection
      failures if the connection string included any other essential
      information, such as non-default SSL or GSS parameters. Worse, the
      connection might succeed but not be encrypted as intended, or be
      vulnerable to man-in-the-middle attacks that the intended connection
      parameters would have prevented. (CVE-2020-25694)

    + When psql's

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected]
  Subject: Re: postgresql-9.5 updated to version 9.5.24-1.pgdg+1
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox