• Accepted postgresql-13 13.5-0+deb11u1 (source) into proposed-updates->s

    From Debian FTP Masters@21:1/5 to All on Mon Nov 15 20:20:01 2021
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Format: 1.8
    Date: Tue, 17 Aug 2021 14:04:37 +0200
    Source: postgresql-13
    Architecture: source
    Version: 13.5-0+deb11u1
    Distribution: bullseye-security
    Urgency: medium
    Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
    Changed-By: Christoph Berg <myon@debian.org>
    Changes:
    postgresql-13 (13.5-0+deb11u1) bullseye-security; urgency=medium
    .
    * New upstream security release.
    .
    + Make the server and libpq reject extraneous data after an SSL or GSS
    encryption handshake (Tom Lane)
    .
    A man-in-the-middle with the ability to inject data into the TCP
    connection could stuff some cleartext data into the start of a
    supposedly encryption-protected database session.
    .
    This could be abused to send faked SQL commands to the server, although
    that would only work if the server did not demand any authentication
    data. (However, a server relying on SSL certificate authentication
    might well not do so.) (CVE-2021-23214)
    .
    This could probably be abused to inject faked responses to the client's
    first few queries, although other details of libpq's behavior make that
    harder than it sounds. A different line of attack is to exfiltrate the
    client's password, or other sensitive data that might be sent early in
    the session. That has been shown to be possible with a server
    vulnerable to CVE-2021-23214. (CVE-2021-23222)
    .
    The PostgreSQL Project thanks Jacob Champion for reporting these
    problems.
    .
    * Flatten debian/*.lintian-overrides symlinks to fix salsa CI.
    Checksums-Sha1:
    eb3f1cc8538c3febc19bfd29c3c085861ec9e151 3696 postgresql-13_13.5-0+deb11u1.dsc
    9321e2b01d1ffb15adae06945cb2c5f9dd671bc9 21186674 postgresql-13_13.5.orig.tar.bz2
    6e44ab8a18cef94a5e6aa0b97db74e44006e518d 28796 postgresql-13_13.5-0+deb11u1.debian.tar.xz
    Checksums-Sha256:
    70481ab99d82417bef296378c69720657347c03b188d276e9b82f6587936d3be 3696 postgresql-13_13.5-0+deb11u1.dsc
    9b81067a55edbaabc418aacef457dd8477642827499560b00615a6ea6c13f6b3 21186674 postgresql-13_13.5.orig.tar.bz2
    36f225fda1f0759d8892d42a99acf565e1693ad2572714aad91b807f03cb4c95 28796 postgresql-13_13.5-0+deb11u1.debian.tar.xz
    Files:
    4b2ddbb813ac78dfcad5d171ca0a680e 3696 database optional postgresql-13_13.5-0+deb11u1.dsc
    cf9814bdf22afcddb993b43a7be17da6 21186674 database optional postgresql-13_13.5.orig.tar.bz2
    59bf74dbfcba21ba6ded3288d7764592 28796 database optional postgresql-13_13.5-0+deb11u1.debian.tar.xz

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)