Accepted postgresql-11 11.12-0+deb10u1 (source) into proposed-updates->stable-new, proposed-updates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 12 May 2021 16:42:10 +0200
Source: postgresql-11
Architecture: source
Version: 11.12-0+deb10u1
Distribution: buster-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
postgresql-11 (11.12-0+deb10u1) buster-security; urgency=medium
.
* New upstream version.
.
+ Prevent integer overflows in array subscripting calculations (Tom Lane)
.
The array code previously did not complain about cases where an array's
lower bound plus length overflows an integer. This resulted in later
entries in the array becoming inaccessible (since their subscripts could
not be written as integers), but more importantly it confused subsequent
assignment operations. This could lead to memory overwrites, with
ensuing crashes or unwanted data modifications. (CVE-2021-32027)
.
+ Fix mishandling of junk columns in INSERT ... ON CONFLICT ... UPDATE
target lists (Tom Lane)
.
If the UPDATE list contains any multi-column sub-selects (which give
rise to junk columns in addition to the results proper), the UPDATE path
would end up storing tuples that include the values of the extra junk
columns. That's fairly harmless in the short run, but if new columns are
added to the table then the values would become accessible, possibly
leading to malfunctions if they don't match the datatypes of the added
columns.
.
In addition, in versions supporting cross-partition updates, a
cross-partition update triggered by such a case had the reverse problem:
the junk columns were removed from the target list, typically causing an
immediate crash due to malfunction of the multi-column sub-select
mechanism. (CVE-2021-32028)
.
+ Fix possibly-incorrect computation of UPDATE ... RETURNING outputs for
joined cross-partition updates (Amit Langote, Etsuro Fujita)
.
If an UPDATE for a partitioned table caused a row to be moved to another
partition with a physically different row type (for example, one with a
different set of dropped columns), computation of RETURNING results for
that row could produce errors or wrong answers. No error is observed
unless the UPDATE involves other tables being joined to the target
table. (CVE-2021-32029)
Checksums-Sha1:
7bd49b50d5efac6148d280bdcc54fb715733b581 3745 postgresql-11_11.12-0+deb10u1.dsc
4058af97fde72064c5fd18a508eda6a5526359df 20075485 postgresql-11_11.12.orig.tar.bz2
f0fba10a41fcac64889eef7486a89b78c1c7e53f 27380 postgresql-11_11.12-0+deb10u1.debian.tar.xz
Checksums-Sha256:
7c33b4631e3724ba947ae15bd63c995c12fc401fdd05645a33c4cd46bccb2c41 3745 postgresql-11_11.12-0+deb10u1.dsc
87f9d8b16b2b8ef71586f2ec76beac844819f64734b07fa33986755c2f53cb04 20075485 postgresql-11_11.12.orig.tar.bz2
14b775753a19adae79bf383b7feb06f0cb1e844ebbea295287f33e4d881b478d 27380 postgresql-11_11.12-0+deb10u1.debian.tar.xz
Files:
6d2cb5e70582ec2e92fd01be9f58849e 3745 database optional postgresql-11_11.12-0+deb10u1.dsc
3746c96a0e8f546f5503ef7b50abd2ff 20075485 database optional postgresql-11_11.12.orig.tar.bz2
6b901d80a7f58d721d28a2ce07a77b02 27380 database optional postgresql-11_11.12-0+deb10u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
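
The first changelog entry above (CVE-2021-32027) turns on whether an array's lower bound plus its length is still representable as an integer. The C sketch below is an added example, not PostgreSQL's code or its actual fix; the struct, the function names and the MAX_DIMS limit are assumptions made for illustration, and the sample shapes are constructed.

```c
/* Added illustration, not PostgreSQL source; all names are hypothetical. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_DIMS 6              /* assumed limit for this sketch */

typedef struct {
    int ndim;
    int lbound[MAX_DIMS];       /* lower bound of each dimension */
    int length[MAX_DIMS];       /* number of elements in each dimension */
} array_shape;

/* True if lbound + length fits in an int. Rearranged so the test itself
 * cannot overflow: length >= 0 keeps INT_MAX - length well defined. */
static bool dim_ok(int lbound, int length)
{
    return length >= 0 && lbound <= INT_MAX - length;
}

/* Returns -1 if every dimension is valid, else the index of the first one
 * to reject (a bad ndim is reported as dimension 0). */
static int first_bad_dim(const array_shape *s)
{
    if (s->ndim < 0 || s->ndim > MAX_DIMS)
        return 0;
    for (int i = 0; i < s->ndim; i++)
        if (!dim_ok(s->lbound[i], s->length[i]))
            return i;
    return -1;
}

/* Zero-based position of subscript sub within one dimension, or -1 if it is
 * out of range. lbound + length is only evaluated after dim_ok() passed. */
static int sub_to_index(int lbound, int length, int sub)
{
    if (!dim_ok(lbound, length) || sub < lbound || sub >= lbound + length)
        return -1;
    return sub - lbound;
}

int main(void)
{
    /* Constructed shapes: one ordinary, one whose last subscripts pass INT_MAX. */
    array_shape good = { 2, { 1, -3 }, { 10, 7 } };
    array_shape bad  = { 2, { 1, INT_MAX - 2 }, { 10, 5 } };
    printf("good: %d  bad: %d\n", first_bad_dim(&good), first_bad_dim(&bad));
    printf("subscript 0 in [-3..3] -> %d\n", sub_to_index(-3, 7, 0));
    return 0;
}
```

Rejecting the shape when it is constructed, rather than at each later subscript, keeps every subsequent index calculation inside the range the check established.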