PostgreSQL 11.19-0+deb10u1

To: Debian LTS <debian-lts@lists.debian.org>
Subject: PostgreSQL 11.19-0+deb10u1
From: Christoph Berg <myon@debian.org>
Date: Fri, 10 Feb 2023 11:41:56 +0100
Message-id: <[🔎] Y+YfdIpZMfzAolHm@msg.df7cb.de>
Mail-followup-to: Christoph Berg <myon@debian.org>, Debian LTS <debian-lts@lists.debian.org>

Hi,

I just uploaded postgresql-11_11.19-0+deb10u1 to buster-security. If
someone could pick that up for the paperwork part, that would be nice.

postgresql-11 (11.19-0+deb10u1) buster-security; urgency=medium

  * New upstream version.

    + libpq can leak memory contents after GSSAPI transport encryption
      initiation fails (Jacob Champion)

      A modified server, or an unauthenticated man-in-the-middle, can send a
      not-zero-terminated error message during setup of GSSAPI (Kerberos)
      transport encryption.  libpq will then copy that string, as well as
      following bytes in application memory up to the next zero byte, to its
      error report. Depending on what the calling application does with the
      error report, this could result in disclosure of application memory
      contents.  There is also a small probability of a crash due to reading
      beyond the end of memory.  Fix by properly zero-terminating the server
      message. (CVE-2022-41862)

 -- Christoph Berg <myon@debian.org>  Tue, 07 Feb 2023 17:14:48 +0100

Thanks,
Christoph

Reply to:

Follow-Ups:
- Re: PostgreSQL 11.19-0+deb10u1
  - From: Roberto C. Sánchez <roberto@debian.org>

Prev by Date: Re: Upload MariaDB 1:10.3.37-0+deb10u1 ?
Next by Date: Re: PostgreSQL 11.19-0+deb10u1
Previous by thread: Re: Upload MariaDB 1:10.3.37-0+deb10u1 ?
Next by thread: Re: PostgreSQL 11.19-0+deb10u1
Index(es):
- Date
- Thread