
Bug#930799: unblock: postgresql-11/11.4-1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package postgresql-11. The new version fixes
CVE-2019-10164.

debian/* diff:

diff --git a/debian/changelog b/debian/changelog
index d9bedcb..2f7e899 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,23 @@
+postgresql-11 (11.4-1) unstable; urgency=medium
+
+  * New upstream version.
+    + Fix buffer-overflow hazards in SCRAM verifier parsing
+      (Jonathan Katz, Heikki Linnakangas, Michael Paquier)
+
+      Any authenticated user could cause a stack-based buffer overflow by
+      changing their own password to a purpose-crafted value.  In addition to
+      the ability to crash the PostgreSQL server, this could suffice for
+      executing arbitrary code as the PostgreSQL operating system account.
+
+      A similar overflow hazard existed in libpq, which could allow a rogue
+      server to crash a client or perhaps execute arbitrary code as the
+      client's operating system account.
+
+      The PostgreSQL Project thanks Alexander Lakhin for reporting this
+      problem.  (CVE-2019-10164)
+
+ -- Christoph Berg <myon@debian.org>  Tue, 18 Jun 2019 11:03:14 +0200
+
 postgresql-11 (11.3-1) unstable; urgency=medium

   * New upstream version.
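
Review bot: `urgency=medium` on the new header line looks low for what the entry itself describes: a stack-based buffer overflow that any authenticated user can trigger by changing their own password, with possible arbitrary code execution as the PostgreSQL operating system account, plus a similar hazard in libpq on the client side. Since the urgency field feeds the testing migration delay, consider `urgency=high` for this upload, or state in the request why medium is sufficient. The entry also lists only the SCRAM fix under "New upstream version", and the request shows only the debian/* diff, so a line saying whether 11.4 carries other upstream changes would help the release team judge the size of the unblock.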

unblock postgresql-11/11.4-1

Christoph

