
Bug#928719: marked as done (unblock: postgresql-11/11.3-1)



Your message dated Fri, 10 May 2019 22:11:46 +0200
with message-id <d6cd46d9-73a5-715f-450a-08b1a38b9956@debian.org>
and subject line Re: unblock: postgresql-11/11.3-1
has caused the Debian Bug report #928719,
regarding unblock: postgresql-11/11.3-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
928719: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928719
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package postgresql-11. The new version fixes two
security bugs, and various other issues. (This is a new upstream minor
release, which would have been pushed by the security team if buster was
already released.)

unblock postgresql-11/11.3-1

Christoph


postgresql-11 (11.3-1) unstable; urgency=medium

  * New upstream version.
    + Prevent row-level security policies from being bypassed via selectivity
      estimators (Dean Rasheed)

      Some of the planner's selectivity estimators apply user-defined
      operators to values found in pg_statistic (e.g., most-common values).
      A leaky operator therefore can disclose some of the entries in a data
      column, even if the calling user lacks permission to read that column.
      In CVE-2017-7484 we added restrictions to forestall that, but we failed
      to consider the effects of row-level security.  A user who has SQL
      permission to read a column, but who is forbidden to see certain rows
      due to RLS policy, might still learn something about those rows'
      contents via a leaky operator.  This patch further tightens the rules,
      allowing leaky operators to be applied to statistics data only when
      there is no relevant RLS policy.  (CVE-2019-10130)

    + Avoid access to already-freed memory during partition routing error
      reports (Michael Paquier)

      This mistake could lead to a crash, and in principle it might be
      possible to use it to disclose server memory contents. (CVE-2019-10129)

 -- Christoph Berg <myon@debian.org>  Tue, 07 May 2019 12:04:34 +0200

--- End Message ---
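The changelog above explains that the planner may hand values from pg_statistic to user-defined operators, and that this is only safe when the operator's underlying function is leakproof and no row-level security policy applies. The following SQL is an added example, not part of the bug report, the Debian package or the PostgreSQL changelog; it shows, from an administrator's side, how an RLS-protected table is set up, what the LEAKPROOF marking means, and how to audit which user-defined operators are backed by non-leakproof functions. The table, role, policy and function names (tenant_data, app_user, tenant_isolation, safe_eq, the app.tenant setting) are constructed for illustration and assume a PostgreSQL 11 server.

```sql
-- Added example; assumes PostgreSQL 11. All object names below are constructed.

-- 1. A table whose rows are partitioned per tenant by a row-level security policy.
CREATE TABLE tenant_data (
    tenant text NOT NULL,
    secret text NOT NULL
);
INSERT INTO tenant_data VALUES ('acme', 'alpha'), ('globex', 'bravo');

ALTER TABLE tenant_data ENABLE ROW LEVEL SECURITY;
ALTER TABLE tenant_data FORCE ROW LEVEL SECURITY;   -- apply the policy to the owner too

-- Each session sets app.tenant; rows of other tenants are invisible to it.
CREATE POLICY tenant_isolation ON tenant_data
    USING (tenant = current_setting('app.tenant', true));

CREATE ROLE app_user;
GRANT SELECT ON tenant_data TO app_user;

-- 2. LEAKPROOF is a promise to the planner that the function reveals nothing about
--    its arguments except through its return value (no error messages echoing the
--    input, no side effects). Only a superuser may attach it. A plain equality
--    wrapper like this one keeps that promise; a function that raised an error
--    containing its argument would not, and must stay non-leakproof.
CREATE FUNCTION safe_eq(text, text) RETURNS boolean
    LANGUAGE sql IMMUTABLE STRICT LEAKPROOF
    AS $$ SELECT $1 = $2 $$;

-- 3. Audit: user-defined operators whose implementing function is NOT leakproof.
--    These are the "leaky operators" the 11.3 fix keeps away from statistics of
--    tables that have a relevant RLS policy.
SELECT n.nspname  AS schema,
       o.oprname  AS operator,
       p.proname  AS function,
       p.proleakproof
FROM pg_operator  o
JOIN pg_proc      p ON p.oid = o.oprcode
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT p.proleakproof
ORDER BY 1, 2;

-- 4. Confirm the running server carries the 11.3 minor release.
SHOW server_version;
```

The audit query in step 3 is the part worth keeping in a periodic check: extensions and hand-written operator classes are the usual source of non-leakproof functions reachable by the planner, and the 11.3 behaviour (statistics withheld whenever an RLS policy applies) is the server-side backstop, not a reason to mark functions LEAKPROOF that do not actually meet the definition.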
--- Begin Message ---
Hi Christoph,

On Thu, 9 May 2019 17:19:20 +0200 Christoph Berg <myon@debian.org> wrote:
> unblock postgresql-11/11.3-1

Unblocked, thanks.

Paul



--- End Message ---
