Your message dated Fri, 10 May 2019 22:11:46 +0200 with message-id <d6cd46d9-73a5-715f-450a-08b1a38b9956@debian.org> and subject line Re: unblock: postgresql-11/11.3-1 has caused the Debian Bug report #928719, regarding unblock: postgresql-11/11.3-1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
928719: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928719
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: postgresql-11/11.3-1
- From: Christoph Berg <myon@debian.org>
- Date: Thu, 9 May 2019 17:19:20 +0200
- Message-id: <20190509151920.GA9675@msg.df7cb.de>
- Mail-followup-to: Christoph Berg <myon@debian.org>, Debian Bug Tracking System <submit@bugs.debian.org>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package postgresql-11.

The new version fixes two security bugs, and various other issues. (This is a new upstream minor release, which would have been pushed by the security team if buster was already released.)

unblock postgresql-11/11.3-1

Christoph

postgresql-11 (11.3-1) unstable; urgency=medium

  * New upstream version.

    + Prevent row-level security policies from being bypassed via
      selectivity estimators (Dean Rasheed)

      Some of the planner's selectivity estimators apply user-defined
      operators to values found in pg_statistic (e.g., most-common values).
      A leaky operator therefore can disclose some of the entries in a data
      column, even if the calling user lacks permission to read that column.
      In CVE-2017-7484 we added restrictions to forestall that, but we
      failed to consider the effects of row-level security. A user who has
      SQL permission to read a column, but who is forbidden to see certain
      rows due to RLS policy, might still learn something about those rows'
      contents via a leaky operator. This patch further tightens the rules,
      allowing leaky operators to be applied to statistics data only when
      there is no relevant RLS policy. (CVE-2019-10130)

    + Avoid access to already-freed memory during partition routing error
      reports (Michael Paquier)

      This mistake could lead to a crash, and in principle it might be
      possible to use it to disclose server memory contents.
      (CVE-2019-10129)

 -- Christoph Berg <myon@debian.org>  Tue, 07 May 2019 12:04:34 +0200
--- End Message ---
--- Begin Message ---
- To: 928719-done@bugs.debian.org, Christoph Berg <myon@debian.org>
- Subject: Re: unblock: postgresql-11/11.3-1
- From: Paul Gevers <elbrus@debian.org>
- Date: Fri, 10 May 2019 22:11:46 +0200
- Message-id: <d6cd46d9-73a5-715f-450a-08b1a38b9956@debian.org>
- In-reply-to: <20190509151920.GA9675@msg.df7cb.de>
- References: <20190509151920.GA9675@msg.df7cb.de> <20190509151920.GA9675@msg.df7cb.de>

Hi Christoph,

On Thu, 9 May 2019 17:19:20 +0200 Christoph Berg <myon@debian.org> wrote:
> unblock postgresql-11/11.3-1

Unblocked, thanks.

Paul

Attachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---