
Bug#1111075: marked as done (trixie-pu: package postgresql-17/17.6-0+deb13u1)



Your message dated Sat, 06 Sep 2025 12:14:57 +0100
with message-id <165032e5317517556dd7fd8cf24843112a3fb6ac.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 13.1
has caused the Debian Bug report #1111075,
regarding trixie-pu: package postgresql-17/17.6-0+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1111075: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111075
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: postgresql-17@packages.debian.org
Control: affects -1 + src:postgresql-17
User: release.debian.org@packages.debian.org
Usertags: pu

New postgresql-17 package with a few low-profile CVEs that didn't
warrant a DSA.

[ Tests ]
Lots of upstream tests and extensive postgresql-common testsuite
coverage.

Christoph

diff --git a/debian/changelog b/debian/changelog
index 6be7c5f..033ccb0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,66 @@
+postgresql-17 (17.6-0+deb13u1) trixie; urgency=medium
+
+  * New upstream version 17.6.
+
+    + Tighten security checks in planner estimation functions (Dean Rasheed)
+
+      The fix for CVE-2017-7484, plus followup fixes, intended to prevent
+      leaky functions from being applied to statistics data for columns that
+      the calling user does not have permission to read.  Two gaps in that
+      protection have been found.  One gap applies to partitioning and
+      inheritance hierarchies where RLS policies on the tables should restrict
+      access to statistics data, but did not.
+
+      The other gap applies to cases where the query accesses a table via a
+      view, and the view owner has permissions to read the underlying table
+      but the calling user does not have permissions on the view. The view
+      owner's permissions satisfied the security checks, and the leaky
+      function would get applied to the underlying table's statistics before
+      we check the calling user's permissions on the view.  This has been
+      fixed by making security checks on views occur at the start of planning.
+      That might cause permissions failures to occur earlier than before.
+
+      The PostgreSQL Project thanks Dean Rasheed for reporting this problem.
+      (CVE-2025-8713)
+
+    + Prevent pg_dump scripts from being used to attack the user running the
+      restore (Nathan Bossart)
+
+      Since dump/restore operations typically involve running SQL commands as
+      superuser, the target database installation must trust the source
+      server.  However, it does not follow that the operating system user who
+      executes psql to perform the restore should have to trust the source
+      server.  The risk here is that an attacker who has gained
+      superuser-level control over the source server might be able to cause it
+      to emit text that would be interpreted as psql meta-commands. That would
+      provide shell-level access to the restoring user's own account,
+      independently of access to the target database.
+
+      To provide a positive guarantee that this can't happen, extend psql with
+      a \restrict command that prevents execution of further meta-commands,
+      and teach pg_dump to issue that before any data coming from the source
+      server.
+
+      The PostgreSQL Project thanks Martin Rakhmanov, Matthieu Denais, and
+      RyotaK for reporting this problem. (CVE-2025-8714)
+
+    + Convert newlines to spaces in names included in comments in pg_dump
+      output (Noah Misch)
+
+      Object names containing newlines offered the ability to inject arbitrary
+      SQL commands into the output script.  (Without the preceding fix,
+      injection of psql meta-commands would also be possible this way.)
+      CVE-2012-0868 fixed this class of problem at the time, but later work
+      reintroduced several cases.
+
+      The PostgreSQL Project thanks Noah Misch for reporting this problem.
+      (CVE-2025-8715)
+
+  * Add Turkish debconf translation by Atila KOÇ, thanks! (Closes: #1107984)
+  * Drop hurd-iovec patch, implemented upstream.
+
+ -- Christoph Berg <myon@debian.org>  Wed, 13 Aug 2025 13:03:55 +0200
+
 postgresql-17 (17.5-1) unstable; urgency=medium
 
   * New upstream version 17.5.
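Review bot: the two behaviour changes buried in the upstream release-note text of this entry deserve a short, separate mention for a stable update (a NEWS entry or one sentence in the changelog itself): dumps written by the updated pg_dump now start with a `\restrict` meta-command that psql binaries predating this fix do not recognise, so mixed-version dump/restore paths need to be considered, and the earlier view permission checks for CVE-2025-8713 can, as the entry itself says, "cause permissions failures to occur earlier than before". Neither is wrong, but trixie administrators reading `apt-listchanges` output will otherwise have to dig them out of the CVE prose.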
diff --git a/debian/patches/hurd-iovec b/debian/patches/hurd-iovec
deleted file mode 100644
index e5255f0..0000000
--- a/debian/patches/hurd-iovec
+++ /dev/null
@@ -1,26 +0,0 @@
-hurd-i386 does not define IOV_MAX
-
---- a/src/include/port/pg_iovec.h
-+++ b/src/include/port/pg_iovec.h
-@@ -20,9 +20,6 @@
- 
- #else
- 
--/* POSIX requires at least 16 as a maximum iovcnt. */
--#define IOV_MAX 16
--
- /* Define our own POSIX-compatible iovec struct. */
- struct iovec
- {
-@@ -32,6 +29,11 @@ struct iovec
- 
- #endif
- 
-+/* POSIX requires at least 16 as a maximum iovcnt. */
-+#ifndef IOV_MAX
-+#define IOV_MAX 16
-+#endif
-+
- /* Define a reasonable maximum that is safe to use on the stack. */
- #define PG_IOV_MAX Min(IOV_MAX, 32)
- 
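Review bot: removing this patch rests on the changelog line "Drop hurd-iovec patch, implemented upstream." Before dropping it, confirm that 17.6's `src/include/port/pg_iovec.h` provides the guarded `#ifndef IOV_MAX` / `#define IOV_MAX 16` fallback after the `#endif` the way this patch did, since the patch header states that hurd-i386 does not define IOV_MAX and `#define PG_IOV_MAX Min(IOV_MAX, 32)` would then fail to compile there. Citing the upstream commit in the changelog line would make that check reproducible for the next uploader.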
diff --git a/debian/patches/series b/debian/patches/series
index e1346aa..988f8dc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,5 +10,4 @@ extension_destdir
 autoconf2.69
 focal-arm64-outline-atomics
 jit-s390x
-hurd-iovec
 pgstat-report-conflicts-immediately.patch
diff --git a/debian/po/tr.po b/debian/po/tr.po
new file mode 100644
index 0000000..e0bc253
--- /dev/null
+++ b/debian/po/tr.po
@@ -0,0 +1,41 @@
+# Turkish debconf translation of postgresql
+# Copyright (C) 2025 Debian Turkish L10n Team
+# This file is distributed under the same license as the postgresql package.
+#
+# Translators:
+# Atila KOÇ <atilakoc@yahoo.com>, 2025.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: postgresql 17\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2025-04-29 17:06+0000\n"
+"PO-Revision-Date: 2025-05-18 11:57+0300\n"
+"Last-Translator: Atila KOÇ <atilakoc@yahoo.com>\n"
+"Language-Team: Turkish <debian-l10n-turkish@lists.debian.org>\n"
+"Language: tr\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n > 1);\n"
+"X-Generator: Poedit 3.6\n"
+
+#. Type: boolean
+#. Description
+#: ../postgresql-17.templates:1001
+msgid "Remove PostgreSQL directories when package is purged?"
+msgstr ""
+"PostgreSQL paketi temizlenerek kaldırıldığında, dizinleri de silinsin mi?"
+
+#. Type: boolean
+#. Description
+#: ../postgresql-17.templates:1001
+msgid ""
+"Removing the PostgreSQL server package will leave existing database clusters "
+"intact, i.e. their configuration, data, and log directories will not be "
+"removed. On purging the package, the directories can optionally be removed."
+msgstr ""
+"PostgreSQL sunucu paketi kaldırıldığında varolan veritabanı kümelerini "
+"öylece bırakır; örneğin onların yapılandırma dosyaları, verileri ve kayıt "
+"dizinleri silinmez. Paket temizlenerek kaldırıldığında ise, bu dizinler "
+"isteğe bağlı olarak silinebilir."
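Review bot: in the second msgstr, "i.e." has been rendered as "örneğin" ("for example"), which changes the meaning; the English sentence is clarifying what "intact" means rather than giving an example, so "yani" ("that is") is the right connective. A smaller point: "varolan" is conventionally written as two words, "var olan". Worth fixing before the string is frozen in a stable release.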

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.1

Hi,

Each of the updates referenced by these requests was included in
today's 13.1 point release for trixie.

Regards,

Adam

--- End Message ---
