[ubuntu/hirsute-proposed] postgresql-12 12.5-0ubuntu1 (Accepted)
Christian Ehrhardt
christian.ehrhardt at canonical.com
Fri Nov 13 07:13:20 UTC 2020
postgresql-12 (12.5-0ubuntu1) hirsute; urgency=medium

  * New upstream version.
    + Fixes timetz regression test failures. (Closes: #974063)
      (LP: #1903573)

    + Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers
      within index expressions and materialized view queries (Noah Misch)

      This is essentially a leak in the security restricted operation sandbox
      mechanism. An attacker having permission to create non-temporary SQL
      objects could parlay this leak to execute arbitrary SQL code as a
      superuser.

      The PostgreSQL Project thanks Etienne Stalmans for reporting this
      problem. (CVE-2020-25695)

    + Fix usage of complex connection-string parameters in pg_dump,
      pg_restore, clusterdb, reindexdb, and vacuumdb (Tom Lane)

      The -d parameter of pg_dump and pg_restore, or the --maintenance-db
      parameter of the other programs mentioned, can be a connection string
      containing multiple connection parameters rather than just a database
      name. In cases where these programs need to initiate additional
      connections, such as parallel processing or processing of multiple
      databases, the connection string was forgotten and just the basic
      connection parameters (database name, host, port, and username) were
      used for the additional connections. This could lead to connection
      failures if the connection string included any other essential
      information, such as non-default SSL or GSS parameters. Worse, the
      connection might succeed but not be encrypted as intended, or be
      vulnerable to man-in-the-middle attacks that the intended connection
      parameters would have prevented. (CVE-2020-25694)

    + When psql's \connect command re-uses connection parameters, ensure that
      all non-overridden parameters from a previous connection string are
      re-used (Tom Lane)

      This avoids cases where reconnection might fail due to omission of
      relevant parameters, such as non-default SSL or GSS options. Worse, the
      reconnection might succeed but not be encrypted as intended, or be
      vulnerable to man-in-the-middle attacks that the intended connection
      parameters would have prevented. This is largely the same problem as
      just cited for pg_dump et al, although psql's behavior is more complex
      since the user may intentionally override some connection parameters.
      (CVE-2020-25694)

    + Prevent psql's \gset command from modifying specially-treated variables
      (Noah Misch)

      \gset without a prefix would overwrite whatever variables the server
      told it to. Thus, a compromised server could set specially-treated
      variables such as PROMPT1, giving the ability to execute arbitrary shell
      code in the user's session.

      The PostgreSQL Project thanks Nick Cleaton for reporting this problem.
      (CVE-2020-25696)

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/10/static/release-12-5.html

    + d/control: update-maintainer

Date: Thu, 12 Nov 2020 12:28:11 +0100
Changed-By: Christian Ehrhardt <christian.ehrhardt at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/postgresql-12/12.5-0ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 12 Nov 2020 12:28:11 +0100
Source: postgresql-12
Architecture: source
Version: 12.5-0ubuntu1
Distribution: hirsute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Christian Ehrhardt <christian.ehrhardt at canonical.com>
Closes: 974063
Launchpad-Bugs-Fixed: 1903573
Original-Maintainer: Debian PostgreSQL Maintainers <team+postgresql at tracker.debian.org>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
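
A model of the CVE-2020-25694 behaviour described in the changelog above, added here as an illustration and not taken from pg_dump, libpq or the Ubuntu package: it parses a keyword/value connection string, reduces it to the four basic parameters as the pre-fix tools did for additional connections, and reports which TLS/GSS settings were lost. The sample connection string, host name and CA path are constructed; the parameter names are real libpq keywords and "prefer" is libpq's default sslmode.

```python
import re

# One keyword=value pair of a libpq keyword/value connection string; values
# are bare or single-quoted, with backslash escapes. URI strings not handled.
_PAIR = re.compile(
    r"\s*([A-Za-z_]+)\s*=\s*(?:'((?:\\.|[^'\\])*)'|((?:\\.|[^\s'\\])*))")

BASIC = ("dbname", "host", "port", "user")   # what the changelog says was kept
SECURITY = ("sslmode", "sslrootcert", "sslcert", "sslkey", "sslcrl",
            "requirepeer", "gssencmode", "krbsrvname")
LIBPQ_DEFAULT_SSLMODE = "prefer"             # used when sslmode is absent


def parse_conninfo(conninfo):
    """Parse a keyword/value connection string into a dict."""
    params, pos = {}, 0
    while conninfo[pos:].strip():
        m = _PAIR.match(conninfo, pos)
        if not m:
            raise ValueError(f"malformed connection string at offset {pos}")
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1)] = re.sub(r"\\(.)", r"\1", raw)
        pos = m.end()
    return params


def additional_connection_params(conninfo, fixed):
    """Model of the parameters a secondary connection gets (not pg_dump code)."""
    params = parse_conninfo(conninfo)
    return params if fixed else {k: v for k, v in params.items() if k in BASIC}


def dropped_security_params(conninfo):
    """TLS/GSS settings present in the string but lost before the fix."""
    kept = additional_connection_params(conninfo, fixed=False)
    return sorted(k for k in parse_conninfo(conninfo)
                  if k in SECURITY and k not in kept)


def effective_sslmode(params):
    return params.get("sslmode", LIBPQ_DEFAULT_SSLMODE)


# Constructed sample: host, user and CA path are illustrative only.
SAMPLE = ("host=db.example.internal port=5432 dbname=sales user=backup "
          "sslmode=verify-full sslrootcert='/etc/ssl/certs/corp ca.pem'")

if __name__ == "__main__":
    print("lost pre-fix:", dropped_security_params(SAMPLE))
```

Running the same check over the -d and --maintenance-db strings in existing backup scripts shows which jobs depended on settings that additional connections did not carry before 12.5.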