• Accepted postgresql-15 15.11-0+deb12u1 (source) into proposed-updates

    From Debian FTP Masters@21:1/5 to All on Sun Feb 16 13:50:02 2025

    Format: 1.8
    Date: Tue, 11 Feb 2025 11:27:41 +0100
    Source: postgresql-15
    Architecture: source
    Version: 15.11-0+deb12u1
    Distribution: bookworm
    Urgency: medium
    Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
    Changed-By: Christoph Berg <myon@debian.org>
    Changes:
    postgresql-15 (15.11-0+deb12u1) bookworm; urgency=medium
    .
    * New upstream version 15.11.
    .
    + Harden PQescapeString and allied functions against invalidly-encoded
    input strings (Andres Freund, Noah Misch)
    .
    Data-quoting functions supplied by libpq now fully check the encoding
    validity of their input. If invalid characters are detected, they
    report an error if possible. For the ones that lack an error return
    convention, the output string is adjusted to ensure that the server will
    report invalid encoding and no intervening processing will be fooled by
    bytes that might happen to match single quote, backslash, etc.
    .
    The purpose of this change is to guard against SQL-injection attacks
    that are possible if one of these functions is used to quote crafted
    input. There is no hazard when the resulting string is sent directly to
    a PostgreSQL server (which would check its encoding anyway), but there
    is a risk when it is passed through psql or other client-side code.
    Historically such code has not carefully vetted encoding, and in many
    cases it's not clear what it should do if it did detect such a problem.
    .
    This fix is effective only if the data-quoting function, the server, and
    any intermediate processing agree on the character encoding that's being
    used. Applications that insert untrusted input into SQL commands should
    take special care to ensure that that's true.
    .
    Applications and drivers that quote untrusted input without using these
    libpq functions may be at risk of similar problems. They should first
    confirm the data is valid in the encoding expected by the server.
    .
    The PostgreSQL Project thanks Stephen Fewer for reporting this problem.
    (CVE-2025-1094)
