New upstream microreleases 9.3.22, 9.5.12, 9.6.8 and 10.3

Note: opening private as it is not yet announced
Will open up then ...

Uploads prepared and building in ppas atm;
For tests pre-upload (while waiting for the official release and announcement)

Trusty: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3179
Xenial: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3180
Artful: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3181

Build (and build time tests) complete and all good.

Kicked the Dep8 tests against the PPA content (will take a while)

Hrm, I don't see why, but the bileto tests no more run.
/me shakes his fist against infrastructure

I want at least to run the core tests manually instead now ...

For postgresql-common, mimeo and the respective postgresql-<VER> I ran tests manually.

$ rel=artful; for d in *.dsc; do autopkgtest -o ${d}.log --apt-upgrade --shell-fail --setup-commands="add-apt-repository ppa:ci-train-ppa-service/3181; apt update; apt -y upgrade" --no-built-binaries $d -- qemu --qemu-options='-cpu host' --cpus 10 --ram-size=4098 ~/${rel}/autopkgtest-${rel}-amd64.img; done
$ rel=xenial; for d in *.dsc; do autopkgtest -o ${d}.log --apt-upgrade --shell-fail --setup-commands="add-apt-repository ppa:ci-train-ppa-service/3180; apt update; apt -y upgrade" --no-built-binaries $d -- qemu --qemu-options='-cpu host' --cpus 10 --ram-size=4098 ~/${rel}/autopkgtest-${rel}-amd64.img; done
$ rel=trusty; for d in *.dsc; do autopkgtest --apt-upgrade --shell-fail --setup-commands="add-apt-repository ppa:ci-train-ppa-service/3179; apt update; apt -y upgrade" --no-built-binaries $d -- qemu --qemu-options='-cpu host' --cpus 10 --ram-size=4098 ~/${rel}/autopkgtest-${rel}-amd64.img; done

Those all worked from the ppa.

Also the releases are now public, so I can modify the changelog details and make them available as last time.
=> Setting the bug public as well

FYI: Shared the finalized (changelog and news link) uploads with the Security Team

This bug was fixed in the package postgresql-9.3 - 9.3.22-0ubuntu0.14.04

---------------
postgresql-9.3 (9.3.22-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream release (LP: #1752271)
    If you run an installation in which not all users are mutually
    trusting, or if you maintain an application or extension that is
    intended for use in arbitrary situations, it is strongly recommended
    that you read the documentation changes described in the first changelog
    entry below, and take suitable steps to ensure that your installation or
    code is secure.

    Also, the changes described in the second changelog entry below may
    cause functions used in index expressions or materialized views to fail
    during auto-analyze, or when reloading from a dump. After upgrading,
    monitor the server logs for such problems, and fix affected functions.

    - Document how to configure installations and applications to guard
      against search-path-dependent trojan-horse attacks from other users

      Using a search_path setting that includes any schemas writable by a
      hostile user enables that user to capture control of queries and then
      run arbitrary SQL code with the permissions of the attacked user. While
      it is possible to write queries that are proof against such hijacking,
      it is notationally tedious, and it's very easy to overlook holes.
      Therefore, we now recommend configurations in which no untrusted schemas
      appear in one's search path.
      (CVE-2018-1058)

    - Avoid use of insecure search_path settings in pg_dump and other client
      programs

      pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications
      were themselves vulnerable to the type of hijacking described in the
      previous changelog entry; since these applications are commonly run by
      superusers, they present particularly attractive targets. To make them
      secure whether or not the installation as a whole has been secured,
      modify them to include only the pg_catalog schema in their search_path
      settings. Autovacuum worker processes now do the same, as well.

      In cases where user-provided functions are indirectly executed by these
      programs -- for example, user-provided functions in index expressions --
      the tighter search_path may result in errors, which will need to be
      corrected by adjusting those user-provided functions to not assume
      anything about what search path they are invoked under. That has always
      been good practice, but now it will be necessary for correct behavior.
      (CVE-2018-1058)

    - Details about other changes can be found at
      https://www.postgresql.org/docs/9.3/static/release-9-3-22.html

 -- Christian Ehrhardt <email address hidden> Wed, 28 Feb 2018 09:59:05 +0100

This bug was fixed in the package postgresql-9.6 - 9.6.8-0ubuntu0.17.10

---------------
postgresql-9.6 (9.6.8-0ubuntu0.17.10) artful-security; urgency=medium

  * New upstream release (LP: #1752271)
    If you run an installation in which not all users are mutually
    trusting, or if you maintain an application or extension that is
    intended for use in arbitrary situations, it is strongly recommended
    that you read the documentation changes described in the first changelog
    entry below, and take suitable steps to ensure that your installation or
    code is secure.

    Also, the changes described in the second changelog entry below may
    cause functions used in index expressions or materialized views to fail
    during auto-analyze, or when reloading from a dump. After upgrading,
    monitor the server logs for such problems, and fix affected functions.

    - Document how to configure installations and applications to guard
      against search-path-dependent trojan-horse attacks from other users

      Using a search_path setting that includes any schemas writable by a
      hostile user enables that user to capture control of queries and then
      run arbitrary SQL code with the permissions of the attacked user. While
      it is possible to write queries that are proof against such hijacking,
      it is notationally tedious, and it's very easy to overlook holes.
      Therefore, we now recommend configurations in which no untrusted schemas
      appear in one's search path.
      (CVE-2018-1058)

    - Avoid use of insecure search_path settings in pg_dump and other client
      programs

      pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications
      were themselves vulnerable to the type of hijacking described in the
      previous changelog entry; since these applications are commonly run by
      superusers, they present particularly attractive targets. To make them
      secure whether or not the installation as a whole has been secured,
      modify them to include only the pg_catalog schema in their search_path
      settings. Autovacuum worker processes now do the same, as well.

      In cases where user-provided functions are indirectly executed by these
      programs -- for example, user-provided functions in index expressions --
      the tighter search_path may result in errors, which will need to be
      corrected by adjusting those user-provided functions to not assume
      anything about what search path they are invoked under. That has always
      been good practice, but now it will be necessary for correct behavior.
      (CVE-2018-1058)

    - Details about other changes can be found at
      https://www.postgresql.org/docs/9.6/static/release-9-6-8.html

 -- Christian Ehrhardt <email address hidden> Wed, 28 Feb 2018 09:59:10 +0100

This bug was fixed in the package postgresql-9.5 - 9.5.12-0ubuntu0.16.04

---------------
postgresql-9.5 (9.5.12-0ubuntu0.16.04) xenial-security; urgency=medium

  * New upstream release (LP: #1752271)
    If you run an installation in which not all users are mutually
    trusting, or if you maintain an application or extension that is
    intended for use in arbitrary situations, it is strongly recommended
    that you read the documentation changes described in the first changelog
    entry below, and take suitable steps to ensure that your installation or
    code is secure.

    Also, the changes described in the second changelog entry below may
    cause functions used in index expressions or materialized views to fail
    during auto-analyze, or when reloading from a dump. After upgrading,
    monitor the server logs for such problems, and fix affected functions.

    - Document how to configure installations and applications to guard
      against search-path-dependent trojan-horse attacks from other users

      Using a search_path setting that includes any schemas writable by a
      hostile user enables that user to capture control of queries and then
      run arbitrary SQL code with the permissions of the attacked user. While
      it is possible to write queries that are proof against such hijacking,
      it is notationally tedious, and it's very easy to overlook holes.
      Therefore, we now recommend configurations in which no untrusted schemas
      appear in one's search path.
      (CVE-2018-1058)

    - Avoid use of insecure search_path settings in pg_dump and other client
      programs

      pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications
      were themselves vulnerable to the type of hijacking described in the
      previous changelog entry; since these applications are commonly run by
      superusers, they present particularly attractive targets. To make them
      secure whether or not the installation as a whole has been secured,
      modify them to include only the pg_catalog schema in their search_path
      settings. Autovacuum worker processes now do the same, as well.

      In cases where user-provided functions are indirectly executed by these
      programs -- for example, user-provided functions in index expressions --
      the tighter search_path may result in errors, which will need to be
      corrected by adjusting those user-provided functions to not assume
      anything about what search path they are invoked under. That has always
      been good practice, but now it will be necessary for correct behavior.
      (CVE-2018-1058)

    - Details about other changes can be found at
      https://www.postgresql.org/docs/9.5/static/release-9-5-12.html

 -- Christian Ehrhardt <email address hidden> Wed, 28 Feb 2018 09:59:08 +0100