Merge postgresql-14 from Debian unstable for kinetic
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
postgresql-14 (Ubuntu) | Fix Released | Undecided | Athos Ribeiro |
Bug Description
Upstream: 14.3
Debian: 14.3-1
Ubuntu: 14.2-1ubuntu2
Debian typically updates postgresql-14 every month on average, but it was last updated 22.02 and looks overdue. Check back in on this monthly.
### New Debian Changes ###
postgresql-14 (14.2-1) unstable; urgency=medium
* New upstream release.
-- Christoph Berg <email address hidden> Wed, 09 Feb 2022 10:39:43 +0100
postgresql-14 (14.1-5) unstable; urgency=medium
* Provide postgresql-
depend on a matching llvm version.
-- Christoph Berg <email address hidden> Mon, 03 Jan 2022 16:08:18 +0100
postgresql-14 (14.1-4) unstable; urgency=medium
[ Christoph Berg ]
* Disable LLVM JIT on s390x for now. (See #1002029)
[ Christian Ehrhardt ]
* postgresql-
armel.
-- Christoph Berg <email address hidden> Mon, 20 Dec 2021 18:21:21 +0100
postgresql-14 (14.1-3) unstable; urgency=medium
* Use system default clang/llvm version. (Closes: #1000915)
* Use centralized debian/rules logic in postgresql-common.
-- Christoph Berg <email address hidden> Fri, 03 Dec 2021 09:56:49 +0100
postgresql-14 (14.1-2) unstable; urgency=medium
* Enable outline-atomics on arm64 (affects Ubuntu focal only).
-- Christoph Berg <email address hidden> Tue, 16 Nov 2021 11:56:37 +0100
postgresql-14 (14.1-1) unstable; urgency=medium
* New upstream release.
+ Make the server and libpq reject extraneous data after an SSL or GSS
encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP
connection could stuff some cleartext data into the start of a
supposedly encryption-
This could be abused to send faked SQL commands to the server, although
that would only work if the server did not demand any authentication
data. (However, a server relying on SSL certificate authentication
might well not do so.) (CVE-2021-23214)
This could probably be abused to inject faked responses to the client's
first few queries, although other details of libpq's behavior make that
harder than it sounds. A different line of attack is to exfiltrate the
client's password, or other sensitive data that might be sent early in
the session. That has been shown to be possible with a server
vulnerable to CVE-2021-23214. (CVE-2021-23222)
The PostgreSQL Project thanks Jacob Champion for reporting these
problems.
* libpq-dev: Depend on libssl-dev, `pkg-config --exists libpq` requires it.
-- Christoph Berg <email address hidden> Fri, 05 Nov 2021 12:05:46 +0100
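The hardening described for CVE-2021-23214 and CVE-2021-23222 in the 14.1-1 entry above comes down to one rule applied on both ends of the connection: once the SSLRequest and its one-byte answer have been exchanged, any further byte that arrived in the same read was never protected by TLS and must abort the connection instead of being kept in the input buffer. The Python sketch below is an added illustration, not libpq's or the server's code; it models the pre-fix buffering next to the post-fix strict check over a constructed byte buffer. The wire constants (SSLRequest code 80877103, answers 'S'/'N') are the protocol's own; the six trailing bytes shaped like a ReadyForQuery message are constructed sample input standing in for whatever an on-path party could append to the server's reply.

```python
import struct

# Wire constants from the PostgreSQL frontend/backend protocol: an SSLRequest is
# an int32 length (8) followed by the int32 request code 80877103; the server
# answers with a single byte, 'S' (proceed with TLS) or 'N' (no TLS).
SSL_REQUEST_CODE = 80877103
SSL_REQUEST = struct.pack("!ii", 8, SSL_REQUEST_CODE)


class HandshakeError(Exception):
    """Raised when the pre-TLS exchange must abort the connection."""


def client_read_ssl_response_lenient(buf: bytes):
    """Model of the pre-fix client behaviour (illustrative, not libpq's code):
    the first byte is taken as the answer and everything after it stays in the
    input buffer, to be parsed as protocol messages once the session is
    'encrypted', even though those bytes arrived in cleartext."""
    if not buf:
        raise HandshakeError("connection closed during SSL negotiation")
    answer, leftover = chr(buf[0]), buf[1:]
    return answer, leftover


def client_read_ssl_response_strict(buf: bytes) -> str:
    """Post-fix rule: exactly one byte, 'S' or 'N', and nothing else. Any extra
    byte was not covered by the TLS handshake and must abort the connection."""
    if not buf:
        raise HandshakeError("connection closed during SSL negotiation")
    answer = chr(buf[0])
    if answer not in ("S", "N"):
        raise HandshakeError(f"unexpected SSL response byte {answer!r}")
    if len(buf) > 1:
        raise HandshakeError(
            f"received {len(buf) - 1} unencrypted byte(s) after SSL response")
    return answer


def server_handle_ssl_request_strict(buf: bytes) -> bytes:
    """Server side of the same rule: accept a well-formed SSLRequest and refuse
    the connection if anything follows it before TLS is established."""
    if len(buf) < 8:
        raise HandshakeError("short startup packet")
    length, code = struct.unpack("!ii", buf[:8])
    if length != 8 or code != SSL_REQUEST_CODE:
        raise HandshakeError("startup packet is not an SSLRequest")
    if len(buf) > 8:
        raise HandshakeError(
            f"received {len(buf) - 8} unencrypted byte(s) after SSL request")
    return b"S"


def rejects(handler, buf: bytes) -> bool:
    """True if `handler` aborts the handshake for `buf`."""
    try:
        handler(buf)
    except HandshakeError:
        return True
    return False


# Constructed sample input: the server's legitimate 'S' followed by six cleartext
# bytes shaped like a ReadyForQuery message ('Z', int32 length 5, status 'I'),
# and an SSLRequest with one stray cleartext byte appended.
CLEAN_RESPONSE = b"S"
TAMPERED_RESPONSE = b"S" + b"Z" + struct.pack("!i", 5) + b"I"
TAMPERED_REQUEST = SSL_REQUEST + b"\x00"


def demo() -> dict:
    """Compare the two client behaviours and the server check on the samples."""
    _, leftover = client_read_ssl_response_lenient(TAMPERED_RESPONSE)
    return {
        "strict_clean": client_read_ssl_response_strict(CLEAN_RESPONSE),
        "lenient_leftover_bytes": len(leftover),  # 6 cleartext bytes kept
        "strict_rejects_tampered": rejects(client_read_ssl_response_strict,
                                           TAMPERED_RESPONSE),
        "server_accepts_clean": server_handle_ssl_request_strict(SSL_REQUEST),
        "server_rejects_tampered": rejects(server_handle_ssl_request_strict,
                                           TAMPERED_REQUEST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The lenient model keeps the six trailing bytes and would later parse them as if they had come over TLS, which is exactly the window the two CVEs describe; the strict variants close it by treating any byte beyond the handshake answer as a fatal protocol error on both sides, before any authentication data or query is exchanged.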
postgresql-14 (14.0-1) unstable; urgency=medium
* First PG14 release.
* Depend on postgresql-common 229 for scram-sha-256 authentication by
default.
-- Christoph Berg <email address hidden> Tue, 28 Sep 2021 13:56:00 +0200
postgresql-14 (14~rc1-1) experimental; urgency=medium
* First PG14 release candidate.
* Enable spinlocks on riscv64.
* Fix awk to be mawk, spotted by Yangfl. (Closes: #987786)
* configure.ac: Remove check for autoconf 2.69.
* Spanish debconf translation by Jonathan Bustillos, thanks!
(Closes: #986775)
* Flatten debian/
-- Christoph Berg <email address hidden> Thu, 23 Sep 2021 12:39:42 +0200
postgresql-14 (14~beta3-1) experimental; urgency=medium
* New beta version.
* libpq5.symbols: Add PQsendFlushRequest.
-- Christoph Berg <email address hidden> Tue, 10 Aug 2021 13:11:12 +0200
postgresql-14 (14~beta2-1) experimental; urgency=medium
* New beta version.
* libpq5.symbols: Add PQmblenBounded, PQsetTraceFlags, remove PQtraceSetFlags.
* debian/
### Old Ubuntu Delta ###
postgresql-14 (14.2-1ubuntu1) jammy; urgency=medium
* d/p/llvm14-
-- Andreas Hasenack <email address hidden> Fri, 25 Mar 2022 11:34:41 -0300
CVE References
Changed in postgresql-14 (Ubuntu):
milestone: none → ubuntu-22.06
status: New → Incomplete
Changed in postgresql-14 (Ubuntu):
assignee: nobody → Athos Ribeiro (athos-ribeiro)
Changed in postgresql-14 (Ubuntu):
status: Fix Committed → Fix Released
The only change in the current delta is patches/llvm14-support.patch (https://github.com/postgres/postgres/commit/d9f7ad54e552262ee0090e88d5abd3e04fcdeac8)
debian/
which is included in the new release (14.3) and is available in the new Debian package
(https:/
Therefore, this can be a sync.