postgresql-9.4 (9.4.26-0+deb8u1) jessie-security; urgency=medium

  * New upstream version.
    + Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION.

      Marking an object as dependent on an extension did not have any
      privilege check whatsoever.  This oversight allowed any user to mark
      routines, triggers, materialized views, or indexes as droppable by
      anyone able to drop an extension.  Require that the calling user own the
      specified object (and hence have privilege to drop it). (CVE-2020-1720)

  * This is the last release of the 9.4 series. Please upgrade to a newer
    PostgreSQL major version.

 -- Christoph Berg <myon@debian.org>  Tue, 11 Feb 2020 15:03:00 +0100

postgresql-9.4 (9.4.25-0+deb8u1) jessie-security; urgency=medium

  * New upstream version. This is the next-to-last release of the 9.4 series.
    Please upgrade to a newer PostgreSQL major version.
  * Register debconf templates in postinst. (Closes: #935759)

 -- Christoph Berg <myon@debian.org>  Mon, 18 Nov 2019 11:49:49 +0100

postgresql-9.4 (9.4.24-0+deb8u1) jessie-security; urgency=medium

  * New upstream security release.
    + Fixes regression in ALTER TABLE on multiple columns. (Closes: #932247)

    + Require schema qualification to cast to a temporary type when using
      functional cast syntax (Noah Misch)

      We have long required invocations of temporary functions to explicitly
      specify the temporary schema, that is pg_temp.func_name(args). Require
      this as well for casting to temporary types using functional notation,
      for example pg_temp.type_name(arg). Otherwise it's possible to capture a
      function call using a temporary object, allowing privilege escalation in
      much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)

  * Move maintainer address to tracker.
  * On purge, ask the user if they want to remove clusters.
    (Closes: #911940, #933368)

 -- Christoph Berg <myon@debian.org>  Thu, 08 Aug 2019 16:53:00 +0200

postgresql-9.4 (9.4.22-0+deb8u1) jessie-security; urgency=medium

  * New upstream version.

 -- Christoph Berg <myon@debian.org>  Thu, 09 May 2019 10:04:31 +0200

postgresql-9.4 (9.4.21-0+deb8u1) jessie-security; urgency=medium

  * New upstream version.
  * Revert upstream patch "Disallow setting client_min_messages higher than
    ERROR", it causes to much disruption to existing (test) scripts.

 -- Christoph Berg <christoph.berg@credativ.de>  Mon, 18 Feb 2019 12:00:44 +0100

postgresql-9.4 (9.4.20-0+deb8u1) jessie-security; urgency=medium

  * New upstream version.

 -- Christoph Berg <christoph.berg@credativ.de>  Fri, 25 Jan 2019 09:12:38 +0100

postgresql-9.4 (9.4.19-0+deb8u1) jessie-security; urgency=medium

  * New upstream version.
    + Fix failure to reset libpq's state fully between connection attempts

      An unprivileged user of dblink or postgres_fdw could bypass the checks
      intended to prevent use of server-side credentials, such as a ~/.pgpass
      file owned by the operating-system user running the server.  Servers
      allowing peer authentication on local connections are particularly
      vulnerable.  Other attacks such as SQL injection into a postgres_fdw
      session are also possible. Attacking postgres_fdw in this way requires
      the ability to create a foreign server object with selected connection
      parameters, but any user with access to dblink could exploit the
      problem. In general, an attacker with the ability to select the
      connection parameters for a libpq-using application could cause
      mischief, though other plausible attack scenarios are harder to think
      of. Our thanks to Andrew Krasichkov for reporting this issue.
      (CVE-2018-10915)

  * Add new pgtypes header and symbol.

 -- Christoph Berg <christoph.berg@credativ.de>  Mon, 06 Aug 2018 16:14:28 +0200

postgresql-9.4 (9.4.18-0+deb8u1) jessie; urgency=medium

  * New upstream version.
    + Fix incorrect volatility markings on a few built-in functions.

 -- Christoph Berg <myon@debian.org>  Tue, 08 May 2018 20:37:04 +0200

postgresql-9.4 (9.4.17-0+deb8u1) jessie; urgency=medium

  * New upstream version.

    If you run an installation in which not all users are mutually
    trusting, or if you maintain an application or extension that is
    intended for use in arbitrary situations, it is strongly recommended
    that you read the documentation changes described in the first changelog
    entry below, and take suitable steps to ensure that your installation or
    code is secure.

    Also, the changes described in the second changelog entry below may
    cause functions used in index expressions or materialized views to fail
    during auto-analyze, or when reloading from a dump.  After upgrading,
    monitor the server logs for such problems, and fix affected functions.

    + Document how to configure installations and applications to guard
      against search-path-dependent trojan-horse attacks from other users

      Using a search_path setting that includes any schemas writable by a
      hostile user enables that user to capture control of queries and then
      run arbitrary SQL code with the permissions of the attacked user.  While
      it is possible to write queries that are proof against such hijacking,
      it is notationally tedious, and it's very easy to overlook holes.
      Therefore, we now recommend configurations in which no untrusted schemas
      appear in one's search path.
      (CVE-2018-1058)

    + Avoid use of insecure search_path settings in pg_dump and other client
      programs

      pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications
      were themselves vulnerable to the type of hijacking described in the
      previous changelog entry; since these applications are commonly run by
      superusers, they present particularly attractive targets.  To make them
      secure whether or not the installation as a whole has been secured,
      modify them to include only the pg_catalog schema in their search_path
      settings. Autovacuum worker processes now do the same, as well.

      In cases where user-provided functions are indirectly executed by these
      programs -- for example, user-provided functions in index expressions --
      the tighter search_path may result in errors, which will need to be
      corrected by adjusting those user-provided functions to not assume
      anything about what search path they are invoked under.  That has always
      been good practice, but now it will be necessary for correct behavior.
      (CVE-2018-1058)

 -- Christoph Berg <christoph.berg@credativ.de>  Tue, 27 Feb 2018 13:20:22 +0100

postgresql-9.4 (9.4.16-0+deb8u1) jessie; urgency=medium

  * New upstream version.
    + Ensure that all temporary files made by pg_upgrade are
      non-world-readable (CVE-2018-1053)

 -- Christoph Berg <christoph.berg@credativ.de>  Thu, 08 Feb 2018 10:34:39 +0100

postgresql-9.4 (9.4.15-0+deb8u1) jessie-security; urgency=medium

  * New upstream version.

    + Fix crash due to rowtype mismatch in json{b}_populate_recordset()
      (Michael Paquier, Tom Lane)

      These functions used the result rowtype specified in the FROM ... AS
      clause without checking that it matched the actual rowtype of the
      supplied tuple value.  If it didn't, that would usually result in a
      crash, though disclosure of server memory contents seems possible as
      well. (CVE-2017-15098)

 -- Christoph Berg <christoph.berg@credativ.de>  Wed, 08 Nov 2017 15:27:38 +0100

postgresql-9.4 (9.4.14-0+deb8u1) jessie; urgency=medium

  * New upstream bugfix release.

 -- Christoph Berg <christoph.berg@credativ.de>  Thu, 05 Oct 2017 10:47:27 +0200

postgresql-9.4 (9.4.13-0+deb8u1) jessie-security; urgency=medium

  * New upstream security release.
    + Further restrict visibility of pg_user_mappings.umoptions, to protect
      passwords stored as user mapping options. See the release notes for
      instructions for applying the fix to existing database clusters.
      (CVE-2017-7547; extends fix for CVE-2017-7486)
    + Disallow empty passwords in all password-based authentication methods.
      (CVE-2017-7546)
    + Make lo_put() check for UPDATE privilege on the target large object.
      (CVE-2017-7548)

 -- Christoph Berg <christoph.berg@credativ.de>  Thu, 10 Aug 2017 14:37:53 +0200

postgresql-9.4 (9.4.12-0+deb8u1) jessie-security; urgency=medium

  * New upstream security release.
    + Restrict visibility of pg_user_mappings.umoptions, to protect passwords
      stored as user mapping options (CVE-2017-7486)
    + Prevent exposure of statistical information via leaky operators
      (CVE-2017-7484)
    + Restore libpq's recognition of the PGREQUIRESSL environment variable
      (CVE-2017-7485)

 -- Christoph Berg <christoph.berg@credativ.de>  Tue, 09 May 2017 17:00:48 +0200

postgresql-9.4 (9.4.11-0+deb8u2) jessie; urgency=medium

  * Paper over ULP regression test differences in the "point" test on
    32-bit powerpc on Debian Jessie. The very same code worked previously and
    in fact continues to work on Debian Sid, so it doesn't seem to be
    PostgreSQL's fault that these test results now suffer from rounding
    differences.

 -- Christoph Berg <christoph.berg@credativ.de>  Mon, 20 Feb 2017 16:04:26 +0100

postgresql-9.4 (9.4.11-0+deb8u1) jessie; urgency=medium

  * New upstream version.

    + Fix a race condition that could cause indexes built with CREATE INDEX
      CONCURRENTLY to be corrupt (Pavan Deolasee, Tom Lane)

      If CREATE INDEX CONCURRENTLY was used to build an index that depends on
      a column not previously indexed, then rows inserted or updated by
      transactions that ran concurrently with the CREATE INDEX command could
      have received incorrect index entries.  If you suspect this may have
      happened, the most reliable solution is to rebuild affected indexes
      after installing this update.

 -- Christoph Berg <christoph.berg@credativ.de>  Thu, 09 Feb 2017 15:24:57 +0100

postgresql-9.4 (9.4.10-0+deb8u1) jessie; urgency=medium

  * New upstream version.

    If your installation has been affected by the bug described in the first
    changelog entry below, then after updating you may need to take action to
    repair corrupted free space maps.

    + Fix WAL-logging of truncation of relation free space maps and visibility
      maps (Pavan Deolasee, Heikki Linnakangas)

      It was possible for these files to not be correctly restored during
      crash recovery, or to be written incorrectly on a standby server. Bogus
      entries in a free space map could lead to attempts to access pages that
      have been truncated away from the relation itself, typically producing
      errors like could not read block XXX: read only 0 of 8192 bytes.
      Checksum failures in the visibility map are also possible, if
      checksumming is enabled.

      Procedures for determining whether there is a problem and repairing it
      if so are discussed at
      https://wiki.postgresql.org/wiki/Free_Space_Map_Problems.

 -- Christoph Berg <christoph.berg@credativ.de>  Wed, 16 Nov 2016 15:39:27 +0100

postgresql-9.4 (9.4.9-0+deb8u1) jessie-security; urgency=medium

  * New upstream security release.

    + Fix possible mis-evaluation of nested CASE-WHEN expressions
      (Heikki Linnakangas, Michael Paquier, Tom Lane)

      A CASE expression appearing within the test value subexpression of
      another CASE could become confused about whether its own test value was
      null or not.  Also, inlining of a SQL function implementing the equality
      operator used by a CASE expression could result in passing the wrong
      test value to functions called within a CASE expression in the SQL
      function's body.  If the test values were of different data types, a
      crash might result; moreover such situations could be abused to allow
      disclosure of portions of server memory.  (CVE-2016-5423)

    + Fix client programs' handling of special characters in database and role
      names (Noah Misch, Nathan Bossart, Michael Paquier)

      Numerous places in vacuumdb and other client programs could become
      confused by database and role names containing double quotes or
      backslashes.  Tighten up quoting rules to make that safe. Also, ensure
      that when a conninfo string is used as a database name parameter to
      these programs, it is correctly treated as such throughout.

      Fix handling of paired double quotes in psql's \connect and \password
      commands to match the documentation.

      Introduce a new -reuse-previous option in psql's \connect command to
      allow explicit control of whether to re-use connection parameters from a
      previous connection.  (Without this, the choice is based on whether the
      database name looks like a conninfo string, as before.)  This allows
      secure handling of database names containing special characters in
      pg_dumpall scripts.

      pg_dumpall now refuses to deal with database and role names containing
      carriage returns or newlines, as it seems impractical to quote those
      characters safely on Windows.  In future we may reject such names on the
      server side, but that step has not been taken yet.

      These are considered security fixes because crafted object names
      containing special characters could have been used to execute commands
      with superuser privileges the next time a superuser executes pg_dumpall
      or other routine maintenance operations.  (CVE-2016-5424)

 -- Christoph Berg <christoph.berg@credativ.de>  Wed, 10 Aug 2016 13:36:18 +0200

postgresql-9.4 (9.4.8-0+deb8u1) jessie; urgency=medium

  * New upstream bugfix release.

 -- Christoph Berg <christoph.berg@credativ.de>  Fri, 27 May 2016 14:29:53 +0200

postgresql-9.4 (9.4.7-0+deb8u1) jessie; urgency=medium

  * New upstream bugfix release.
  * Remove obsolete .bzr-builddeb/default.conf.

 -- Christoph Berg <myon@debian.org>  Sat, 02 Apr 2016 13:22:58 +0200

postgresql-9.4 (9.4.6-0+deb8u1) jessie-security; urgency=medium

  * New upstream version.
    + Fix infinite loops and buffer-overrun problems in regular expressions.
      Very large character ranges in bracket expressions could cause infinite
      loops in some cases, and memory overwrites in other cases.
      (CVE-2016-0773)
    + Fix privilege escalation issue for users of PL/Java. Certain custom
      configuration settings (GUCs) for PL/Java will now be modifiable only by
      the database superuser. (CVE-2016-0766)
    + Users will need to reindex any jsonb_path_ops indexes they have created,
      in order to fix a persistent issue with missing index entries.

 -- Christoph Berg <christoph.berg@credativ.de>  Thu, 11 Feb 2016 15:17:44 +0100

postgresql-9.4 (9.4.5-0+deb8u1) jessie-security; urgency=medium

  * New upstream security release.

    + Guard against stack overflows in json parsing (Oskari Saarenmaa)

      If an application constructs PostgreSQL json or jsonb values from
      arbitrary user input, the application's users can reliably crash the
      PostgreSQL server, causing momentary denial of service.  (CVE-2015-5289)

    + Fix contrib/pgcrypto to detect and report too-short crypt() salts
      (Josh Kupershmidt)

      Certain invalid salt arguments crashed the server or disclosed a few
      bytes of server memory.  We have not ruled out the viability of attacks
      that arrange for presence of confidential information in the disclosed
      bytes, but they seem unlikely.  (CVE-2015-5288)

 -- Christoph Berg <christoph.berg@credativ.de>  Thu, 08 Oct 2015 14:24:00 +0200

postgresql-9.4 (9.4.4-0+deb8u1) jessie; urgency=medium

  * New upstream version.
    + Fix possible failure to recover from an inconsistent database state
    + Fix rare failure to invalidate relation cache init file

 -- Christoph Berg <myon@debian.org>  Thu, 11 Jun 2015 20:35:19 +0200

postgresql-9.4 (9.4.3-0+deb8u1) jessie; urgency=medium

  * New upstream version:
    Avoid failures while fsync'ing data directory during crash restart
    (Abhijit Menon-Sen, Tom Lane; Closes: #786874)

 -- Christoph Berg <christoph.berg@credativ.de>  Wed, 03 Jun 2015 11:53:43 +0200

postgresql-9.4 (9.4.2-0+deb8u1) stable-security; urgency=medium

  * New upstream version.

    + Avoid possible crash when client disconnects just before the
      authentication timeout expires (Benkocs Norbert Attila)

      If the timeout interrupt fired partway through the session shutdown
      sequence, SSL-related state would be freed twice, typically causing a
      crash and hence denial of service to other sessions.  Experimentation
      shows that an unauthenticated remote attacker could trigger the bug
      somewhat consistently, hence treat as security issue. (CVE-2015-3165)

    + Improve detection of system-call failures (Noah Misch)

      Our replacement implementation of snprintf() failed to check for errors
      reported by the underlying system library calls; the main case that
      might be missed is out-of-memory situations. In the worst case this
      might lead to information exposure, due to our code assuming that a
      buffer had been overwritten when it hadn't been. Also, there were a few
      places in which security-relevant calls of other system library
      functions did not check for failure.

      It remains possible that some calls of the *printf() family of functions
      are vulnerable to information disclosure if an out-of-memory error
      occurs at just the wrong time.  We judge the risk to not be large, but
      will continue analysis in this area. (CVE-2015-3166)

    + In contrib/pgcrypto, uniformly report decryption failures as Wrong key
      or corrupt data (Noah Misch)

      Previously, some cases of decryption with an incorrect key could report
      other error message texts.  It has been shown that such variance in
      error reports can aid attackers in recovering keys from other systems.
      While it's unknown whether pgcrypto's specific behaviors are likewise
      exploitable, it seems better to avoid the risk by using a
      one-size-fits-all message. (CVE-2015-3167)

    + Protect against wraparound of multixact member IDs
      (Álvaro Herrera, Robert Haas, Thomas Munro)

      Under certain usage patterns, the existing defenses against this might
      be insufficient, allowing pg_multixact/members files to be removed too
      early, resulting in data loss.
      The fix for this includes modifying the server to fail transactions that
      would result in overwriting old multixact member ID data, and improving
      autovacuum to ensure it will act proactively to prevent multixact member
      ID wraparound, as it does for transaction ID wraparound.

  * Repository moved to git, update Vcs headers.

 -- Christoph Berg <christoph.berg@credativ.de>  Thu, 21 May 2015 15:58:30 +0200

postgresql-9.4 (9.4.1-1) unstable; urgency=medium

  * New upstream version.
    + libpq5: Name lookups fixed in minimal chroots (Closes: #756627)
    + Fix buffer overruns in to_char() (CVE-2015-0241)
    + Fix buffer overruns in contrib/pgcrypto (CVE-2015-0243)
    + Fix possible loss of frontend/backend protocol synchronization after an
      error (CVE-2015-0244)
    + Fix information leak via constraint-violation error messages
      (CVE-2014-8161)

 -- Christoph Berg <myon@debian.org>  Wed, 04 Feb 2015 17:55:28 +0100

postgresql-9.4 (9.4.0-1) unstable; urgency=medium

  * 9.4 released.
  * libpq5.symbols: PQhostaddr removed; it was new in 9.4.

 -- Christoph Berg <myon@debian.org>  Wed, 17 Dec 2014 22:21:22 +0100

postgresql-9.4 (9.4~rc1-1) unstable; urgency=medium

  * First 9.4 RC release.
  * Update psql call in dump-reload instructions.
  * Reenable 010_pg_basebackup.t tests, fixed upstream.

 -- Christoph Berg <myon@debian.org>  Tue, 18 Nov 2014 09:49:04 +0100

postgresql-9.4 (9.4~beta3-3) unstable; urgency=medium

  * Temporarily disable failing test in 010_pg_basebackup.t.

 -- Christoph Berg <myon@debian.org>  Thu, 16 Oct 2014 09:32:06 +0200

postgresql-9.4 (9.4~beta3-2) unstable; urgency=medium

  * postgresql-9.4.preinst: Output detailed dump-reload instructions when
    refusing the package upgrade, and also add a NEWS item about it.
    (Closes: #764705)
  * Add libipc-run-perl for the regression tests which otherwise skip large
    parts.
  * Update Standards-Version.

 -- Christoph Berg <myon@debian.org>  Wed, 15 Oct 2014 19:44:43 +0200

postgresql-9.4 (9.4~beta3-1) unstable; urgency=medium

  * New upstream beta version.
    + Catalog version number changed, older 9.4 clusters need to be dumped and
      reloaded.
    + Regexp regression fixed. (Closes: #760564)
    + CACHE_LINE_SIZE definition renamed to mitigate conflict on *BSD.
      (Closes: #763098)

  [ Martin Pitt ]
  * Add missing logrotate test dependency.

  [ Christoph Berg ]
  * Set Multi-Arch: foreign in postgresql-client-9.4 and postgresql-doc-9.4.
    (Closes: #757520; do it even on non-multiarch dists, it doesn't hurt.)
  * Fix postgresql_fdw in description, spotted by Zack Weinberg, thanks!
    (Closes: #762389)

 -- Christoph Berg <myon@debian.org>  Tue, 07 Oct 2014 20:39:57 +0200

postgresql-9.4 (9.4~beta2-1) unstable; urgency=low

  * New upstream beta version.
    + Secure Unix-domain sockets of temporary postmasters started during make
      check (Noah Misch)

      Any local user able to access the socket file could connect as the
      server's bootstrap superuser, then proceed to execute arbitrary code as
      the operating-system user running the test, as we previously noted in
      CVE-2014-0067. This change defends against that risk by placing the
      server's socket in a temporary, mode 0700 subdirectory of /tmp.

  * postgresql-9.4.preinst: Fail upgrade when upgrading from beta1, the
    catalog version changed. People should dump/remove their old clusters
    first.
  * Use util-linux' uuid lib as backend for the uuid-ossp extension
    (--with-uuid=e2fs).
  * Enable sepgsql (--with-selinux). On systems with libselinux1-dev < 2.1.10,
    this is automatically disabled.
  * Revert multiarch for libpq-dev and libecpg-dev. (Closes: #750111, #750112)
  * Remove our pg_regress patches to support --host=/path. Implemented
    upstream as fix for CVE-2014-0067.
  * debian/copyright: Say that there are various copyright holders for the
    contrib modules. (Hello Lintian!)
  * Update Vcs URLs.

 -- Christoph Berg <myon@debian.org>  Mon, 21 Jul 2014 22:26:24 +0200

postgresql-9.4 (9.4~beta1-2) experimental; urgency=medium

  * Update watch file for 9.4.
  * Enable multiarch support in libpq and friends. (Closes: #706849)
    Support is automatically disabled when the distribution does not support
    it.
  * Stop providing postgresql-dbg in postgresql-9.4-dbg. Its only purpose was
    to conflict with other postgresql-*-dbg packages, and that's no longer
    needed with build-id debug symbols.
  * Skip -pie on 32bit archs for performance and stability reasons.
    Closes: #749686; details at
    http://www.postgresql.org/message-id/20140519115318.GB7296@msgid.df7cb.de
  * Update contrib copyright statements, and move them to a separate file.
    Thanks to Thorsten Alteholz for reviewing the package.

 -- Christoph Berg <myon@debian.org>  Fri, 30 May 2014 20:09:50 +0200

postgresql-9.4 (9.4~beta1-1) experimental; urgency=low

  * Update for 9.4. Packaging based on 9.3 branch.
  * Bump to debhelper 9 to get debug symbol files based on build-ids.

 -- Christoph Berg <myon@debian.org>  Mon, 12 May 2014 22:08:37 +0200
