Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

postgresql: high-exposure security vulnerability

Related Vulnerabilities: CVE-2013-1899   CVE-2013-1900   CVE-2013-1901  

Source

Debian Bug report logs - #704479
postgresql: high-exposure security vulnerability

version graph

Package: postgresql-9.1; Maintainer for postgresql-9.1 is Debian PostgreSQL Maintainers <pkg-postgresql-public@lists.alioth.debian.org>;

Reported by: Hleb Valoshka <375gnu@gmail.com>

Date: Mon, 1 Apr 2013 17:33:01 UTC

Severity: critical

Tags: fixed-upstream, security

Fixed in versions postgresql-9.1/9.1.9-1, postgresql-9.1/9.1.9-0wheezy1

Done: Martin Pitt <mpitt@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, 375gnu@gmail.com, Debian PostgreSQL Maintainers <pkg-postgresql-public@lists.alioth.debian.org>:
Bug#704479; Package postgresql. (Mon, 01 Apr 2013 17:33:06 GMT) (full text, mbox, link).

Acknowledgement sent to Hleb Valoshka <375gnu@gmail.com>:
New Bug report received and forwarded. Copy sent to 375gnu@gmail.com, Debian PostgreSQL Maintainers <pkg-postgresql-public@lists.alioth.debian.org>.

Your message had a Version: pseudo-header with an invalid package version:

high-exposure security vulnerability

please either use found or fixed to the control server with a correct version, or reply to this report indicating the correct version so the maintainer (or someone else) can correct it for you.

(Mon, 01 Apr 2013 17:33:06 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Hleb Valoshka <375gnu@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: postgresql: high-exposure security vulnerability
Date: Mon, 01 Apr 2013 20:28:59 +0300
Package: postgresql
Version: high-exposure security vulnerability
Severity: normal

Dear Maintainer, there is excerpt from http://www.postgresql.org/about/news/1454/

Upcoming PostgreSQL Security Release: April 4, 2013
Posted on 2013-03-28

The PostgreSQL Global Development Group will be releasing a security update for all supported versions on Thursday April 4th, 2013. This release will include a fix for a high-exposure security vulnerability. All users are strongly urged to apply the update as soon as it is available.

We are providing this advance notice so that users may schedule an update of their production systems on or shortly after April 4th.

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=be_BY.UTF-8, LC_CTYPE=be_BY.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PostgreSQL Maintainers <pkg-postgresql-public@lists.alioth.debian.org>:
Bug#704479; Package postgresql. (Mon, 01 Apr 2013 17:39:03 GMT) (full text, mbox, link).

Acknowledgement sent to Hleb Valoshka <375gnu@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PostgreSQL Maintainers <pkg-postgresql-public@lists.alioth.debian.org>. (Mon, 01 Apr 2013 17:39:03 GMT) (full text, mbox, link).

Message #10 received at 704479@bugs.debian.org (full text, mbox, reply):

From: Hleb Valoshka <375gnu@gmail.com>
To: 704479@bugs.debian.org
Subject: Re: Bug#704479: Acknowledgement (postgresql: high-exposure security vulnerability)
Date: Mon, 1 Apr 2013 20:37:39 +0300
tag -1 security
thanks

Added tag(s) security. Request was from Hleb Valoshka <375gnu@gmail.com> to control@bugs.debian.org. (Mon, 01 Apr 2013 17:45:06 GMT) (full text, mbox, link).

Bug reassigned from package 'postgresql' to 'postgresql-9.1'. Request was from Martin Pitt <martin.pitt@ubuntu.com> to control@bugs.debian.org. (Mon, 01 Apr 2013 19:27:10 GMT) (full text, mbox, link).

Added tag(s) pending and fixed-upstream. Request was from Martin Pitt <martin.pitt@ubuntu.com> to control@bugs.debian.org. (Tue, 02 Apr 2013 11:27:15 GMT) (full text, mbox, link).

Severity set to 'critical' from 'normal' Request was from Martin Pitt <martin.pitt@ubuntu.com> to control@bugs.debian.org. (Tue, 02 Apr 2013 11:27:18 GMT) (full text, mbox, link).

Reply sent to Martin Pitt <mpitt@debian.org>:
You have taken responsibility. (Thu, 04 Apr 2013 13:51:14 GMT) (full text, mbox, link).

Notification sent to Hleb Valoshka <375gnu@gmail.com>:
Bug acknowledged by developer. (Thu, 04 Apr 2013 13:51:14 GMT) (full text, mbox, link).

Message #23 received at 704479-close@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>
To: 704479-close@bugs.debian.org
Subject: Bug#704479: fixed in postgresql-9.1 9.1.9-1
Date: Thu, 04 Apr 2013 13:49:37 +0000
Source: postgresql-9.1
Source-Version: 9.1.9-1

We believe that the bug you reported is fixed in the latest version of
postgresql-9.1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 704479@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Pitt <mpitt@debian.org> (supplier of updated postgresql-9.1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 02 Apr 2013 10:26:14 +0200
Source: postgresql-9.1
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-9.1 postgresql-9.1-dbg postgresql-client-9.1 postgresql-server-dev-9.1 postgresql-doc-9.1 postgresql-contrib-9.1 postgresql-plperl-9.1 postgresql-plpython-9.1 postgresql-plpython3-9.1 postgresql-pltcl-9.1
Architecture: source amd64 all
Version: 9.1.9-1
Distribution: unstable
Urgency: high
Maintainer: Debian PostgreSQL Maintainers <pkg-postgresql-public@lists.alioth.debian.org>
Changed-By: Martin Pitt <mpitt@debian.org>
Description: 
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6   - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 9.1
 libpq-dev  - header files for libpq5 (PostgreSQL library)
 libpq5     - PostgreSQL C client library
 postgresql-9.1 - object-relational SQL database, version 9.1 server
 postgresql-9.1-dbg - debug symbols for postgresql-9.1
 postgresql-client-9.1 - front-end programs for PostgreSQL 9.1
 postgresql-contrib-9.1 - additional facilities for PostgreSQL
 postgresql-doc-9.1 - documentation for the PostgreSQL database management system
 postgresql-plperl-9.1 - PL/Perl procedural language for PostgreSQL 9.1
 postgresql-plpython-9.1 - PL/Python procedural language for PostgreSQL 9.1
 postgresql-plpython3-9.1 - PL/Python 3 procedural language for PostgreSQL 9.1
 postgresql-pltcl-9.1 - PL/Tcl procedural language for PostgreSQL 9.1
 postgresql-server-dev-9.1 - development files for PostgreSQL 9.1 server-side programming
Closes: 704479
Changes: 
 postgresql-9.1 (9.1.9-1) unstable; urgency=high
 .
   * Urgency high because of critical remote data destruction vulnerability.
   * New upstream security/bug fix release:
     - Fix insecure parsing of server command-line switches.
       A connection request containing a database name that begins with
       "-" could be crafted to damage or destroy files within the server's
       data directory, even if the request is eventually rejected.
       [CVE-2013-1899] (Closes: #704479)
     - Reset OpenSSL randomness state in each postmaster child process.
       This avoids a scenario wherein random numbers generated by
       "contrib/pgcrypto" functions might be relatively easy for another
       database user to guess. The risk is only significant when the
       postmaster is configured with ssl = on but most connections don't
       use SSL encryption. [CVE-2013-1900]
     - Make REPLICATION privilege checks test current user not
       authenticated user.
       An unprivileged database user could exploit this mistake to call
       pg_start_backup() or pg_stop_backup(), thus possibly interfering
       with creation of routine backups. [CVE-2013-1901]
     - Fix GiST indexes to not use "fuzzy" geometric comparisons when it's
       not appropriate to do so.
       The core geometric types perform comparisons using "fuzzy"
       equality, but gist_box_same must do exact comparisons, else GiST
       indexes using it might become inconsistent. After installing this
       update, users should "REINDEX" any GiST indexes on box, polygon,
       circle, or point columns, since all of these use gist_box_same.
     - Fix erroneous range-union and penalty logic in GiST indexes that
       use "contrib/btree_gist" for variable-width data types, that is
       text, bytea, bit, and numeric columns.
       These errors could result in inconsistent indexes in which some
       keys that are present would not be found by searches, and also in
       useless index bloat. Users are advised to "REINDEX" such indexes
       after installing this update.
     - Fix bugs in GiST page splitting code for multi-column indexes.
       These errors could result in inconsistent indexes in which some
       keys that are present would not be found by searches, and also in
       indexes that are unnecessarily inefficient to search. Users are
       advised to "REINDEX" multi-column GiST indexes after installing
       this update.
     - See HISTORY/changelog.gz for details about the other bug fixes.
   * Bump Standards-Version to 3.9.4 (no changes necessary).
Checksums-Sha1: 
 54286d9aac66d4bf0efe9c8e33b03c9cf3588f49 3319 postgresql-9.1_9.1.9-1.dsc
 4cbbfc5be9b8e6fe3d67c5075c212bcb057eac20 15815421 postgresql-9.1_9.1.9.orig.tar.bz2
 33700436b2dcddf0418e98e7c7079ffff6e38cd2 37114 postgresql-9.1_9.1.9-1.debian.tar.gz
 783a762683145051c23924b7dfde9e5422608425 580800 libpq-dev_9.1.9-1_amd64.deb
 4bcb8a01012e521ad144f078aa543cd7b0de12ec 527132 libpq5_9.1.9-1_amd64.deb
 d6d2c071f33b383cd7791b459bbf47b7692b0029 483620 libecpg6_9.1.9-1_amd64.deb
 32f911d451628d6bcb984880659d2892648925de 614122 libecpg-dev_9.1.9-1_amd64.deb
 f49f06b42a189a4d27913eca8ddfbcd0584a19e2 422076 libecpg-compat3_9.1.9-1_amd64.deb
 46465cae1f749e5e634f915ba35bd4b8e604004d 442654 libpgtypes3_9.1.9-1_amd64.deb
 35c766245bfe32dc3984b423521759d2bd287709 3619888 postgresql-9.1_9.1.9-1_amd64.deb
 0e8946c801a3e80d8576fc6418f2d28190506d02 7137884 postgresql-9.1-dbg_9.1.9-1_amd64.deb
 af8fefc9a51f0ef543682d76fb159061d43e434c 1384696 postgresql-client-9.1_9.1.9-1_amd64.deb
 8db8563867f1975154af946a6c23aa6c7c0fd798 939864 postgresql-server-dev-9.1_9.1.9-1_amd64.deb
 aae813c0b5603cf90aa2101bbaf2d34933b469c9 2008722 postgresql-doc-9.1_9.1.9-1_all.deb
 39e3a3dd5227503cf58aad070822d08f22e63d77 752720 postgresql-contrib-9.1_9.1.9-1_amd64.deb
 a44784fcd2941f7c09c897b893858de8073f3ddc 461570 postgresql-plperl-9.1_9.1.9-1_amd64.deb
 b453c387b0aa63fcfed42c8f87fc439d4575174e 445772 postgresql-plpython-9.1_9.1.9-1_amd64.deb
 600c5930efd879c53d15721965fdcef8e8f898d7 445570 postgresql-plpython3-9.1_9.1.9-1_amd64.deb
 e09dd3374eeb72f1b7f7918e06ecfc9bf3c9bab7 435910 postgresql-pltcl-9.1_9.1.9-1_amd64.deb
Checksums-Sha256: 
 49664a2e061398e318ce44b5b9ae8da601e1abf99d4024256ced86106b99224a 3319 postgresql-9.1_9.1.9-1.dsc
 28a533e181009308722e8b3c51f1ea7224ab910c380ac1a86f07118667602dd8 15815421 postgresql-9.1_9.1.9.orig.tar.bz2
 9c294469b01adcff8c9610856f8a7205efb96e98921cd5fba30230322f91e238 37114 postgresql-9.1_9.1.9-1.debian.tar.gz
 e631870075e0ca0c76727f22fdcf10406dbcbd97e4c440fffc329b8aee8eb9dd 580800 libpq-dev_9.1.9-1_amd64.deb
 c45e9b49b99d1082414c9a939bd10f883372ae95bfa599c8576e26e9b00e72ff 527132 libpq5_9.1.9-1_amd64.deb
 6b9482da9c9b00bc36a290d886a9d7f8ef716490af5422c74903d46072bb6a42 483620 libecpg6_9.1.9-1_amd64.deb
 bef38aa7cc4b9df73d2fe5255f794bc6ce831e312c0796d88297f5dc0fb6c641 614122 libecpg-dev_9.1.9-1_amd64.deb
 a71ac2bcf729418c59bfd2d3ad501317d640fe22d940aa4745b1315a9f123261 422076 libecpg-compat3_9.1.9-1_amd64.deb
 43f8afea66ec810c955d5bf7b9b5d7ac659399e3965fd0cfe752403c91bd6f3a 442654 libpgtypes3_9.1.9-1_amd64.deb
 2b7c1739df16eec625739b2617cb778393a73c18bcf264c995b3e04c7447fa75 3619888 postgresql-9.1_9.1.9-1_amd64.deb
 a944b8c259555dd2a3507827d7525d3416fc78b35891d19987909b7c71f319f0 7137884 postgresql-9.1-dbg_9.1.9-1_amd64.deb
 ba0282edde59aec222ffac03cf57547f3da6e39c391432d66052c9f89c37bb62 1384696 postgresql-client-9.1_9.1.9-1_amd64.deb
 ba9926e459227e3b5728f49128049be88c733b45bf860779892d941f296bd7f9 939864 postgresql-server-dev-9.1_9.1.9-1_amd64.deb
 a9444af66120703b1f5aad80f0c061c3edc9e19c734138c9453d7fd1d965f3fe 2008722 postgresql-doc-9.1_9.1.9-1_all.deb
 911479988637533e03c681335bf22bfdf5384eb7024c89d7053bb85605e0643a 752720 postgresql-contrib-9.1_9.1.9-1_amd64.deb
 4bea6518ab6a0074d17d55701ad30075b92f6ebd69e2009c816985d699cc7211 461570 postgresql-plperl-9.1_9.1.9-1_amd64.deb
 1edc8f4f8fa82b614b38f21e048681cdf032f80d496ea7aa1db26d8526a8f5c7 445772 postgresql-plpython-9.1_9.1.9-1_amd64.deb
 33093b5c5888a3ebf26528cf5544423f76fe19b4aa9fde2d1641a9701d96e648 445570 postgresql-plpython3-9.1_9.1.9-1_amd64.deb
 74e2d2fc34ed17234bc7780d6a500facababe75f5581890f804ab72763edab2c 435910 postgresql-pltcl-9.1_9.1.9-1_amd64.deb
Files: 
 95da5776e121c6d67e308cb275a836b4 3319 database optional postgresql-9.1_9.1.9-1.dsc
 6b5ea53dde48fcd79acfc8c196b83535 15815421 database optional postgresql-9.1_9.1.9.orig.tar.bz2
 4e98d63cd37afa1cc2c17464d6c357a3 37114 database optional postgresql-9.1_9.1.9-1.debian.tar.gz
 72f67278056fc3648f8dc30831a8eca8 580800 libdevel optional libpq-dev_9.1.9-1_amd64.deb
 af596f37cb3c848508435a4c8082df37 527132 libs optional libpq5_9.1.9-1_amd64.deb
 e454dce7501715ca5c87fad70794e226 483620 libs optional libecpg6_9.1.9-1_amd64.deb
 3042726434cd8e68f0c8c72e9196b4b8 614122 libdevel optional libecpg-dev_9.1.9-1_amd64.deb
 d1539f7c99db8e3c57e6203e3ab6b796 422076 libs optional libecpg-compat3_9.1.9-1_amd64.deb
 cb20f62bc2e0bd9f50737377832d860e 442654 libs optional libpgtypes3_9.1.9-1_amd64.deb
 eaffb680c8905ecf0249cae84307f69c 3619888 database optional postgresql-9.1_9.1.9-1_amd64.deb
 a7303e1d2a6e2c5ba83985cb1815daf9 7137884 debug extra postgresql-9.1-dbg_9.1.9-1_amd64.deb
 2bb1563d9eaaf0c3d3456214c90740c0 1384696 database optional postgresql-client-9.1_9.1.9-1_amd64.deb
 e4f43883101178d186b71ac196429dac 939864 libdevel optional postgresql-server-dev-9.1_9.1.9-1_amd64.deb
 06f053cf1e6f788645df4e202e5207a8 2008722 doc optional postgresql-doc-9.1_9.1.9-1_all.deb
 17f6d662561f5f885705703aaf1ef55f 752720 database optional postgresql-contrib-9.1_9.1.9-1_amd64.deb
 27596d541fdb9c7bc61ad959b8901b39 461570 database optional postgresql-plperl-9.1_9.1.9-1_amd64.deb
 425c81b851dd20beb6d8c63ac01e2a26 445772 database optional postgresql-plpython-9.1_9.1.9-1_amd64.deb
 caa9964617beb009dc2142350dbd1c70 445570 database optional postgresql-plpython3-9.1_9.1.9-1_amd64.deb
 6b806f7e776e750a263eca22cd6d17f5 435910 database optional postgresql-pltcl-9.1_9.1.9-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJRWprWAAoJEPmIJawmtHufsEMQALzZTLnnc5hTDhnoRpynWKEd
jzntktCKLh4KWFUOBBtbHS68GxBZM9vtn281sU01IRAdVyJm1WGmsDj2pm3y98YT
kALLrTS1PtaTt9CDmwRNrvLUgaWSBpmPuaIqXXJ/1AB9H1jUEChJDIJ4hZuQug30
PiUycR2URxrWuqpHQYLBu1pulyMnCBUJQhVqX9rZbKswiV0RtGGu20Sfd7ba2pha
aIR0Z8O27QXLP8Ajz8dsqAMIIFMKW4S1HZF3FyStMyYIA08cisoFQzNdl6LGyIBB
2+9iZYvCEOvKmDqiQtXOic6gsvPGBKe6/0YQBA20oXnyDgRhC6/m7LZIzPR2QIAN
/iVIosKI8PY5cXETKY1wvqrDinsDh4+JUn8UW38ARNw1lYiUXuOkJAdAxvPFU8hM
CxVUS3pcyTD1kq4iCoj8XX1IrJcUX3n67U8rWKpLfyJff8gsbrth0WZ/pVH4oPrr
tzx2iBj5ib5BeBD6uE1bM62CsBHQk/py1LTrJrf4jB8jzYG6Fzavx9KlWqi3dpUU
AqhlBkfBalI0GHg0EoWSSUcAUH3dsFDjEISY3bCfbdH8K9gcUeH/9ag52TSY4iAd
okAVq5qqpLl1t0mHYS56BlRcR7wB7HDda56BFlHftwrHsSYpTmptcMGWqFl1lsvd
BEBzxl8hiy4el64WpzKq
=l65+
-----END PGP SIGNATURE-----

Reply sent to Martin Pitt <mpitt@debian.org>:
You have taken responsibility. (Thu, 04 Apr 2013 14:51:10 GMT) (full text, mbox, link).

Notification sent to Hleb Valoshka <375gnu@gmail.com>:
Bug acknowledged by developer. (Thu, 04 Apr 2013 14:51:10 GMT) (full text, mbox, link).

Message #28 received at 704479-close@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>
To: 704479-close@bugs.debian.org
Subject: Bug#704479: fixed in postgresql-9.1 9.1.9-0wheezy1
Date: Thu, 04 Apr 2013 14:49:46 +0000
Source: postgresql-9.1
Source-Version: 9.1.9-0wheezy1

We believe that the bug you reported is fixed in the latest version of
postgresql-9.1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 704479@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Pitt <mpitt@debian.org> (supplier of updated postgresql-9.1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 02 Apr 2013 10:26:14 +0200
Source: postgresql-9.1
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-9.1 postgresql-9.1-dbg postgresql-client-9.1 postgresql-server-dev-9.1 postgresql-doc-9.1 postgresql-contrib-9.1 postgresql-plperl-9.1 postgresql-plpython-9.1 postgresql-plpython3-9.1 postgresql-pltcl-9.1
Architecture: source amd64 all
Version: 9.1.9-0wheezy1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian PostgreSQL Maintainers <pkg-postgresql-public@lists.alioth.debian.org>
Changed-By: Martin Pitt <mpitt@debian.org>
Description: 
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6   - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 9.1
 libpq-dev  - header files for libpq5 (PostgreSQL library)
 libpq5     - PostgreSQL C client library
 postgresql-9.1 - object-relational SQL database, version 9.1 server
 postgresql-9.1-dbg - debug symbols for postgresql-9.1
 postgresql-client-9.1 - front-end programs for PostgreSQL 9.1
 postgresql-contrib-9.1 - additional facilities for PostgreSQL
 postgresql-doc-9.1 - documentation for the PostgreSQL database management system
 postgresql-plperl-9.1 - PL/Perl procedural language for PostgreSQL 9.1
 postgresql-plpython-9.1 - PL/Python procedural language for PostgreSQL 9.1
 postgresql-plpython3-9.1 - PL/Python 3 procedural language for PostgreSQL 9.1
 postgresql-pltcl-9.1 - PL/Tcl procedural language for PostgreSQL 9.1
 postgresql-server-dev-9.1 - development files for PostgreSQL 9.1 server-side programming
Closes: 704479
Changes: 
 postgresql-9.1 (9.1.9-0wheezy1) wheezy-security; urgency=high
 .
   * New upstream security/bug fix release:
     - Fix insecure parsing of server command-line switches.
       A connection request containing a database name that begins with
       "-" could be crafted to damage or destroy files within the server's
       data directory, even if the request is eventually rejected.
       [CVE-2013-1899] (Closes: #704479)
     - Reset OpenSSL randomness state in each postmaster child process.
       This avoids a scenario wherein random numbers generated by
       "contrib/pgcrypto" functions might be relatively easy for another
       database user to guess. The risk is only significant when the
       postmaster is configured with ssl = on but most connections don't
       use SSL encryption. [CVE-2013-1900]
     - Make REPLICATION privilege checks test current user not
       authenticated user.
       An unprivileged database user could exploit this mistake to call
       pg_start_backup() or pg_stop_backup(), thus possibly interfering
       with creation of routine backups. [CVE-2013-1901]
     - Fix GiST indexes to not use "fuzzy" geometric comparisons when it's
       not appropriate to do so.
       The core geometric types perform comparisons using "fuzzy"
       equality, but gist_box_same must do exact comparisons, else GiST
       indexes using it might become inconsistent. After installing this
       update, users should "REINDEX" any GiST indexes on box, polygon,
       circle, or point columns, since all of these use gist_box_same.
     - Fix erroneous range-union and penalty logic in GiST indexes that
       use "contrib/btree_gist" for variable-width data types, that is
       text, bytea, bit, and numeric columns.
       These errors could result in inconsistent indexes in which some
       keys that are present would not be found by searches, and also in
       useless index bloat. Users are advised to "REINDEX" such indexes
       after installing this update.
     - Fix bugs in GiST page splitting code for multi-column indexes.
       These errors could result in inconsistent indexes in which some
       keys that are present would not be found by searches, and also in
       indexes that are unnecessarily inefficient to search. Users are
       advised to "REINDEX" multi-column GiST indexes after installing
       this update.
     - See HISTORY/changelog.gz for details about the other bug fixes.
Checksums-Sha1: 
 329ea3bb4e9d5a2b69f9b4d499ab2f0fc4a87c48 3347 postgresql-9.1_9.1.9-0wheezy1.dsc
 4cbbfc5be9b8e6fe3d67c5075c212bcb057eac20 15815421 postgresql-9.1_9.1.9.orig.tar.bz2
 bdb7c6dbea7a87d4a50651dc76149f87d13cf949 36861 postgresql-9.1_9.1.9-0wheezy1.debian.tar.gz
 4812c143db916646860f0df45e1ccf7c9d1fda38 580860 libpq-dev_9.1.9-0wheezy1_amd64.deb
 ae483da3055866e42a4d8977e4d7ca4e7c7ded45 526794 libpq5_9.1.9-0wheezy1_amd64.deb
 bd285c47712287e0fa0acf8e13f3df0f1fe8d446 483512 libecpg6_9.1.9-0wheezy1_amd64.deb
 853c02567e4e0c93dc1ffb6d26032edfa8ff9584 614132 libecpg-dev_9.1.9-0wheezy1_amd64.deb
 05532bf9a259dd3ebf5d96bf2da7cd91bee9861d 422036 libecpg-compat3_9.1.9-0wheezy1_amd64.deb
 05fcff80b4e5b21361d100d4509e9a4cd325da7a 442628 libpgtypes3_9.1.9-0wheezy1_amd64.deb
 1f6a6a86fdeedf96ad2eb2378b35efc66f8f081f 3617308 postgresql-9.1_9.1.9-0wheezy1_amd64.deb
 6a5a2fb6b0cf7a2a5b26cb8860ccf3e9633d1399 7135756 postgresql-9.1-dbg_9.1.9-0wheezy1_amd64.deb
 7acf700364dfe8787e4d76b205b564fae0aef65c 1384800 postgresql-client-9.1_9.1.9-0wheezy1_amd64.deb
 f2cae2e6c3d3274a7c6f0b76dcb462dc947beb30 939854 postgresql-server-dev-9.1_9.1.9-0wheezy1_amd64.deb
 e1d9102b3b4e03728d251cf11f9f5ae399e2ab1c 2008802 postgresql-doc-9.1_9.1.9-0wheezy1_all.deb
 4c7ea1a80e17ac250418c99f6432febd81df6b6c 752788 postgresql-contrib-9.1_9.1.9-0wheezy1_amd64.deb
 769ad1571dfff5886547719a97f9f92a8992a1aa 461456 postgresql-plperl-9.1_9.1.9-0wheezy1_amd64.deb
 c9d6e14d2515b2beb42882e595a51c28cfd811ac 445808 postgresql-plpython-9.1_9.1.9-0wheezy1_amd64.deb
 6108bffa90c759b4e8321a5e817667533b6e13c9 445560 postgresql-plpython3-9.1_9.1.9-0wheezy1_amd64.deb
 7eed69d09d358d5bde444417c7223b57952a44ac 435904 postgresql-pltcl-9.1_9.1.9-0wheezy1_amd64.deb
Checksums-Sha256: 
 d9f69d12c3ee925951a129ce0649d7cf4e52914e3ebb4dc8f6c5e6e8b7976846 3347 postgresql-9.1_9.1.9-0wheezy1.dsc
 28a533e181009308722e8b3c51f1ea7224ab910c380ac1a86f07118667602dd8 15815421 postgresql-9.1_9.1.9.orig.tar.bz2
 6fb03f00559a50d7578ddf2016e101e6de5158b38eca61c8fc3925c0da0082c4 36861 postgresql-9.1_9.1.9-0wheezy1.debian.tar.gz
 7d142d30786556ca04da03c1afa9cc306aac39e4759fb75f88713044afa45a74 580860 libpq-dev_9.1.9-0wheezy1_amd64.deb
 5b09cab443f293778be3c4ef205a7eb0a64c9a83d9d7329e361b5db9ed5e6ae4 526794 libpq5_9.1.9-0wheezy1_amd64.deb
 db0d0280917534e2b5adf570cdc6dc11ea22478cf94199e3c7fb7c2de72e0af2 483512 libecpg6_9.1.9-0wheezy1_amd64.deb
 b175f6df08f6539be942a9afced5257d2488ef7e9401d5dee48ca9d75aec8289 614132 libecpg-dev_9.1.9-0wheezy1_amd64.deb
 fc38d978093f2c49ad929d8dfc035f113da8c1186f2e797679836c5ebef7a1b5 422036 libecpg-compat3_9.1.9-0wheezy1_amd64.deb
 a7b9ab737b84c9642ccfae1e68f1d96a28231cd1f6b1adde0abc7f5dd3dffbe4 442628 libpgtypes3_9.1.9-0wheezy1_amd64.deb
 f557ef393ea24be235fc5b7590010d10c148e582a6cb030cdf575e6d7bf03c4f 3617308 postgresql-9.1_9.1.9-0wheezy1_amd64.deb
 78a19c14bff2b1ee23053e72d76b9313101f831caf2bbbdd992c23c6e4498092 7135756 postgresql-9.1-dbg_9.1.9-0wheezy1_amd64.deb
 70a8bd32f2db02e31caa87ff990cb7d5365d79d7ab375facfc8214674f99a729 1384800 postgresql-client-9.1_9.1.9-0wheezy1_amd64.deb
 491e32e8ec53298fedb8874cb67a086abab2dd9bf27715f605549264f4537dcb 939854 postgresql-server-dev-9.1_9.1.9-0wheezy1_amd64.deb
 bf7a86c59ed37b36ea66a10db4d91ed46371f8b9565f49bd9523637c92ad6615 2008802 postgresql-doc-9.1_9.1.9-0wheezy1_all.deb
 c734b4ecc015fdd85a03e33b55324cc149ffb01b5746a3127850e463cce2b099 752788 postgresql-contrib-9.1_9.1.9-0wheezy1_amd64.deb
 e49bff37fe236da322f42c3d9523f2110529b6f456e8809739a68a249c5d9ef1 461456 postgresql-plperl-9.1_9.1.9-0wheezy1_amd64.deb
 20ea03a1bd586b7c602bc7f90933e02807ca44da3194c77ce754f8ed6fe3b022 445808 postgresql-plpython-9.1_9.1.9-0wheezy1_amd64.deb
 5d18597a35c93ce8927456f62d55a67c63565c9430e0f1613d6e5e2bb4c4a1bb 445560 postgresql-plpython3-9.1_9.1.9-0wheezy1_amd64.deb
 a60cb3404ecfaf0e369b99454c88e6cd0876be0169dbf120a03151e07e7ddfc0 435904 postgresql-pltcl-9.1_9.1.9-0wheezy1_amd64.deb
Files: 
 747982e9e538226e0bb99a4e9b4b1d63 3347 database optional postgresql-9.1_9.1.9-0wheezy1.dsc
 6b5ea53dde48fcd79acfc8c196b83535 15815421 database optional postgresql-9.1_9.1.9.orig.tar.bz2
 7a8c542465d4bf44fb88caf60c51a597 36861 database optional postgresql-9.1_9.1.9-0wheezy1.debian.tar.gz
 1c14a92b2a3545b0259f5c13d85b612e 580860 libdevel optional libpq-dev_9.1.9-0wheezy1_amd64.deb
 e3f4cd9c34b6b74b87da568fac778f5a 526794 libs optional libpq5_9.1.9-0wheezy1_amd64.deb
 b2917f52cf3919756d7cc5e5ca9d3ff2 483512 libs optional libecpg6_9.1.9-0wheezy1_amd64.deb
 20961674adaf4f6d00a6ae37f50c5094 614132 libdevel optional libecpg-dev_9.1.9-0wheezy1_amd64.deb
 27ca9e165e50cc45e8f071e0d99a99cc 422036 libs optional libecpg-compat3_9.1.9-0wheezy1_amd64.deb
 37faecc2e6306033ba002f354de6a371 442628 libs optional libpgtypes3_9.1.9-0wheezy1_amd64.deb
 0aca67c21750f49ace4eefb48162af1e 3617308 database optional postgresql-9.1_9.1.9-0wheezy1_amd64.deb
 6208d209eb409ad1eb5b1561f44dafdc 7135756 debug extra postgresql-9.1-dbg_9.1.9-0wheezy1_amd64.deb
 41e70ceb6addf66eae31d404979b3e54 1384800 database optional postgresql-client-9.1_9.1.9-0wheezy1_amd64.deb
 0abef58d61a63329288ee1b55a888b47 939854 libdevel optional postgresql-server-dev-9.1_9.1.9-0wheezy1_amd64.deb
 ab90e76c26df4d86f86a2856fad6208c 2008802 doc optional postgresql-doc-9.1_9.1.9-0wheezy1_all.deb
 3b2f13e8ded5eb9115be68fcce7c1441 752788 database optional postgresql-contrib-9.1_9.1.9-0wheezy1_amd64.deb
 10cd594c3d8a264dbf7649a762565c18 461456 database optional postgresql-plperl-9.1_9.1.9-0wheezy1_amd64.deb
 126d44524b72956142848a2d5f172c90 445808 database optional postgresql-plpython-9.1_9.1.9-0wheezy1_amd64.deb
 4b1dd12a5a3d5ad119f7948237c219d0 445560 database optional postgresql-plpython3-9.1_9.1.9-0wheezy1_amd64.deb
 b164acd5e76ae59c7f983e57b33598f9 435904 database optional postgresql-pltcl-9.1_9.1.9-0wheezy1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJRWwXfAAoJEPmIJawmtHufIdoP/3bAr36gEPKMQxFGzARU0M25
ZSZdTm7uf2u8Ur/FmwlEYZQRMMbvimljdxOFUIQSX+h+VIs2GHaPoY0nqRiUKj+c
Ph80QaUi7rk5mtEaN6xwFhGZfZmdZICzsKe3v2Ld1itPitteIDqTKYpfcyVu9kPv
hlBia47MFsmpAtixm0BpAzI3bLbKOP2Dqfxy0DcW3g6MvgG97t4hcY9scW0RaMOi
T0Oc7JLvX7W98/pwaG6mu+aaHMI9XGMRUFi5mh+iV9EJ4tn+ae0PFD3u9V0jiDoG
M0plQ8mfzF8tmW7wPhyo6Aqdhs5cc6SBTsz7RjxYASGIf7s1sXQ9EsdPCP5JJwsi
/+Qh5pOWT7LziQbWFmAmA0H9DXdLfuFuhFYVbFEjYlqREjLXkXJmN+PBg6TFRnBB
cbqvZQ65vPTMisCsU8ppaOe3Cza0VdDBcCEsXLwxxJ1pmTvsVuCSEbOOss9GRYkI
cc8KiQ5u4dIKAlocZb3fYJN4ax097PO+WhkF3LjxAW+axi50H5Nn2RpNh+1Px4wR
65VI/wisSsCvuLtXDcJZovWfG0froHnYYxS0Si4rVqnvLlDg7/JKiHLuxAxAAGjT
6FXVq0Vg6Efj8cvlCHs/UcwNKoNuvn9l7u3YWX27i0V7Hzv3qLdsRxqDi5984fE/
X7JTShyrZQ+uss3paFv4
=bsRR
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Aug 2013 07:30:33 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:27:24 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started