New Debian postgresql-9.6 9.6.17-0+deb9u1 fixes: This update addresses the following issue: * 9.6.16-0+deb9u1 (Mon, 18 Nov 2019 11:25:55 +0100) * New upstream version. * 9.6.16-0+deb9u1 (Mon, 18 Nov 2019 11:25:55 +0100) * New upstream version. * 9.6.16-0+deb9u1 (Mon, 18 Nov 2019 11:25:55 +0100) * New upstream version. * 9.6.16-0+deb9u1 (Mon, 18 Nov 2019 11:25:55 +0100) * New upstream version. * 9.6.16-0+deb9u1 (Mon, 18 Nov 2019 11:25:55 +0100) * New upstream version. * postgresql-9.6 (CVE-2020-1720)
--- mirror/ftp/4.3/unmaintained/4.3-5/source/postgresql-9.6_9.6.15-0+deb9u1.dsc +++ apt/ucs_4.3-0-errata4.3-5/source/postgresql-9.6_9.6.17-0+deb9u1.dsc @@ -1,3 +1,18 @@ +9.6.17-0+deb9u1 [Tue, 11 Feb 2020 14:31:19 +0100] Christoph Berg <myon@debian.org>: + + * New upstream version. + + Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION. + + Marking an object as dependent on an extension did not have any + privilege check whatsoever. This oversight allowed any user to mark + routines, triggers, materialized views, or indexes as droppable by + anyone able to drop an extension. Require that the calling user own the + specified object (and hence have privilege to drop it). (CVE-2020-1720) + +9.6.16-0+deb9u1 [Mon, 18 Nov 2019 11:25:55 +0100] Christoph Berg <myon@debian.org>: + + * New upstream version. + 9.6.15-0+deb9u1 [Thu, 08 Aug 2019 15:55:21 +0200] Christoph Berg <myon@debian.org>: * New upstream security release. <http://10.200.17.11/4.3-5/#5206621135469462871>
OK: yaml OK: announce_errata OK: patch OK: piuparts [4.3-5] bb2893215e Bug #50914: postgresql-9.6 9.6.17-0+deb9u1 doc/errata/staging/postgresql-9.6.yaml | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) [4.3-5] a6b8d8e9db Bug #50914: postgresql-9.6 9.6.17-0+deb9u1 doc/errata/staging/postgresql-9.6.yaml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+)
<http://errata.software-univention.de/ucs/4.3/650.html>