
group.of.nepali.translators team mailing list archive

[Bug 1752271] Re: New upstream microreleases 9.3.22, 9.5.12, 9.6.8 and 10.3


This bug was fixed in the package postgresql-9.5 - 9.5.12-0ubuntu0.16.04

---------------
postgresql-9.5 (9.5.12-0ubuntu0.16.04) xenial-security; urgency=medium

  * New upstream release (LP: #1752271)
    If you run an installation in which not all users are mutually
    trusting, or if you maintain an application or extension that is
    intended for use in arbitrary situations, it is strongly recommended
    that you read the documentation changes described in the first changelog
    entry below, and take suitable steps to ensure that your installation or
    code is secure.

    Also, the changes described in the second changelog entry below may
    cause functions used in index expressions or materialized views to fail
    during auto-analyze, or when reloading from a dump.  After upgrading,
    monitor the server logs for such problems, and fix affected functions.

    - Document how to configure installations and applications to guard
      against search-path-dependent trojan-horse attacks from other users

      Using a search_path setting that includes any schemas writable by a
      hostile user enables that user to capture control of queries and then
      run arbitrary SQL code with the permissions of the attacked user. While
      it is possible to write queries that are proof against such hijacking,
      it is notationally tedious, and it's very easy to overlook holes.
      Therefore, we now recommend configurations in which no untrusted schemas
      appear in one's search path.
      (CVE-2018-1058)

    - Avoid use of insecure search_path settings in pg_dump and other client
      programs

      pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications
      were themselves vulnerable to the type of hijacking described in the
      previous changelog entry; since these applications are commonly run by
      superusers, they present particularly attractive targets.  To make them
      secure whether or not the installation as a whole has been secured,
      modify them to include only the pg_catalog schema in their search_path
      settings. Autovacuum worker processes now do the same, as well.

      In cases where user-provided functions are indirectly executed by these
      programs -- for example, user-provided functions in index expressions --
      the tighter search_path may result in errors, which will need to be
      corrected by adjusting those user-provided functions to not assume
      anything about what search path they are invoked under.  That has always
      been good practice, but now it will be necessary for correct behavior.
      (CVE-2018-1058)

    - Details about other changes can be found at
      https://www.postgresql.org/docs/9.5/static/release-9-5-12.html

 -- Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>  Wed, 28 Feb 2018 09:59:08 +0100

** Changed in: postgresql-9.5 (Ubuntu Xenial)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1752271

Title:
  New upstream microreleases 9.3.22, 9.5.12, 9.6.8 and 10.3

Status in postgresql-10 package in Ubuntu:
  Triaged
Status in postgresql-9.3 package in Ubuntu:
  Invalid
Status in postgresql-9.5 package in Ubuntu:
  Invalid
Status in postgresql-9.6 package in Ubuntu:
  Invalid
Status in postgresql-9.3 source package in Trusty:
  Fix Released
Status in postgresql-9.5 source package in Xenial:
  Fix Released
Status in postgresql-9.6 source package in Artful:
  Fix Released
Status in postgresql-10 source package in Bionic:
  Triaged

Bug description:
  Postgresql stable update

  Note: this is an unusual schedule, but this is about a fix for a (not
  yet published) security fix. But the disclosure didn't align with the
  common releases.

  Note: this time in the initial release there were build errors (on
  windows), so this is already based on the rerolled upstream tarballs

  Current versions in supported releases:
   postgresql-9.3 | 9.3.21-0ubuntu0.14.04 trusty
   postgresql-9.5 | 9.5.11-0ubuntu0.16.04 xenial
   postgresql-9.6 | 9.6.7-0ubuntu0.17.10  artful
   postgresql-10  | 10.2-1                bionic

  Special cases:
  - Bionic will be synced from Debian which usually releases fast.
    So no Bionic upload.
  - This is again a security update, so while we want to bundle postgres-common
    fixes for some dep8 tests, this is not the "normal" SRU we will do so

  Last related stable updates: 9.3.22, 9.5.12, 9.6.8, 10.3

  So the todo is to pick:
  MRE: Trusty 9.3.22 from https://borka.postgresql.org/staging/70f3461f2a455731e6f3d11e313840be0b48cf00/postgresql-9.3.22.tar.gz
  MRE: Xenial 9.5.12 from https://borka.postgresql.org/staging/70f3461f2a455731e6f3d11e313840be0b48cf00/postgresql-9.5.12.tar.gz
  Sync: Artful 9.6.8 from https://borka.postgresql.org/staging/70f3461f2a455731e6f3d11e313840be0b48cf00/postgresql-9.6.8.tar.gz

  Standing MRE - Consider last updates as template:
  - pad.lv/1637236
  - pad.lv/1664478
  - pad.lv/1690730
  - pad.lv/1713979
  - pad.lv/1730661
  - pad.lv/1747676

  As usual we test and prep from the PPA and then add the NEWS/Upgrade
  Info link once available for the final upload (Announcement is Thursday
  1st of March).

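The hardening that the two CVE-2018-1058 changelog entries above describe (no untrusted, writable schema in search_path; functions that are executed indirectly must not assume a search path; privileged tools restricted to pg_catalog) as an added SQL example. This is not part of the notification, the Ubuntu package or the PostgreSQL project; the schema, role, table and function names (app, app_owner, untrusted_user, users, normalize_email) are assumptions made for illustration.

```sql
-- Added example, not from the Launchpad notification or the upstream changelog.
-- Roles and schema names below are constructed for illustration.
CREATE ROLE app_owner;
CREATE ROLE untrusted_user LOGIN;

-- 1. The public schema is created with CREATE granted to PUBLIC, so it is
--    writable by every user and must not be trusted in anyone's search_path.
--    Revoking CREATE removes the writable schema from the default path.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. Keep application objects in a schema that only its owner can write to;
--    other roles get USAGE (lookup/execute) but no CREATE.
CREATE SCHEMA app AUTHORIZATION app_owner;
GRANT USAGE ON SCHEMA app TO untrusted_user;

-- 3. A function that may run indirectly (index expression, materialized view,
--    auto-analyze, pg_dump) must not depend on the caller's search_path:
--    pin search_path on the function and schema-qualify every reference.
--    pg_temp is listed last so a temporary schema is never searched first.
CREATE FUNCTION app.normalize_email(text) RETURNS text
    LANGUAGE sql IMMUTABLE STRICT
    SET search_path = pg_catalog, pg_temp
AS $$
    SELECT pg_catalog.lower(pg_catalog.btrim($1));
$$;

CREATE TABLE app.users (
    id    integer PRIMARY KEY,
    email text NOT NULL
);

-- The expression index is evaluated under whatever search_path the caller
-- has (autovacuum workers now use pg_catalog only); the pinned search_path
-- on the function makes that irrelevant, so it keeps working after the update.
CREATE INDEX users_email_norm_idx ON app.users (app.normalize_email(email));

-- 4. Sessions run by privileged roles can mirror what pg_dump and vacuumdb
--    now do: search only pg_catalog and qualify everything else explicitly.
SET search_path = pg_catalog;
SELECT app.normalize_email(u.email) FROM app.users AS u;

-- 5. Audit check: list functions in the application schema that still have
--    no pinned search_path (proconfig is NULL or lacks a search_path entry).
SELECT n.nspname, p.proname
FROM pg_catalog.pg_proc AS p
JOIN pg_catalog.pg_namespace AS n ON n.oid = p.pronamespace
WHERE n.nspname = 'app'
  AND NOT EXISTS (
      SELECT 1
      FROM pg_catalog.unnest(p.proconfig) AS cfg
      WHERE cfg LIKE 'search_path=%');
```

Run the script as a superuser or the database owner with psql. After the update, any function reported by the audit query in step 5 is a candidate for the errors the second changelog entry warns about, since it will now be called by autovacuum and by pg_dump under a search_path containing only pg_catalog.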