Package "libpq-dev"

  postgresql-10 (10.23-0ubuntu0.18.04.2) bionic-security; urgency=medium

  * SECURITY UPDATE: CREATE SCHEMA ... schema_element defeats protective
    search_path changes
    - debian/patches/CVE-2023-2454-1.patch: replace last
      PushOverrideSearchPath() call with set_config_option() in
      src/backend/catalog/namespace.c, src/backend/commands/schemacmds.c,
      src/test/regress/expected/namespace.out,
      src/test/regress/sql/namespace.sql.
    - debian/patches/CVE-2023-2454-2.patch: adjust sepgsql expected output
      for 681d9e462 et al in contrib/sepgsql/expected/ddl.out.
    - CVE-2023-2454
  * SECURITY UPDATE: Row security policies disregard user ID changes after
    inlining
    - debian/patches/CVE-2023-2455.patch: handle RLS dependencies in
      inlined set-returning functions properly in
      src/backend/optimizer/util/clauses.c,
      src/test/regress/expected/rowsecurity.out,
      src/test/regress/sql/rowsecurity.sql.
    - CVE-2023-2455

 -- Marc Deslauriers <email address hidden> Tue, 23 May 2023 11:07:52 -0400

  postgresql-10 (10.22-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * New upstream version (LP: #1984012).

    + A dump/restore is not required for those running 10.X.

    + Also, if you are upgrading from a version earlier than 10.19, see
      those release notes as well please.

    + Do not let extension scripts replace objects not already belonging
      to the extension (Tom Lane).
      (CVE-2022-2625)

    + Fix permissions checks in CREATE INDEX (Nathan Bossart,
      Noah Misch).

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/10/release-10-22.html

 -- Athos Ribeiro <email address hidden> Thu, 11 Aug 2022 16:54:48 -0300

  postgresql-10 (10.21-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * New upstream version (LP: #1973627).

    + A dump/restore is not required for those running 10.X.

    + However, if you are upgrading from a version earlier than 10.19, see
      those release notes as well please.

    + Confine additional operations within "security restricted operation"
      sandboxes (Sergey Shinderuk, Noah Misch).

      Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW,
      and pg_amcheck activated the "security restricted operation" protection
      mechanism too late, or even not at all in some code paths. A user having
      permission to create non-temporary objects within a database could
      define an object that would execute arbitrary SQL code with superuser
      permissions the next time that autovacuum processed the object, or that
      some superuser ran one of the affected commands against it.

      The PostgreSQL Project thanks Alexander Lakhin for reporting this
      problem.
      (CVE-2022-1552)

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/10/release-10-21.html

 -- Sergio Durigan Junior <email address hidden> Tue, 17 May 2022 21:58:23 -0400

  postgresql-10 (10.19-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * New upstream version (LP: #1950268).

    + Make the server reject extraneous data after an SSL or GSS
      encryption handshake
      CVE-2021-23214

    + Make libpq reject extraneous data after an SSL or GSS
      encryption handshake
      CVE-2021-23222

    + A dump/restore is not required for those running 10.X.

    + However, note that installations using physical replication should
      update standby servers before the primary server, details in the
      release notes linked below.

    + Also, several bugs have been found that may have resulted in corrupted
      indexes, explained in detail in the release notes linked below. If any
      of those cases apply to you, it's recommended to reindex
      possibly-affected indexes after updating.

    + Also, if you are upgrading from a version earlier than 10.16,
      see those release notes as well please.

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/10/release-10-19.html

 -- Christian Ehrhardt <email address hidden> Tue, 09 Nov 2021 09:39:50 +0100

  postgresql-10 (10.18-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * New upstream version (LP: #1939396).

    + Disallow SSL renegotiation more completely (Michael Paquier)

      SSL renegotiation has been disabled for some time, but the server
      would still cooperate with a client-initiated renegotiation request.
      A maliciously crafted renegotiation request could result in a server
      crash (see OpenSSL issue CVE-2021-3449). Disable the feature
      altogether on OpenSSL versions that permit doing so, which are
      1.1.0h and newer.
      (CVE-2021-3449)

    + Details about these and many further changes can be found at:
      https://www.postgresql.org/docs/10/release-10-18.html

    + d/p/reproducible-bki: refreshed for 10.18

 -- Christian Ehrhardt <email address hidden> Tue, 10 Aug 2021 14:18:35 +0200