1 files changed, 210 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..a138d1e
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,210 @@
+postgresql-15 (15.5-0+deb12u1) bookworm-security; urgency=medium
+
+  * New upstream version.
+
+    * Fix handling of unknown-type arguments in DISTINCT "any" aggregate
+      functions (Tom Lane)
+
+      This error led to a text-type value being interpreted as an unknown-type
+      value (that is, a zero-terminated string) at runtime.  This could result
+      in disclosure of server memory following the text value.
+
+      The PostgreSQL Project thanks Jingzhou Fu for reporting this problem.
+      (CVE-2023-5868)
+
+    * Detect integer overflow while computing new array dimensions
+      (Tom Lane)
+
+      When assigning new elements to array subscripts that are outside the
+      current array bounds, an undetected integer overflow could occur in edge
+      cases.  Memory stomps that are potentially exploitable for arbitrary
+      code execution are possible, and so is disclosure of server memory.
+
+      The PostgreSQL Project thanks Pedro Gallegos for reporting this problem.
+      (CVE-2023-5869)
+
+    * Prevent the pg_signal_backend role from signalling background workers
+      and autovacuum processes (Noah Misch, Jelte Fennema-Nio)
+
+      The documentation says that pg_signal_backend
+      cannot issue signals to superuser-owned processes.  It was able to
+      signal these background processes, though, because they advertise a
+      role OID of zero.  Treat that as indicating superuser ownership.
+      The security implications of cancelling one of these process types
+      are fairly small so far as the core code goes (we'll just start
+      another one), but extensions might add background workers that are
+      more vulnerable.
+
+      Also ensure that the is_superuser parameter is set correctly in such
+      processes.  No specific security consequences are known for that
+      oversight, but it might be significant for some extensions.
+
+      The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar
+      Srinivasarao for reporting this problem. (CVE-2023-5870)
+
+    * Fix misbehavior during recursive page split in GiST index build
+      (Heikki Linnakangas)
+
+      Fix a case where the location of a page downlink was incorrectly
+      tracked, and introduce some logic to allow recovering from such
+      situations rather than silently doing the wrong thing.  This error could
+      result in incorrect answers from subsequent index searches. It may be
+      advisable to reindex all GiST indexes after installing this update.
+
+    * Prevent de-duplication of btree index entries for interval columns
+
+      There are interval values that are distinguishable but compare equal,
+      for example 24:00:00 and 1 day.  This breaks assumptions made by btree
+      de-duplication, so interval columns need to be excluded from
+      de-duplication.  This oversight can cause incorrect results from
+      index-only scans.  Moreover, after updating amcheck will report an error
+      for almost all such indexes.  Users should reindex any btree indexes on
+      interval columns.
+
+  * Rebase debian/patches/libpgport-pkglibdir.
+
+ -- Christoph Berg <myon@debian.org>  Tue, 07 Nov 2023 14:36:06 +0100
+
+postgresql-15 (15.4-0+deb12u1) bookworm; urgency=medium
+
+  * New upstream version.
+
+    + Disallow substituting a schema or owner name into an extension script if
+      the name contains a quote, backslash, or dollar sign (Noah Misch)
+      This restriction guards against SQL-injection hazards for trusted
+      extensions.
+      The PostgreSQL Project thanks Micah Gate, Valerie Woolard, Tim
+      Carey-Smith, and Christoph Berg for reporting this problem.
+      (CVE-2023-39417)
+
+    + Fix MERGE to enforce row security policies properly (Dean Rasheed)
+      When MERGE performs an UPDATE action, it should enforce any UPDATE or
+      SELECT RLS policies defined on the target table, to be consistent with
+      the way that a plain UPDATE with a WHERE clause works.  Instead it was
+      enforcing INSERT RLS policies for both INSERT and UPDATE actions.
+      In addition, when MERGE performs a DO NOTHING action, it applied the
+      target table's DELETE RLS policies to existing rows, even though those
+      rows are not being deleted.  While it's not a security problem, this
+      could result in unwanted errors.
+      The PostgreSQL Project thanks Dean Rasheed for reporting this problem.
+      (CVE-2023-39418)
+
+ -- Christoph Berg <myon@debian.org>  Sun, 01 Oct 2023 21:50:06 +0200
+
+postgresql-15 (15.3-0+deb12u1) unstable; urgency=medium
+
+  * New upstream version.
+
+    + Prevent CREATE SCHEMA from defeating changes in search_path
+      (Report and fix by Alexander Lakhin, CVE-2023-2454)
+
+      Within a CREATE SCHEMA command, objects in the prevailing search_path,
+      as well as those in the newly-created schema, would be visible even
+      within a called function or script that attempted to set a secure
+      search_path.  This could allow any user having permission to create a
+      schema to hijack the privileges of a security definer function or
+      extension script.
+
+    + Enforce row-level security policies correctly after inlining a
+      set-returning function (Report by Wolfgang Walther, CVE-2023-2455)
+
+      If a set-returning SQL-language function refers to a table having
+      row-level security policies, and it can be inlined into a calling query,
+      those RLS policies would not get enforced properly in some cases
+      involving re-using a cached plan under a different role. This could
+      allow a user to see or modify rows that should have been invisible.
+
+ -- Christoph Berg <myon@debian.org>  Tue, 09 May 2023 19:05:02 +0200
+
+postgresql-15 (15.2-2) unstable; urgency=medium
+
+  * Add Romanian debconf translation, mulțumesc Remus-Gabriel Chelu!
+  * Fix update-alternatives when doc package is installed stand-alone.
+
+ -- Christoph Berg <myon@debian.org>  Mon, 27 Feb 2023 10:30:23 +0100
+
+postgresql-15 (15.2-1) unstable; urgency=medium
+
+  * New upstream version.
+
+    + libpq can leak memory contents after GSSAPI transport encryption
+      initiation fails (Jacob Champion)
+
+      A modified server, or an unauthenticated man-in-the-middle, can send a
+      not-zero-terminated error message during setup of GSSAPI (Kerberos)
+      transport encryption.  libpq will then copy that string, as well as
+      following bytes in application memory up to the next zero byte, to its
+      error report. Depending on what the calling application does with the
+      error report, this could result in disclosure of application memory
+      contents.  There is also a small probability of a crash due to reading
+      beyond the end of memory.  Fix by properly zero-terminating the server
+      message. (CVE-2022-41862)
+
+ -- Christoph Berg <myon@debian.org>  Tue, 07 Feb 2023 14:57:10 +0100
+
+postgresql-15 (15.1-1) unstable; urgency=medium
+
+  * New upstream version.
+
+ -- Christoph Berg <myon@debian.org>  Tue, 08 Nov 2022 10:59:12 +0100
+
+postgresql-15 (15.0-2) unstable; urgency=medium
+
+  * Add Breaks on dbconfig-common (<< 2.0.22~) which doesn't support the
+    stricter permissions on the default public schema yet.
+  * Cherry-pick 4a6de748d3 from upstream to help fix #1021859.
+  * Mark -doc package as <!nodoc>.
+
+ -- Christoph Berg <myon@debian.org>  Mon, 24 Oct 2022 11:30:00 +0200
+
+postgresql-15 (15.0-1) unstable; urgency=medium
+
+  * New upstream version.
+
+ -- Christoph Berg <myon@debian.org>  Fri, 14 Oct 2022 10:36:49 +0200
+
+postgresql-15 (15~rc2-1) unstable; urgency=medium
+
+  [ Christoph Berg ]
+  * New upstream RC version.
+
+  [ Petter Jacobsen ]
+  * Add . to extension_destdir description.
+
+ -- Christoph Berg <myon@debian.org>  Thu, 06 Oct 2022 14:06:05 +0200
+
+postgresql-15 (15~rc1-1) experimental; urgency=medium
+
+  * New upstream RC version.
+
+ -- Christoph Berg <myon@debian.org>  Tue, 27 Sep 2022 11:31:54 +0200
+
+postgresql-15 (15~beta4-1) experimental; urgency=medium
+
+  * New upstream beta version.
+  * Add Italian debconf translation by Ceppo, thanks! (Closes: #1019162)
+
+ -- Christoph Berg <myon@debian.org>  Tue, 06 Sep 2022 11:44:55 +0200
+
+postgresql-15 (15~beta3-1) experimental; urgency=medium
+
+  * New upstream beta version.
+  * debian/copyright: Update src/backend/regex section.
+  * Update lintian overrides.
+
+ -- Christoph Berg <myon@debian.org>  Wed, 10 Aug 2022 14:33:48 +0200
+
+postgresql-15 (15~beta2-1) experimental; urgency=medium
+
+  * New upstream beta version.
+  * Depend on postgresql-common >= 241.
+  * Disable LLVM JIT on s390x for now. (See #1002029)
+
+ -- Christoph Berg <myon@debian.org>  Tue, 28 Jun 2022 18:20:44 +0200
+
+postgresql-15 (15~beta1-1) experimental; urgency=medium
+
+  * New major upstream version 15; packaging based on postgresql-14.
+  * configure.ac: Remove check for autoconf 2.69.
+
+ -- Christoph Berg <myon@debian.org>  Wed, 18 May 2022 16:26:02 +0200