summaryrefslogtreecommitdiffstats
path: root/debian/changelog
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/changelog167
1 files changed, 167 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..dacf149
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,167 @@
+postgresql-15 (15.4-3) unstable; urgency=medium
+
+ * Stop building lib packages, postgresql-16 is in unstable.
+ * Use LLVM 15 for JIT support, 16 is not supported yet. (Closes: #1051881)
+
+ -- Christoph Berg <myon@debian.org> Thu, 14 Sep 2023 09:28:43 +0200
+
+postgresql-15 (15.4-2) unstable; urgency=medium
+
+ * Disable jit on loong64; PG does not support LLVM 16 yet while LLVM
+ versions before 16 do not support loong64. (Closes: #1051385)
+ * Introduce build profile pkg.postgresql.nolibpkgs.
+
+ -- Christoph Berg <myon@debian.org> Thu, 07 Sep 2023 11:45:32 +0200
+
+postgresql-15 (15.4-1) unstable; urgency=medium
+
+ * New upstream version.
+
+ + Disallow substituting a schema or owner name into an extension script if
+ the name contains a quote, backslash, or dollar sign (Noah Misch)
+
+ This restriction guards against SQL-injection hazards for trusted
+ extensions.
+
+ The PostgreSQL Project thanks Micah Gate, Valerie Woolard, Tim
+ Carey-Smith, and Christoph Berg for reporting this problem.
+ (CVE-2023-39417)
+
+ + Fix MERGE to enforce row security policies properly (Dean Rasheed)
+
+ When MERGE performs an UPDATE action, it should enforce any UPDATE or
+ SELECT RLS policies defined on the target table, to be consistent with
+ the way that a plain UPDATE with a WHERE clause works. Instead it was
+ enforcing INSERT RLS policies for both INSERT and UPDATE actions.
+
+ In addition, when MERGE performs a DO NOTHING action, it applied the
+ target table's DELETE RLS policies to existing rows, even though those
+ rows are not being deleted. While it's not a security problem, this
+ could result in unwanted errors.
+
+ The PostgreSQL Project thanks Dean Rasheed for reporting this problem.
+ (CVE-2023-39418)
+
+ * Test-Depend on tzdata-legacy | tzdata (<< 2023c-8).
+
+ -- Christoph Berg <myon@debian.org> Tue, 08 Aug 2023 10:10:20 +0200
+
+postgresql-15 (15.3-1) experimental; urgency=medium
+
+ * New upstream version.
+
+ + Prevent CREATE SCHEMA from defeating changes in search_path
+ (Report and fix by Alexander Lakhin, CVE-2023-2454)
+
+ Within a CREATE SCHEMA command, objects in the prevailing search_path,
+ as well as those in the newly-created schema, would be visible even
+ within a called function or script that attempted to set a secure
+ search_path. This could allow any user having permission to create a
+ schema to hijack the privileges of a security definer function or
+ extension script.
+
+ + Enforce row-level security policies correctly after inlining a
+ set-returning function (Report by Wolfgang Walther, CVE-2023-2455)
+
+ If a set-returning SQL-language function refers to a table having
+ row-level security policies, and it can be inlined into a calling query,
+ those RLS policies would not get enforced properly in some cases
+ involving re-using a cached plan under a different role. This could
+ allow a user to see or modify rows that should have been invisible.
+
+ * Reenable JIT on s390x using workaround patch from SUSE.
+
+ -- Christoph Berg <myon@debian.org> Tue, 09 May 2023 19:05:02 +0200
+
+postgresql-15 (15.2-2) unstable; urgency=medium
+
+ * Add Romanian debconf translation, mulțumesc Remus-Gabriel Chelu!
+ * Fix update-alternatives when doc package is installed stand-alone.
+
+ -- Christoph Berg <myon@debian.org> Mon, 27 Feb 2023 10:30:23 +0100
+
+postgresql-15 (15.2-1) unstable; urgency=medium
+
+ * New upstream version.
+
+ + libpq can leak memory contents after GSSAPI transport encryption
+ initiation fails (Jacob Champion)
+
+ A modified server, or an unauthenticated man-in-the-middle, can send a
+ not-zero-terminated error message during setup of GSSAPI (Kerberos)
+ transport encryption. libpq will then copy that string, as well as
+ following bytes in application memory up to the next zero byte, to its
+ error report. Depending on what the calling application does with the
+ error report, this could result in disclosure of application memory
+ contents. There is also a small probability of a crash due to reading
+ beyond the end of memory. Fix by properly zero-terminating the server
+ message. (CVE-2022-41862)
+
+ -- Christoph Berg <myon@debian.org> Tue, 07 Feb 2023 14:57:10 +0100
+
+postgresql-15 (15.1-1) unstable; urgency=medium
+
+ * New upstream version.
+
+ -- Christoph Berg <myon@debian.org> Tue, 08 Nov 2022 10:59:12 +0100
+
+postgresql-15 (15.0-2) unstable; urgency=medium
+
+ * Add Breaks on dbconfig-common (<< 2.0.22~) which doesn't support the
+ stricter permissions on the default public schema yet.
+ * Cherry-pick 4a6de748d3 from upstream to help fix #1021859.
+ * Mark -doc package as <!nodoc>.
+
+ -- Christoph Berg <myon@debian.org> Mon, 24 Oct 2022 11:30:00 +0200
+
+postgresql-15 (15.0-1) unstable; urgency=medium
+
+ * New upstream version.
+
+ -- Christoph Berg <myon@debian.org> Fri, 14 Oct 2022 10:36:49 +0200
+
+postgresql-15 (15~rc2-1) unstable; urgency=medium
+
+ [ Christoph Berg ]
+ * New upstream RC version.
+
+ [ Petter Jacobsen ]
+ * Add . to extension_destdir description.
+
+ -- Christoph Berg <myon@debian.org> Thu, 06 Oct 2022 14:06:05 +0200
+
+postgresql-15 (15~rc1-1) experimental; urgency=medium
+
+ * New upstream RC version.
+
+ -- Christoph Berg <myon@debian.org> Tue, 27 Sep 2022 11:31:54 +0200
+
+postgresql-15 (15~beta4-1) experimental; urgency=medium
+
+ * New upstream beta version.
+ * Add Italian debconf translation by Ceppo, thanks! (Closes: #1019162)
+
+ -- Christoph Berg <myon@debian.org> Tue, 06 Sep 2022 11:44:55 +0200
+
+postgresql-15 (15~beta3-1) experimental; urgency=medium
+
+ * New upstream beta version.
+ * debian/copyright: Update src/backend/regex section.
+ * Update lintian overrides.
+
+ -- Christoph Berg <myon@debian.org> Wed, 10 Aug 2022 14:33:48 +0200
+
+postgresql-15 (15~beta2-1) experimental; urgency=medium
+
+ * New upstream beta version.
+ * Depend on postgresql-common >= 241.
+ * Disable LLVM JIT on s390x for now. (See #1002029)
+
+ -- Christoph Berg <myon@debian.org> Tue, 28 Jun 2022 18:20:44 +0200
+
+postgresql-15 (15~beta1-1) experimental; urgency=medium
+
+ * New major upstream version 15; packaging based on postgresql-14.
+ * configure.ac: Remove check for autoconf 2.69.
+
+ -- Christoph Berg <myon@debian.org> Wed, 18 May 2022 16:26:02 +0200