postgresql-9.3 (9.3.25-13.pgdg130+2) trixie-pgdg; urgency=medium

  * Rebuild for trixie-pgdg.
  * Changes applied by generate-pgdg-source:
    + Moving lib packages to component 9.3.

 -- PostgreSQL on Debian and Ubuntu <pgsql-pkg-debian@lists.postgresql.org>  Thu, 31 Oct 2024 18:08:32 +0100

postgresql-9.3 (9.3.25-13) unstable; urgency=medium

  * Run regression tests with TZ America/Los_Angeles.
  * Catch plperl output variation with perl 5.40 on unstable.

 -- Christoph Berg <myon@debian.org>  Thu, 31 Oct 2024 18:08:32 +0100

postgresql-9.3 (9.3.25-12) unstable; urgency=medium

  * B-D on python3-setuptools, we need distutils.
  * Cherry-pick 400928b83 from master to fix xml build.

 -- Christoph Berg <myon@debian.org>  Sun, 28 Jul 2024 17:20:56 +0000

postgresql-9.3 (9.3.25-11) unstable; urgency=medium

  * Fix doc install when postgresql-client-common is not present.
  * DH 13 and autoreconf at build time.
  * Fix config/c-compiler.m4 for new compiler warnings.

 -- Christoph Berg <myon@debian.org>  Fri, 24 May 2024 21:43:42 +0200

postgresql-9.3 (9.3.25-10) unstable; urgency=medium

  * Add Build-Profile nopython.
  * B-D on dh-exec.

 -- Christoph Berg <myon@debian.org>  Fri, 26 Apr 2024 15:28:43 +0000

postgresql-9.3 (9.3.25-9) unstable; urgency=medium

  * Test-Depend on tzdata-legacy | tzdata (<< 2023c-8).

 -- Christoph Berg <myon@debian.org>  Thu, 10 Aug 2023 22:25:38 +0200

postgresql-9.3 (9.3.25-8) unstable; urgency=medium

  * Fix update-alternatives when doc package is installed stand-alone.

 -- Christoph Berg <myon@debian.org>  Mon, 27 Feb 2023 10:52:27 +0100

postgresql-9.3 (9.3.25-7) unstable; urgency=medium

  * Fix plpython3 for Python 3.11 (upstream 4339e10f).

 -- Christoph Berg <myon@debian.org>  Mon, 20 Feb 2023 17:50:29 +0100

postgresql-9.3 (9.3.25-6) unstable; urgency=medium

  * Fix pl/perl test case so it will still work under Perl 5.36.

 -- Christoph Berg <myon@debian.org>  Tue, 01 Nov 2022 15:50:01 +0100

postgresql-9.3 (9.3.25-5) unstable; urgency=medium

  * Support Python 3.10 in plpython tests.

 -- Christoph Berg <myon@debian.org>  Sun, 15 May 2022 20:59:57 +0200

postgresql-9.3 (9.3.25-4) unstable; urgency=medium

  * R³: no.
  * run-testsuite: Test only this version.

 -- Christoph Berg <myon@debian.org>  Fri, 05 Feb 2021 13:21:45 +0100

postgresql-9.3 (9.3.25-3) unstable; urgency=medium

  * Disable building plpython2 by default. (Closes: #937310)
  * Add debian/gitlab-ci.yml.
  * debian/tests: Also run regression tests.
  * Remove obsolete Breaks/Replaces.
  * Fix binary-all build.

 -- Christoph Berg <myon@debian.org>  Wed, 09 Oct 2019 15:17:46 +0200

postgresql-9.3 (9.3.25-2) unstable; urgency=medium

  * Drop explicit xz compression for .debs.
  * Depend on locales | locales-all. Suggested by Elrond, thanks!
    (Closes: #916655)
  * Build-Depend on tcl-dev instead of on a specific version.
  * initdb doesn't like LANG and LC_ALL to contradict, unset LANG and
    LC_CTYPE at test time. (Closes: #917764)

 -- Christoph Berg <myon@debian.org>  Mon, 01 Apr 2019 09:07:29 +0200

postgresql-9.3 (9.3.25-1) unstable; urgency=medium

  * New upstream version.
  * Enable dtrace support.
  * psql uses sensible-editor, depend on sensible-utils.
  * Add lintian overrides for plugins that link no external libraries.
  * configure: Hard-code paths to /bin/mkdir -p and /bin/tar.

 -- Christoph Berg <christoph.berg@credativ.de>  Tue, 06 Nov 2018 15:15:18 +0100

postgresql-9.3 (9.3.24-1) unstable; urgency=medium

  * New upstream version.
    + Fix failure to reset libpq's state fully between connection attempts

      An unprivileged user of dblink or postgres_fdw could bypass the checks
      intended to prevent use of server-side credentials, such as a ~/.pgpass
      file owned by the operating-system user running the server.  Servers
      allowing peer authentication on local connections are particularly
      vulnerable.  Other attacks such as SQL injection into a postgres_fdw
      session are also possible. Attacking postgres_fdw in this way requires
      the ability to create a foreign server object with selected connection
      parameters, but any user with access to dblink could exploit the
      problem. In general, an attacker with the ability to select the
      connection parameters for a libpq-using application could cause
      mischief, though other plausible attack scenarios are harder to think
      of. Our thanks to Andrew Krasichkov for reporting this issue.
      (CVE-2018-10915)

  * debian/rules: Set DEB_HOST_* via /usr/share/dpkg/architecture.mk.
  * Drop support for tcl8.5.
  * Refactor testsuite failure handling.
  * Use dh_auto_configure to correctly seed the build architecture.
  * Add new pgtypes header and symbol.

 -- Christoph Berg <christoph.berg@credativ.de>  Tue, 07 Aug 2018 14:17:04 +0200

postgresql-9.3 (9.3.23-2) unstable; urgency=medium

  * Update libpq_pgport in Makefile.global to find libpgcommon/libpgport in
    pkglibdir.

 -- Christoph Berg <myon@debian.org>  Sun, 20 May 2018 20:08:19 +0200

postgresql-9.3 (9.3.23-1) unstable; urgency=medium

  * New upstream version.
    + Fix incorrect volatility markings on a few built-in functions.

  * Move libpgport.a and libpgcommon.a from libdir to pkglibdir.

 -- Christoph Berg <myon@debian.org>  Tue, 08 May 2018 20:37:04 +0200

postgresql-9.3 (9.3.22-1) unstable; urgency=medium

  * New upstream version.

    If you run an installation in which not all users are mutually
    trusting, or if you maintain an application or extension that is
    intended for use in arbitrary situations, it is strongly recommended
    that you read the documentation changes described in the first changelog
    entry below, and take suitable steps to ensure that your installation or
    code is secure.

    Also, the changes described in the second changelog entry below may
    cause functions used in index expressions or materialized views to fail
    during auto-analyze, or when reloading from a dump.  After upgrading,
    monitor the server logs for such problems, and fix affected functions.

    + Document how to configure installations and applications to guard
      against search-path-dependent trojan-horse attacks from other users

      Using a search_path setting that includes any schemas writable by a
      hostile user enables that user to capture control of queries and then
      run arbitrary SQL code with the permissions of the attacked user.  While
      it is possible to write queries that are proof against such hijacking,
      it is notationally tedious, and it's very easy to overlook holes.
      Therefore, we now recommend configurations in which no untrusted schemas
      appear in one's search path.
      (CVE-2018-1058)

    + Avoid use of insecure search_path settings in pg_dump and other client
      programs

      pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications
      were themselves vulnerable to the type of hijacking described in the
      previous changelog entry; since these applications are commonly run by
      superusers, they present particularly attractive targets.  To make them
      secure whether or not the installation as a whole has been secured,
      modify them to include only the pg_catalog schema in their search_path
      settings. Autovacuum worker processes now do the same, as well.

      In cases where user-provided functions are indirectly executed by these
      programs -- for example, user-provided functions in index expressions --
      the tighter search_path may result in errors, which will need to be
      corrected by adjusting those user-provided functions to not assume
      anything about what search path they are invoked under.  That has always
      been good practice, but now it will be necessary for correct behavior.
      (CVE-2018-1058)

 -- Christoph Berg <christoph.berg@credativ.de>  Tue, 27 Feb 2018 13:22:04 +0100

postgresql-9.3 (9.3.21-1) unstable; urgency=medium

  * New upstream version.
    + Ensure that all temporary files made by pg_upgrade are
      non-world-readable (CVE-2018-1053)

  * Show package version number in version().
  * Remove actual build path from Makefile.global for reproducibility.

 -- Christoph Berg <myon@debian.org>  Sat, 02 Dec 2017 21:31:24 +0100

postgresql-9.3 (9.3.20-1) unstable; urgency=medium

  * New upstream version.

    + Fix crash due to rowtype mismatch in json{b}_populate_recordset()
      (Michael Paquier, Tom Lane)

      These functions used the result rowtype specified in the FROM ... AS
      clause without checking that it matched the actual rowtype of the
      supplied tuple value.  If it didn't, that would usually result in a
      crash, though disclosure of server memory contents seems possible as
      well. (CVE-2017-15098)

  * Remove empty conf.d directory on purge, even when postgresql-common
    was already removed. (Closes: #877264)

 -- Christoph Berg <myon@debian.org>  Sun, 29 Oct 2017 22:00:07 +0100

postgresql-9.3 (9.3.19-1) unstable; urgency=medium

  * New upstream version.

 -- Christoph Berg <christoph.berg@credativ.de>  Tue, 29 Aug 2017 15:50:58 +0200

postgresql-9.3 (9.3.18-1) unstable; urgency=medium

  * New upstream version.

    + Further restrict visibility of pg_user_mappings.umoptions, to protect
      passwords stored as user mapping options. See the release notes for
      instructions for applying the fix to existing database clusters.
      (CVE-2017-7547; extends fix for CVE-2017-7484)
    + Disallow empty passwords in all password-based authentication methods.
      (CVE-2017-7546)
    + Make lo_put() check for UPDATE privilege on the target large object.
      (CVE-2017-7548)

  * On regression test failure, show newest three log files instead of relying
    on file age = 0 min.
  * debian/rules: Unconditionally use DEB_BUILD_MAINT_OPTIONS=hardening=+all.
    The old logic is kept around for compiling on older distributions.
  * Remove long obsolete --with-krb5 and move c/ldflags to configure switches.

 -- Christoph Berg <myon@debian.org>  Wed, 09 Aug 2017 20:07:04 +0200

postgresql-9.3 (9.3.17-1) unstable; urgency=medium

  * Team upload.
  * New upstream version.

    + Restrict visibility of pg_user_mappings.umoptions, to protect passwords
      stored as user mapping options (CVE-2017-7486)
    + Prevent exposure of statistical information via leaky operators
      (CVE-2017-7484)
    + Restore libpq's recognition of the PGREQUIRESSL environment variable
      (CVE-2017-7485)

  * debian/rules: Add stub to enable cassert builds (disabled by default).
  * Use OpenSSL 1.1 for building on stretch/sid.

 -- Christoph Berg <christoph.berg@credativ.de>  Tue, 09 May 2017 15:32:09 +0200

postgresql-9.3 (9.3.16-1) unstable; urgency=medium

  * Team upload.
  * New upstream version.

    + Fix a race condition that could cause indexes built with CREATE INDEX
      CONCURRENTLY to be corrupt (Pavan Deolasee, Tom Lane)

      If CREATE INDEX CONCURRENTLY was used to build an index that depends on
      a column not previously indexed, then rows inserted or updated by
      transactions that ran concurrently with the CREATE INDEX command could
      have received incorrect index entries.  If you suspect this may have
      happened, the most reliable solution is to rebuild affected indexes
      after installing this update.

  * Use OpenSSL 1.0 for building on stretch/sid.
  * Add missing perl test dependency (for Test::More).
  * Update watch file to use https.
  * Drop hardening-wrapper.
  * Explicitly disable PIE on 32 architectures. Previously we were just not
    enabling it, but it's on by default now in unstable. Closes: #842752.
  * libpq-dev: Remove dependency on libssl-dev (and comerr-dev and
    krb5-multidev) to unbreak co-installation with libssl1.0-dev.

 -- Christoph Berg <christoph.berg@credativ.de>  Tue, 07 Feb 2017 12:20:50 +0100

postgresql-9.3 (9.3.15-1) unstable; urgency=medium

  * New upstream version.

    If your installation has been affected by the bug described in the first
    changelog entry below, then after updating you may need to take action to
    repair corrupted free space maps.

    + Fix WAL-logging of truncation of relation free space maps and visibility
      maps (Pavan Deolasee, Heikki Linnakangas)

      It was possible for these files to not be correctly restored during
      crash recovery, or to be written incorrectly on a standby server. Bogus
      entries in a free space map could lead to attempts to access pages that
      have been truncated away from the relation itself, typically producing
      errors like could not read block XXX: read only 0 of 8192 bytes.
      Checksum failures in the visibility map are also possible, if
      checksumming is enabled.

      Procedures for determining whether there is a problem and repairing it
      if so are discussed at
      https://wiki.postgresql.org/wiki/Free_Space_Map_Problems.

 -- Christoph Berg <myon@debian.org>  Tue, 25 Oct 2016 14:20:19 +0200

postgresql-9.3 (9.3.14-1) unstable; urgency=medium

  * New upstream version.

    + Fix possible mis-evaluation of nested CASE-WHEN expressions
      (Heikki Linnakangas, Michael Paquier, Tom Lane)

      A CASE expression appearing within the test value subexpression of
      another CASE could become confused about whether its own test value was
      null or not.  Also, inlining of a SQL function implementing the equality
      operator used by a CASE expression could result in passing the wrong
      test value to functions called within a CASE expression in the SQL
      function's body.  If the test values were of different data types, a
      crash might result; moreover such situations could be abused to allow
      disclosure of portions of server memory.  (CVE-2016-5423)

    + Fix client programs' handling of special characters in database and role
      names (Noah Misch, Nathan Bossart, Michael Paquier)

      Numerous places in vacuumdb and other client programs could become
      confused by database and role names containing double quotes or
      backslashes.  Tighten up quoting rules to make that safe. Also, ensure
      that when a conninfo string is used as a database name parameter to
      these programs, it is correctly treated as such throughout.

      Fix handling of paired double quotes in psql's \connect and \password
      commands to match the documentation.

      Introduce a new -reuse-previous option in psql's \connect command to
      allow explicit control of whether to re-use connection parameters from a
      previous connection.  (Without this, the choice is based on whether the
      database name looks like a conninfo string, as before.)  This allows
      secure handling of database names containing special characters in
      pg_dumpall scripts.

      pg_dumpall now refuses to deal with database and role names containing
      carriage returns or newlines, as it seems impractical to quote those
      characters safely on Windows.  In future we may reject such names on the
      server side, but that step has not been taken yet.

      These are considered security fixes because crafted object names
      containing special characters could have been used to execute commands
      with superuser privileges the next time a superuser executes pg_dumpall
      or other routine maintenance operations.  (CVE-2016-5424)

  * Remove conditional multi-arch compilation, all supported dists are
    multi-arched now.

 -- Christoph Berg <christoph.berg@credativ.de>  Tue, 09 Aug 2016 17:41:01 +0200

postgresql-9.3 (9.3.13-1) unstable; urgency=medium

  * New upstream version.

 -- Christoph Berg <christoph.berg@credativ.de>  Tue, 10 May 2016 10:17:37 +0200

postgresql-9.3 (9.3.12-1) unstable; urgency=medium

  * New upstream version.
  * 02-relax-sslkey-permscheck.patch: Replace with what went upstream in 9.6.
  * Stop suggesting the use of identd.
  * Modernize server package description.
  * Recommend postgresql-contrib and sysstat.

 -- Christoph Berg <myon@debian.org>  Tue, 29 Mar 2016 12:35:34 +0200

postgresql-9.3 (9.3.11-1) unstable; urgency=medium

  * New upstream version.
    + Fix infinite loops and buffer-overrun problems in regular expressions.
      Very large character ranges in bracket expressions could cause infinite
      loops in some cases, and memory overwrites in other cases.
      (CVE-2016-0773)

  * 64-pg_upgrade-sockdir: Fix off-by-one error in max path length.

 -- Christoph Berg <myon@debian.org>  Wed, 10 Feb 2016 18:31:53 +0100

postgresql-9.3 (9.3.10-1) unstable; urgency=medium

  * New upstream version.

    + Guard against stack overflows in json parsing (Oskari Saarenmaa)

      If an application constructs PostgreSQL json or jsonb values from
      arbitrary user input, the application's users can reliably crash the
      PostgreSQL server, causing momentary denial of service.  (CVE-2015-5289)

    + Fix contrib/pgcrypto to detect and report too-short crypt() salts
      (Josh Kupershmidt)

      Certain invalid salt arguments crashed the server or disclosed a few
      bytes of server memory.  We have not ruled out the viability of attacks
      that arrange for presence of confidential information in the disclosed
      bytes, but they seem unlikely.  (CVE-2015-5288)

  * Add docbook-xml to build-depends.
  * debian/rules: Remove broken "generate POT files for translators" code.
  * debian/rules: Call dh without --parallel, it's not supported upstream.
  * postgresql postrm: Don't clean {/etc,/var/lib,/var/log}/postgresql on
    purge.  (Closes: #793861)

 -- Christoph Berg <christoph.berg@credativ.de>  Tue, 06 Oct 2015 11:08:44 +0200

postgresql-9.3 (9.3.9-1) unstable; urgency=medium

  * New upstream version.
    + Fix possible failure to recover from an inconsistent database state
    + Fix rare failure to invalidate relation cache init file

 -- Christoph Berg <christoph.berg@credativ.de>  Wed, 10 Jun 2015 13:52:35 +0200

postgresql-9.3 (9.3.8-1) unstable; urgency=medium

  * New upstream version:
    Avoid failures while fsync'ing data directory during crash restart
    (Abhijit Menon-Sen, Tom Lane; Closes: #786874)

 -- Christoph Berg <christoph.berg@credativ.de>  Wed, 03 Jun 2015 11:55:41 +0200

postgresql-9.3 (9.3.7-1) unstable; urgency=medium

  * New upstream version.

    + Avoid possible crash when client disconnects just before the
      authentication timeout expires (Benkocs Norbert Attila)

      If the timeout interrupt fired partway through the session shutdown
      sequence, SSL-related state would be freed twice, typically causing a
      crash and hence denial of service to other sessions.  Experimentation
      shows that an unauthenticated remote attacker could trigger the bug
      somewhat consistently, hence treat as security issue. (CVE-2015-3165)

    + Improve detection of system-call failures (Noah Misch)

      Our replacement implementation of snprintf() failed to check for errors
      reported by the underlying system library calls; the main case that
      might be missed is out-of-memory situations. In the worst case this
      might lead to information exposure, due to our code assuming that a
      buffer had been overwritten when it hadn't been. Also, there were a few
      places in which security-relevant calls of other system library
      functions did not check for failure.

      It remains possible that some calls of the *printf() family of functions
      are vulnerable to information disclosure if an out-of-memory error
      occurs at just the wrong time.  We judge the risk to not be large, but
      will continue analysis in this area. (CVE-2015-3166)

    + In contrib/pgcrypto, uniformly report decryption failures as Wrong key
      or corrupt data (Noah Misch)

      Previously, some cases of decryption with an incorrect key could report
      other error message texts.  It has been shown that such variance in
      error reports can aid attackers in recovering keys from other systems.
      While it's unknown whether pgcrypto's specific behaviors are likewise
      exploitable, it seems better to avoid the risk by using a
      one-size-fits-all message. (CVE-2015-3167)

    + Protect against wraparound of multixact member IDs
      (Álvaro Herrera, Robert Haas, Thomas Munro)

      Under certain usage patterns, the existing defenses against this might
      be insufficient, allowing pg_multixact/members files to be removed too
      early, resulting in data loss.
      The fix for this includes modifying the server to fail transactions that
      would result in overwriting old multixact member ID data, and improving
      autovacuum to ensure it will act proactively to prevent multixact member
      ID wraparound, as it does for transaction ID wraparound.

  * Repository moved to git, update Vcs headers.

 -- Christoph Berg <christoph.berg@credativ.de>  Wed, 20 May 2015 13:31:31 +0200

postgresql-9.3 (9.3.6-1) unstable; urgency=medium

  * New upstream release.
    + Fix buffer overruns in to_char() (CVE-2015-0241)
    + Fix buffer overruns in contrib/pgcrypto (CVE-2015-0243)
    + Fix possible loss of frontend/backend protocol synchronization after an
      error (CVE-2015-0244)
    + Fix information leak via constraint-violation error messages
      (CVE-2014-8161)

 -- Christoph Berg <myon@debian.org>  Wed, 04 Feb 2015 22:54:09 +0100

postgresql-9.3 (9.3.5-2) unstable; urgency=medium

  [ Martin Pitt ]
  * Add missing logrotate test dependency.

  [ Christoph Berg ]
  * Fix postgresql_fdw in description, spotted by Andrei Popescu, thanks!

 -- Christoph Berg <myon@debian.org>  Wed, 17 Dec 2014 20:45:00 +0100

postgresql-9.3 (9.3.5-1) unstable; urgency=medium

  * New upstream release.
    + Secure Unix-domain sockets of temporary postmasters started during make
      check (Noah Misch)

      Any local user able to access the socket file could connect as the
      server's bootstrap superuser, then proceed to execute arbitrary code as
      the operating-system user running the test, as we previously noted in
      CVE-2014-0067. This change defends against that risk by placing the
      server's socket in a temporary, mode 0700 subdirectory of /tmp.

  * Remove our pg_regress patches to support --host=/path.
  * Remove the tcl8.6 patch, went upstream.
  * Update Vcs URLs.

 -- Christoph Berg <myon@debian.org>  Mon, 21 Jul 2014 23:18:40 +0200

postgresql-9.3 (9.3.4-2) unstable; urgency=medium

  * Bump to debhelper 9 to get debug symbol files based on build-ids.
  * Enable multiarch support in libpq and friends. (Closes: #706849)
    Support is automatically disabled when the distribution does not support
    it.
  * Stop providing/replacing/conflicting with postgresql*-dbg.
  * Skip -pie on 32bit archs for performance and stability reasons.
    Closes: #749686; details at
    http://www.postgresql.org/message-id/20140519115318.GB7296@msgid.df7cb.de

 -- Christoph Berg <myon@debian.org>  Thu, 29 May 2014 20:17:07 +0200

postgresql-9.3 (9.3.4-1) unstable; urgency=medium

  * New upstream bugfix release. Most notable change:

    Fix WAL replay of locking an already-updated tuple (Andres Freund,
    Álvaro Herrera)

    This error caused updated rows to not be found by index scans, resulting
    in inconsistent query results depending on whether an index scan was used.
    Subsequent processing could result in constraint violations, since the
    previously updated row would not be found by later index searches, thus
    possibly allowing conflicting rows to be inserted. Since this error is in
    WAL replay, it would only manifest during crash recovery or on standby
    servers. The improperly-replayed case most commonly arises when a table
    row that is referenced by a foreign-key constraint is updated concurrently
    with creation of a referencing row.

  * Compile with -fno-omit-frame-pointer on amd64 to facilitate hierarchical
    profile generation. (Closes: #730134)
  * Remove obsolete configure option --with-tkconfig.

 -- Christoph Berg <myon@debian.org>  Tue, 18 Mar 2014 07:19:37 +0100

postgresql-9.3 (9.3.3-2) unstable; urgency=medium

  [ Martin Pitt ]
  * Add missing build-essential test depends, for 180_ecpg.t.

  [ Christoph Berg ]
  * Don't install server includefiles in libpq-dev. (Closes: #314427)
  * Remove contrib/file_fdw/sql/file_fdw.sql on clean.

 -- Christoph Berg <christoph.berg@credativ.de>  Wed, 12 Mar 2014 12:57:20 +0100

postgresql-9.3 (9.3.3-1) unstable; urgency=medium

  [ Christoph Berg ]
  * New upstream security/bugfix release.

    + Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)

      Granting a role without ADMIN OPTION is supposed to prevent the grantee
      from adding or removing members from the granted role, but this
      restriction was easily bypassed by doing SET ROLE first. The security
      impact is mostly that a role member can revoke the access of others,
      contrary to the wishes of his grantor. Unapproved role member additions
      are a lesser concern, since an uncooperative role member could provide
      most of his rights to others anyway by creating views or SECURITY
      DEFINER functions. (CVE-2014-0060)

    + Prevent privilege escalation via manual calls to PL validator functions
      (Andres Freund)

      The primary role of PL validator functions is to be called implicitly
      during CREATE FUNCTION, but they are also normal SQL functions that a
      user can call explicitly. Calling a validator on a function actually
      written in some other language was not checked for and could be
      exploited for privilege-escalation purposes. The fix involves adding a
      call to a privilege-checking function in each validator function.
      Non-core procedural languages will also need to make this change to
      their own validator functions, if any. (CVE-2014-0061)

    + Avoid multiple name lookups during table and index DDL (Robert Haas,
      Andres Freund)

      If the name lookups come to different conclusions due to concurrent
      activity, we might perform some parts of the DDL on a different table
      than other parts. At least in the case of CREATE INDEX, this can be used
      to cause the permissions checks to be performed against a different
      table than the index creation, allowing for a privilege escalation
      attack. (CVE-2014-0062)

    + Prevent buffer overrun with long datetime strings (Noah Misch)

      The MAXDATELEN constant was too small for the longest possible value of
      type interval, allowing a buffer overrun in interval_out(). Although the
      datetime input functions were more careful about avoiding buffer
      overrun, the limit was short enough to cause them to reject some valid
      inputs, such as input containing a very long timezone name. The ecpg
      library contained these vulnerabilities along with some of its own.
      (CVE-2014-0063)

    + Prevent buffer overrun due to integer overflow in size calculations
      (Noah Misch, Heikki Linnakangas)

      Several functions, mostly type input functions, calculated an allocation
      size without checking for overflow. If overflow did occur, a too-small
      buffer would be allocated and then written past. (CVE-2014-0064)

    + Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)

      Use strlcpy() and related functions to provide a clear guarantee that
      fixed-size buffers are not overrun. Unlike the preceding items, it is
      unclear whether these cases really represent live issues, since in most
      cases there appear to be previous constraints on the size of the input
      string. Nonetheless it seems prudent to silence all Coverity warnings of
      this type. (CVE-2014-0065)

    + Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian)

      There are relatively few scenarios in which crypt() could return NULL,
      but contrib/chkpass would crash if it did. One practical case in which
      this could be an issue is if libc is configured to refuse to execute
      unapproved hashing algorithms (e.g., "FIPS mode"). (CVE-2014-0066)

    + Document risks of make check in the regression testing instructions
      (Noah Misch, Tom Lane)

      Since the temporary server started by make check uses "trust"
      authentication, another user on the same machine could connect to it as
      database superuser, and then potentially exploit the privileges of the
      operating-system user who started the tests. A future release will
      probably incorporate changes in the testing procedure to prevent this
      risk, but some public discussion is needed first. So for the moment,
      just warn people against using make check when there are untrusted users
      on the same machine. (CVE-2014-0067)

    + Rework tuple freezing protocol (Álvaro Herrera, Andres Freund)

      The logic for tuple freezing was unable to handle some cases involving
      freezing of multixact IDs, with the practical effect that shared
      row-level locks might be forgotten once old enough.

      Fixing this required changing the WAL record format for tuple freezing.
      While this is no issue for standalone servers, when using replication it
      means that standby servers must be upgraded to 9.3.3 or later before
      their masters are. An older standby will be unable to interpret freeze
      records generated by a newer master, and will fail with a PANIC message.
      (In such a case, upgrading the standby should be sufficient to let it
      resume execution.)

  * The upstream tarballs no longer contain a plain HISTORY file, but point to
    the html documentation. Note the location of these files in our
    changelog.gz file.
  * Teach configure to find tclsh8.6 where tclsh is not available.

  [ Martin Pitt ]
  * Build with LINUX_OOM_SCORE_ADJ=0 instead of the older LINUX_OOM_ADJ=0. All
    relevant distro releases (>= squeeze/lucid) use kernels which support
    /proc/pid/oom_score_adj, so avoid the dmesg warnings. (Closes: #646245,
    LP: #991725)
  * Bump Standards-Version to 3.9.5 (no changes necessary).
  * Build with tcl8.6 where available (>= Jessie, >= trusty).

 -- Christoph Berg <christoph.berg@credativ.de>  Wed, 19 Feb 2014 10:15:39 +0100

postgresql-9.3 (9.3.2-1) unstable; urgency=low

  [ Martin Pitt ]
  * Add 03-config-update.patch: Refresh config.{guess,sub} to latest version
    for enabling ports, in particular the upcoming ppc64el.

  [ Christoph Berg ]
  * New upstream bugfix release.

    + Fix "VACUUM"'s tests to see whether it can update relfrozenxid
      (Andres Freund)

      In some cases "VACUUM" (either manual or autovacuum) could
      incorrectly advance a table's relfrozenxid value, allowing tuples
      to escape freezing, causing those rows to become invisible once
      2^31 transactions have elapsed. The probability of data loss is
      fairly low since multiple incorrect advancements would need to
      happen before actual loss occurs, but it's not zero. In 9.2.0 and
      later, the probability of loss is higher, and it's also possible to
      get "could not access status of transaction" errors as a
      consequence of this bug. Users upgrading from releases 9.0.4 or
      8.4.8 or earlier are not affected, but all later versions contain
      the bug.
      The issue can be ameliorated by, after upgrading, vacuuming all
      tables in all databases while having vacuum_freeze_table_age set to
      zero. This will fix any latent corruption but will not be able to
      fix all pre-existing data errors. However, an installation can be
      presumed safe after performing this vacuuming if it has executed
      fewer than 2^31 update transactions in its lifetime (check this
      with SELECT txid_current() < 2^31).

    + Fix multiple bugs in MultiXactId freezing (Andres Freund, Alvaro
      Herrera)

      These bugs could lead to "could not access status of transaction"
      errors, or to duplicate or vanishing rows. Users upgrading from
      releases prior to 9.3.0 are not affected.
      The issue can be ameliorated by, after upgrading, vacuuming all
      tables in all databases while having vacuum_freeze_table_age set to
      zero. This will fix latent corruption but will not be able to fix
      all pre-existing data errors.
      As a separate issue, these bugs can also cause standby servers to
      get out of sync with the primary, thus exhibiting data errors that
      are not in the primary. Therefore, it's recommended that 9.3.0 and
      9.3.1 standby servers be re-cloned from the primary (e.g., with a
      new base backup) after upgrading.

    + Fix initialization of "pg_clog" and "pg_subtrans" during hot
      standby startup (Andres Freund, Heikki Linnakangas)

      This bug can cause data loss on standby servers at the moment they
      start to accept hot-standby queries, by marking committed
      transactions as uncommitted. The likelihood of such corruption is
      small unless, at the time of standby startup, the primary server
      has executed many updating transactions since its last checkpoint.
      Symptoms include missing rows, rows that should have been deleted
      being still visible, and obsolete versions of updated rows being
      still visible alongside their newer versions.
      This bug was introduced in versions 9.3.0, 9.2.5, 9.1.10, and
      9.0.14. Standby servers that have only been running earlier
      releases are not at risk. It's recommended that standby servers
      that have ever run any of the buggy releases be re-cloned from the
      primary (e.g., with a new base backup) after upgrading.

  * Refresh debian/patches/62-pg_upgrade-test-in-tmp.

 -- Christoph Berg <myon@debian.org>  Tue, 03 Dec 2013 09:18:41 +0100

postgresql-9.3 (9.3.1-1) unstable; urgency=low

  * New upstream release.
    - Update hstore extension with JSON functionality
      Users who installed hstore prior to 9.3.1 must execute:
         ALTER EXTENSION hstore UPDATE;
      to add two new JSON functions and a cast.
    - Some bug fixes, see HISTORY for details.

 -- Martin Pitt <mpitt@debian.org>  Tue, 08 Oct 2013 10:54:46 +0200

postgresql-9.3 (9.3.0-2) unstable; urgency=low

  [ Martin Pitt ]
  * Drop the "beta" warning from package description, this is the final
    version now.

 -- Christoph Berg <myon@debian.org>  Tue, 10 Sep 2013 09:34:39 +0200

postgresql-9.3 (9.3.0-1) unstable; urgency=low

  * New upstream release.
  * pgxs.mk: Make the install targets depend on installdirs.

 -- Christoph Berg <myon@debian.org>  Wed, 04 Sep 2013 18:53:05 +0200

postgresql-9.3 (9.3~rc1-2) unstable; urgency=low

  * Rebuild against Perl 5.18.

 -- Martin Pitt <mpitt@debian.org>  Tue, 27 Aug 2013 11:27:10 +0200

postgresql-9.3 (9.3~rc1-1) unstable; urgency=low

  [ Martin Pitt ]
  * New upstream release: first 9.3 release candidate.
    - Add locking around SSL_context usage in libpq, to make it thread safe.
      (Closes: #718460)
  * First upload to unstable, 9.3 final will be released soon and now is the
    time for testing and porting extensions.
  * debian/rules: Support multi-arch locations of {tcl,tk}-config.
  * debian/rules: Don't build with kerberos and LDAP support for
    DEB_STAGE=stage1 to aid with bootstrapping.
  * debian/tests/control: Add missing net-tools dependency (for ifconfig).
  * debian/rules: Call dh with --parallel.
  * debian/control: Explicitly Conflicts/Replaces postgresql-9.1-dbg, as that
    did not yet have a "Provides: postgresql-dbg". (Closes: #717982)

  [ Christoph Berg ]
  * Pull 6697aa2bc25c83b88d6165340348a31328c35de6 and
    82b0102650cf85268145a46f0ab488bacf6599a1 from upstream head to better
    support VPATH builds of PGXS modules.
  * debian/rules: Call make check-world without -k and use a random port
    number for pg_regress.

 -- Martin Pitt <mpitt@debian.org>  Thu, 22 Aug 2013 10:19:13 +0200

postgresql-9.3 (9.3~beta2-2) experimental; urgency=low

  * debian/postgresql-9.3.preinst: Abort upgrade if there are still clusters
    with the 9.3beta1 format, these need to be dumped/dropped first.
    (Closes: #714328)

 -- Martin Pitt <mpitt@debian.org>  Fri, 28 Jun 2013 14:37:06 +0200

postgresql-9.3 (9.3~beta2-1) experimental; urgency=low

  [ Christoph Berg ]
  * hurd-i386: Ignore testsuite failures so we have a working libpq5 (they
    don't implement semaphores so the server won't even start).
  * Mark postgresql-9.3 as beta in the description, suggested by Joshua D.
    Drake.

  [ Martin Pitt ]
  * New upstream release 9.3 beta2.

 -- Martin Pitt <mpitt@debian.org>  Wed, 26 Jun 2013 15:13:32 +0200

postgresql-9.3 (9.3~beta1-3) experimental; urgency=low

  * sparc, alpha: Remove -O1 - we have been using this since 2007, but now it
    looks the other way round, "make check" fails on sparc with -O1, but works
    with -O2.
  * kfreebsd-*: Ignore testsuite failures until we resolve the plperl
    failures, see #704802.

 -- Christoph Berg <myon@debian.org>  Fri, 31 May 2013 16:34:34 -0700

postgresql-9.3 (9.3~beta1-2) experimental; urgency=low

  * Update watch file for 9.3.
  * 64-pg_upgrade-sockdir: If cwd is too long to use as socketdir in
    pg_upgrade, fall back to /tmp. (A Unix socket path must not be longer than
    107 chars.)

 -- Christoph Berg <myon@debian.org>  Mon, 13 May 2013 23:09:44 -0700

postgresql-9.3 (9.3~beta1-1) experimental; urgency=low

  [ Christoph Berg ]
  * Update for 9.3. Packaging based on 9.2 branch.
  * Remove 03-python-includedirs.patch, implemented upstream.
  * libpq5.symbols: Add new symbols: PQconninfo, lo_lseek64, lo_tell64,
    lo_truncate64.
  * debian/rules: Remove the temporary patches from pg_regress, and teach
    pg_regress to support unix socket dirs in --host.
  * debian/rules: Use "make check-world" to run the regression tests. Thanks
    to Peter Eisentraut for the suggestion.
  * 50-per-version-dirs.patch: Use @MAJORVERSION@ instead of a fixed version.
  * 61-extra_regress_opts: Add EXTRA_REGRESS_OPTS in Makefile.global(.in).
  * 62-pg_upgrade-test-in-tmp: Hardcode /tmp in pg_upgrade's test.sh.
  * 63-pg_upgrade-test-bindir: Pass PSQLDIR to the pg_regress call.
  * postgresql-9.3.install: Add pg_xlogdump.
  * postgresql-client-9.3.install: Add pg_isready.
  * libpq-dev.install: Add usr/lib/libpgcommon.a.
  * libpq-dev.install, libecpg-dev.install: Add pkgconfig files.
  * postgresql-contrib-9.3.install: Add
    usr/lib/postgresql/9.3/lib/postgres_fdw.so.

  [ Martin Pitt ]
  * Bump p-common dependency to >= 142, to ensure compatibility with 9.3,
    particularly for upgrades.

 -- Martin Pitt <mpitt@debian.org>  Wed, 08 May 2013 05:39:52 +0200
