-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 11 Feb 2025 11:27:41 +0100
Source: postgresql-15
Architecture: source
Version: 15.11-0+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 postgresql-15 (15.11-0+deb12u1) bookworm; urgency=medium
 .
   * New upstream version 15.11.
 .
     + Harden PQescapeString and allied functions against invalidly-encoded
       input strings (Andres Freund, Noah Misch)
 .
       Data-quoting functions supplied by libpq now fully check the encoding
       validity of their input.  If invalid characters are detected, they
       report an error if possible.  For the ones that lack an error return
       convention, the output string is adjusted to ensure that the server will
       report invalid encoding and no intervening processing will be fooled by
       bytes that might happen to match single quote, backslash, etc.
 .
       The purpose of this change is to guard against SQL-injection attacks
       that are possible if one of these functions is used to quote crafted
       input.  There is no hazard when the resulting string is sent directly to
       a PostgreSQL server (which would check its encoding anyway), but there
       is a risk when it is passed through psql or other client-side code.
       Historically such code has not carefully vetted encoding, and in many
       cases it's not clear what it should do if it did detect such a problem.
 .
       This fix is effective only if the data-quoting function, the server, and
       any intermediate processing agree on the character encoding that's being
       used.  Applications that insert untrusted input into SQL commands should
       take special care to ensure that that's true.
 .
       Applications and drivers that quote untrusted input without using these
       libpq functions may be at risk of similar problems.  They should first
       confirm the data is valid in the encoding expected by the server.
 .
       The PostgreSQL Project thanks Stephen Fewer for reporting this problem.
       (CVE-2025-1094)
Checksums-Sha1:
 73cca6df95be330ed579fe33692afddeca15a09b 3926 postgresql-15_15.11-0+deb12u1.dsc
 fda31a3976acbb2812afac699cd0401c23a3b761 23167652 postgresql-15_15.11.orig.tar.bz2
 81b35f4eb7dfdf30196dbcca6ba0cb3051a29095 27832 postgresql-15_15.11-0+deb12u1.debian.tar.xz
Checksums-Sha256:
 66b842d985ada30b4a7d0900be715b1c71e0c61d7d76a1cf06002a6af4600b47 3926 postgresql-15_15.11-0+deb12u1.dsc
 5367e97e81e493301cc4aab049dfbc9b4913822985bc62379faab2a281cfbdf0 23167652 postgresql-15_15.11.orig.tar.bz2
 ee33bf42218955e55f14095eab0f687fa0c543b82fb526744e480b4d49786563 27832 postgresql-15_15.11-0+deb12u1.debian.tar.xz
Files:
 47d4314674228e2e29b9a2cbeb4d98d1 3926 database optional postgresql-15_15.11-0+deb12u1.dsc
 d48f1a60c3e6f5b276deda9ba3bea979 23167652 database optional postgresql-15_15.11.orig.tar.bz2
 21f56569ce4825774a1ee7e9f5123779 27832 database optional postgresql-15_15.11-0+deb12u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
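The CVE-2025-1094 entry in the changelog above describes the fix in terms of its effect: a quoting function must confirm that its input is valid in the agreed encoding, and refuse (or flag) input that is not, because client-side code that re-parses the quoted string may otherwise be fooled by bytes that happen to match a quote or backslash. The following is an added illustration of that check, written in Python rather than libpq's C and not taken from PostgreSQL or from this Debian package; the function names, the `utf-8` assumption and the sample inputs are constructed for the example.

```python
"""
Illustration of the encoding check that the CVE-2025-1094 fix adds to libpq's
data-quoting functions: validate the input in the expected server encoding
before escaping it, and refuse to quote anything that is not valid.
This is added example code, not PostgreSQL's implementation.
"""


def is_valid_in_encoding(data: bytes, encoding: str = "utf-8") -> bool:
    """Return True if `data` decodes cleanly in `encoding` (strict mode)."""
    try:
        data.decode(encoding)
    except UnicodeDecodeError:
        return False
    return True


def naive_quote_literal(data: bytes) -> bytes:
    """Byte-oriented quoting that only doubles single quotes.

    It never looks at encoding validity, so an invalid multibyte sequence
    passes through unchanged. This models the pre-fix behaviour the changelog
    calls risky when the result is passed through psql or other client-side
    code rather than sent straight to the server.
    """
    return b"'" + data.replace(b"'", b"''") + b"'"


def hardened_quote_literal(data: bytes, encoding: str = "utf-8") -> str:
    """Quote `data` as a SQL string literal, rejecting invalid input up front.

    Mirrors the changelog's rule: check encoding validity first and report an
    error where an error return is possible. Assumes
    standard_conforming_strings=on, so only the single quote needs doubling.
    """
    if not is_valid_in_encoding(data, encoding):
        raise ValueError(f"input is not valid {encoding}; refusing to quote")
    text = data.decode(encoding)
    return "'" + text.replace("'", "''") + "'"


# Constructed sample inputs (hypothetical, not from the advisory).
VALID_INPUT = "O'Brien".encode("utf-8")
# 0xC3 is a UTF-8 lead byte that requires a continuation byte; here it is
# followed by an ASCII quote instead, so the sequence is invalid UTF-8.
INVALID_INPUT = b"abc\xc3'def"


def demo() -> dict:
    """Run both quoters over the samples and summarise what each did."""
    results = {"valid": hardened_quote_literal(VALID_INPUT)}
    try:
        hardened_quote_literal(INVALID_INPUT)
        results["invalid"] = "accepted"
    except ValueError:
        results["invalid"] = "rejected"
    # The naive quoter's output still contains the invalid sequence.
    results["naive_output_invalid"] = not is_valid_in_encoding(
        naive_quote_literal(INVALID_INPUT)
    )
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check is only meaningful if the encoding passed to `hardened_quote_literal` is the one the server and any intermediate tooling actually use, which is the agreement the changelog says the fix depends on. Where the application can use parameterized queries instead of building SQL text, no quoting step is needed at all.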