The package postgresql-9.5 was updated on apt.postgresql.org.
apt-listchanges: Changelogs
---------------------------
postgresql-9.5 (9.5.24-1.pgdg+1) sid-pgdg; urgency=medium
* Rebuild for sid-pgdg.
* Changes applied by generate-pgdg-source:
+ Moving lib packages to component 9.5.
+ Enabling cassert.
-- PostgreSQL on Debian and Ubuntu <pgsql-pkg-debian@lists.postgresql.org> Wed, 23 Sep 2020 20:43:41 +0200
postgresql-9.5 (9.5.24-1) unstable; urgency=medium
* New upstream version.
+ Fixes timetz regression test failures. (Closes: #974063)
+ Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers
within index expressions and materialized view queries (Noah Misch)
This is essentially a leak in the security restricted operation sandbox
mechanism. An attacker having permission to create non-temporary SQL
objects could parlay this leak to execute arbitrary SQL code as a
superuser.
The PostgreSQL Project thanks Etienne Stalmans for reporting this
problem. (CVE-2020-25695)
+ Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb (Tom Lane)
The -d parameter of pg_dump and pg_restore, or the --maintenance-db
parameter of the other programs mentioned, can be a connection string
containing multiple connection parameters rather than just a database
name. In cases where these programs need to initiate additional
connections, such as parallel processing or processing of multiple
databases, the connection string was forgotten and just the basic
connection parameters (database name, host, port, and username) were
used for the additional connections. This could lead to connection
failures if the connection string included any other essential
information, such as non-default SSL or GSS parameters. Worse, the
connection might succeed but not be encrypted as intended, or be
vulnerable to man-in-the-middle attacks that the intended connection
parameters would have prevented. (CVE-2020-25694)
+ When psql's
