diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-14 19:16:23 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-14 19:16:23 +0000 |
| commit | 81ba4fd0003de32bf4f01aa10604128479ef418e (patch) | |
| tree | 8a8f4880cd14ad5ae8ef16673250e0b2eaadd3e9 | |
| parent | Merging upstream version 16.3. (diff) | |
| download | postgresql-16-debian.tar.xz postgresql-16-debian.zip | |
Adding debian version 16.3-1.debian/16.3-1debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
| -rw-r--r-- | debian/changelog | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 2dbca46..8f83a3c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,40 @@ +postgresql-16 (16.3-1) unstable; urgency=medium + + * New upstream version. + + + Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to + the table owner (Nathan Bossart) + + These views failed to hide statistics for expressions that involve + columns the accessing user does not have permission to read. View + columns such as most_common_vals might expose security-relevant data. + The potential interactions here are not fully clear, so in the interest + of erring on the side of safety, make rows in these views visible only + to the owner of the associated table. + + The PostgreSQL Project thanks Lukas Fittl for reporting this problem. + (CVE-2024-4317) + + By itself, this fix will only fix the behavior in newly initdb'd + database clusters. If you wish to apply this change in an existing + cluster, you will need to do the following: + + In each database of the cluster, run the fix-CVE-2024-4317.sql script + as superuser. In psql this would look like + \i /usr/share/postgresql/16/fix-CVE-2024-4317.sql + Any error probably indicates that you've used the wrong script + version. It will not hurt to run the script more than once. + + Do not forget to include the template0 and template1 databases, or the + vulnerability will still exist in databases you create later. To fix + template0, you'll need to temporarily make it accept connections. Do + that with + ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true; + and then after fixing template0, undo it with + ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false; + + -- Christoph Berg <myon@debian.org> Tue, 07 May 2024 11:24:26 +0200 + postgresql-16 (16.2-2) unstable; urgency=medium * Add Build-Profile pkg.postgresql.nollvm to disable JIT. |