author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-05-21 05:05:26 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-05-21 05:05:26 +0000
commit: be09f4f1d6d620939e60841cd518bcedc3d1ba6d
tree: 56d00c31edfaea1bf64e77fe9787156ad350fa4e /debian
parent: Merging upstream version 15.7.
Merging debian version 15.7-0+deb12u1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian')
-rw-r--r-- debian/changelog 37
1 files changed, 37 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 0ca1ae3..92895d5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,40 @@
+postgresql-15 (15.7-0+deb12u1) bookworm; urgency=medium
+
+ * New upstream version.
+
+ + Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to
+ the table owner (Nathan Bossart)
+
+ These views failed to hide statistics for expressions that involve
+ columns the accessing user does not have permission to read. View
+ columns such as most_common_vals might expose security-relevant data.
+ The potential interactions here are not fully clear, so in the interest
+ of erring on the side of safety, make rows in these views visible only
+ to the owner of the associated table.
+
+ The PostgreSQL Project thanks Lukas Fittl for reporting this problem.
+ (CVE-2024-4317)
+
+ By itself, this fix will only fix the behavior in newly initdb'd
+ database clusters. If you wish to apply this change in an existing
+ cluster, you will need to do the following:
+
+ In each database of the cluster, run the fix-CVE-2024-4317.sql script
+ as superuser. In psql this would look like
+ \i /usr/share/postgresql/15/fix-CVE-2024-4317.sql
+ Any error probably indicates that you've used the wrong script
+ version. It will not hurt to run the script more than once.
+
+ Do not forget to include the template0 and template1 databases, or the
+ vulnerability will still exist in databases you create later. To fix
+ template0, you'll need to temporarily make it accept connections. Do
+ that with
+ ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
+ and then after fixing template0, undo it with
+ ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
+
+ -- Christoph Berg <myon@debian.org> Tue, 07 May 2024 11:24:26 +0200
+
postgresql-15 (15.6-0+deb12u1~progress6.99u1) fuchur-backports; urgency=medium
* Uploading to fuchur-backports, remaining changes:
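Review bot: the new changelog entry documents a manual post-upgrade step (run fix-CVE-2024-4317.sql as superuser in every database, including template0 and template1, with the ALLOW_CONNECTIONS toggle for template0), yet the diffstat shows only debian/changelog changed under debian/, so nothing in this merge surfaces that step to administrators at upgrade time. Consider adding a matching debian/NEWS entry so apt-listchanges presents the procedure during the upgrade, and spelling out in the changelog that clusters upgraded in place from 15.6 remain affected until the script has been run in each database. It is also worth confirming that the path quoted in the `\i /usr/share/postgresql/15/fix-CVE-2024-4317.sql` line matches where the package actually installs the script, since this changelog text is the only place users will see it.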