| field | value | date |
|---|---|---|
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-14 19:16:25 +0000 |
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-14 19:16:25 +0000 |
| commit | 040e5d5e9b934434df1d4d9e8209b32a045f1196 (patch) | |
| tree | 6e8ff18a74f9ffad0992b91d8d4e969ebd3f4620 /debian | |
| parent | Merging upstream version 16.3. (diff) | |
Merging debian version 16.3-1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian')
-rw-r--r-- | debian/changelog | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 4b86c4a..112da12 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,40 @@ +postgresql-16 (16.3-1) unstable; urgency=medium + + * New upstream version. + + + Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to + the table owner (Nathan Bossart) + + These views failed to hide statistics for expressions that involve + columns the accessing user does not have permission to read. View + columns such as most_common_vals might expose security-relevant data. + The potential interactions here are not fully clear, so in the interest + of erring on the side of safety, make rows in these views visible only + to the owner of the associated table. + + The PostgreSQL Project thanks Lukas Fittl for reporting this problem. + (CVE-2024-4317) + + By itself, this fix will only fix the behavior in newly initdb'd + database clusters. If you wish to apply this change in an existing + cluster, you will need to do the following: + + In each database of the cluster, run the fix-CVE-2024-4317.sql script + as superuser. In psql this would look like + \i /usr/share/postgresql/16/fix-CVE-2024-4317.sql + Any error probably indicates that you've used the wrong script + version. It will not hurt to run the script more than once. + + Do not forget to include the template0 and template1 databases, or the + vulnerability will still exist in databases you create later. To fix + template0, you'll need to temporarily make it accept connections. Do + that with + ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true; + and then after fixing template0, undo it with + ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false; + + -- Christoph Berg <myon@debian.org> Tue, 07 May 2024 11:24:26 +0200 + postgresql-16 (16.2-2~progress7.99u1) graograman-backports; urgency=medium * Uploading to graograman-backports, remaining changes: |
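Review bot: The CVE-2024-4317 remediation for existing clusters described in this changelog entry (from "By itself, this fix will only fix the behavior in newly initdb'd database clusters" through the template0 ALLOW_CONNECTIONS toggle) is a manual operator procedure that this upload does not perform, and the Diffstat shows only debian/changelog touched under debian/, so an administrator who never reads the changelog keeps the old view definitions after upgrading. Consider also carrying these steps in a debian/NEWS entry so apt-listchanges surfaces them at upgrade time, and stating up front that the script must be run in every database including template0 and template1, since the entry itself notes that skipping a template database leaves later-created databases affected. Minor: the hunk header "@@ -1,3 +1,40 @@" is consistent with the 37 insertions reported in the Diffstat.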