diff options
Diffstat (limited to '')
-rw-r--r-- | debian/changelog | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 2dbca46..8f83a3c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,40 @@ +postgresql-16 (16.3-1) unstable; urgency=medium + + * New upstream version. + + + Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to + the table owner (Nathan Bossart) + + These views failed to hide statistics for expressions that involve + columns the accessing user does not have permission to read. View + columns such as most_common_vals might expose security-relevant data. + The potential interactions here are not fully clear, so in the interest + of erring on the side of safety, make rows in these views visible only + to the owner of the associated table. + + The PostgreSQL Project thanks Lukas Fittl for reporting this problem. + (CVE-2024-4317) + + By itself, this fix will only fix the behavior in newly initdb'd + database clusters. If you wish to apply this change in an existing + cluster, you will need to do the following: + + In each database of the cluster, run the fix-CVE-2024-4317.sql script + as superuser. In psql this would look like + \i /usr/share/postgresql/16/fix-CVE-2024-4317.sql + Any error probably indicates that you've used the wrong script + version. It will not hurt to run the script more than once. + + Do not forget to include the template0 and template1 databases, or the + vulnerability will still exist in databases you create later. To fix + template0, you'll need to temporarily make it accept connections. Do + that with + ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true; + and then after fixing template0, undo it with + ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false; + + -- Christoph Berg <myon@debian.org> Tue, 07 May 2024 11:24:26 +0200 + postgresql-16 (16.2-2) unstable; urgency=medium * Add Build-Profile pkg.postgresql.nollvm to disable JIT. |