summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/changelog37
1 files changed, 37 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 2dbca46..8f83a3c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,40 @@
+postgresql-16 (16.3-1) unstable; urgency=medium
+
+ * New upstream version.
+
+ + Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to
+ the table owner (Nathan Bossart)
+
+ These views failed to hide statistics for expressions that involve
+ columns the accessing user does not have permission to read. View
+ columns such as most_common_vals might expose security-relevant data.
+ The potential interactions here are not fully clear, so in the interest
+ of erring on the side of safety, make rows in these views visible only
+ to the owner of the associated table.
+
+ The PostgreSQL Project thanks Lukas Fittl for reporting this problem.
+ (CVE-2024-4317)
+
+ By itself, this fix will only fix the behavior in newly initdb'd
+ database clusters. If you wish to apply this change in an existing
+ cluster, you will need to do the following:
+
+ In each database of the cluster, run the fix-CVE-2024-4317.sql script
+ as superuser. In psql this would look like
+ \i /usr/share/postgresql/16/fix-CVE-2024-4317.sql
+ Any error probably indicates that you've used the wrong script
+ version. It will not hurt to run the script more than once.
+
+ Do not forget to include the template0 and template1 databases, or the
+ vulnerability will still exist in databases you create later. To fix
+ template0, you'll need to temporarily make it accept connections. Do
+ that with
+ ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
+ and then after fixing template0, undo it with
+ ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
+
+ -- Christoph Berg <myon@debian.org> Tue, 07 May 2024 11:24:26 +0200
+
postgresql-16 (16.2-2) unstable; urgency=medium
* Add Build-Profile pkg.postgresql.nollvm to disable JIT.