From 040e5d5e9b934434df1d4d9e8209b32a045f1196 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Tue, 14 May 2024 21:16:25 +0200 Subject: Merging debian version 16.3-1. Signed-off-by: Daniel Baumann --- debian/changelog | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 4b86c4a..112da12 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,40 @@ +postgresql-16 (16.3-1) unstable; urgency=medium + + * New upstream version. + + + Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to + the table owner (Nathan Bossart) + + These views failed to hide statistics for expressions that involve + columns the accessing user does not have permission to read. View + columns such as most_common_vals might expose security-relevant data. + The potential interactions here are not fully clear, so in the interest + of erring on the side of safety, make rows in these views visible only + to the owner of the associated table. + + The PostgreSQL Project thanks Lukas Fittl for reporting this problem. + (CVE-2024-4317) + + By itself, this fix will only fix the behavior in newly initdb'd + database clusters. If you wish to apply this change in an existing + cluster, you will need to do the following: + + In each database of the cluster, run the fix-CVE-2024-4317.sql script + as superuser. In psql this would look like + \i /usr/share/postgresql/16/fix-CVE-2024-4317.sql + Any error probably indicates that you've used the wrong script + version. It will not hurt to run the script more than once. + + Do not forget to include the template0 and template1 databases, or the + vulnerability will still exist in databases you create later. To fix + template0, you'll need to temporarily make it accept connections. Do + that with + ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true; + and then after fixing template0, undo it with + ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false; + + -- Christoph Berg Tue, 07 May 2024 11:24:26 +0200 + postgresql-16 (16.2-2~progress7.99u1) graograman-backports; urgency=medium * Uploading to graograman-backports, remaining changes: -- cgit v1.2.3