Format: 1.8
Date: Wed, 11 May 2022 15:03:33 +0200
Source: postgresql-13
Architecture: source
Version: 13.7-0+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 postgresql-13 (13.7-0+deb11u1) bullseye-security; urgency=medium
 .
   * New upstream release.
 .
   * Confine additional operations within security restricted operation
     sandboxes (Sergey Shinderuk, Noah Misch)
 .
     Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW,
     and pg_amcheck activated the security restricted operation protection
     mechanism too late, or even not at all in some code paths. A user
     having permission to create non-temporary objects within a database
     could define an object that would execute arbitrary SQL code with
     superuser permissions the next time that autovacuum processed the
     object, or that some superuser ran one of the affected commands
     against it.
 .
     The PostgreSQL Project thanks Alexander Lakhin for reporting this
     problem. (CVE-2022-1552)
 .
   * Fix default signature length for gist_ltree_ops indexes (Tomas Vondra,
     Alexander Korotkov)
 .
     The default signature length (hash size) for GiST indexes on ltree
     columns was accidentally changed while upgrading that operator class
     to support operator class parameters. If any operations had been done
     on such an index without first upgrading the ltree extension to
     version 1.2, they were done assuming that the signature length was 28
     bytes rather than the intended 8. This means it is very likely that
     such indexes are now corrupt. For safety we recommend re-indexing all
     GiST indexes on ltree columns after installing this update. (Note that
     GiST indexes on ltree[] columns, that is arrays of ltree, are not
     affected.)