Format: 1.8
Date: Thu, 11 Aug 2022 14:00:26 +0200
Source: postgresql-13
Architecture: source
Version: 13.8-0+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 postgresql-13 (13.8-0+deb11u1) bullseye; urgency=medium
 .
   * New upstream version.
 .
     + Do not let extension scripts replace objects not already belonging to
       the extension (Tom Lane) (CVE-2022-2625)
 .
       This change prevents extension scripts from doing CREATE OR REPLACE if
       there is an existing object that does not belong to the extension. It
       also prevents CREATE IF NOT EXISTS in the same situation. This
       prevents a form of trojan-horse attack in which a hostile database
       user could become the owner of an extension object and then modify it
       to compromise future uses of the object by other users. As a side
       benefit, it also reduces the risk of accidentally replacing objects
       one did not mean to.
 .
       The PostgreSQL Project thanks Sven Klemm for reporting this problem.