-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 08 Aug 2023 10:10:20 +0200
Source: postgresql-15
Architecture: source
Version: 15.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 postgresql-15 (15.4-1) unstable; urgency=medium
 .
   * New upstream version.
 .
     + Disallow substituting a schema or owner name into an extension script
       if the name contains a quote, backslash, or dollar sign (Noah Misch)
 .
       This restriction guards against SQL-injection hazards for trusted
       extensions.
 .
       The PostgreSQL Project thanks Micah Gate, Valerie Woolard, Tim
       Carey-Smith, and Christoph Berg for reporting this problem.
       (CVE-2023-39417)
 .
     + Fix MERGE to enforce row security policies properly (Dean Rasheed)
 .
       When MERGE performs an UPDATE action, it should enforce any UPDATE or
       SELECT RLS policies defined on the target table, to be consistent with
       the way that a plain UPDATE with a WHERE clause works. Instead it was
       enforcing INSERT RLS policies for both INSERT and UPDATE actions.
 .
       In addition, when MERGE performs a DO NOTHING action, it applied the
       target table's DELETE RLS policies to existing rows, even though those
       rows are not being deleted. While it's not a security problem, this
       could result in unwanted errors.
 .
       The PostgreSQL Project thanks Dean Rasheed for reporting this problem.
       (CVE-2023-39418)
 .
   * Test-Depend on tzdata-legacy | tzdata (<< 2023c-8).