-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 07 May 2024 11:24:26 +0200
Source: postgresql-16
Architecture: source
Version: 16.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 postgresql-16 (16.3-1) unstable; urgency=medium
 .
   * New upstream version.
 .
     + Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to
       the table owner (Nathan Bossart)
 .
       These views failed to hide statistics for expressions that involve
       columns the accessing user does not have permission to read. View
       columns such as most_common_vals might expose security-relevant data.
       The potential interactions here are not fully clear, so in the
       interest of erring on the side of safety, make rows in these views
       visible only to the owner of the associated table.
 .
       The PostgreSQL Project thanks Lukas Fittl for reporting this problem.
       (CVE-2024-4317)
 .
       By itself, this fix will only fix the behavior in newly initdb'd
       database clusters. If you wish to apply this change in an existing
       cluster, you will need to do the following:
 .
       In each database of the cluster, run the fix-CVE-2024-4317.sql script
       as superuser. In psql this would look like
 .
         \i /usr/share/postgresql/16/fix-CVE-2024-4317.sql
 .
       Any error probably indicates that you've used the wrong script
       version. It will not hurt to run the script more than once.
 .
       Do not forget to include the template0 and template1 databases, or
       the vulnerability will still exist in databases you create later. To
       fix template0, you'll need to temporarily make it accept connections.
       Do that with
 .
         ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
 .
       and then after fixing template0, undo it with
 .
         ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
Checksums-Sha1:
 de3905e5e9f1c180158ac8cd4b66fedcdeb026d7 4237 postgresql-16_16.3-1.dsc
 35ffeb5cc46dc773dfcd1f270d65a29777994b3a 24737644 postgresql-16_16.3.orig.tar.bz2
 b4459d0393955465a6b9b2bf699cbd758acf2f5b 31856 postgresql-16_16.3-1.debian.tar.xz
Checksums-Sha256:
 e0e58b8ff4305155b99f510f95ed48bc163d7b686572e432e1074ae865e6ec21 4237 postgresql-16_16.3-1.dsc
 331963d5d3dc4caf4216a049fa40b66d6bcb8c730615859411b9518764e60585 24737644 postgresql-16_16.3.orig.tar.bz2
 fda53b9c8d539d0437b8ccd99b0b379bc5a068d87104b94150c0b9e538ee405f 31856 postgresql-16_16.3-1.debian.tar.xz
Files:
 6dbc019a26008944f733cc9ef17b2d7e 4237 database optional postgresql-16_16.3-1.dsc
 68448849f923db194a07b9da9cc70a7d 24737644 database optional postgresql-16_16.3.orig.tar.bz2
 4b03c096abb68ca98644aef4367e092e 31856 database optional postgresql-16_16.3-1.debian.tar.xz
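The per-database procedure above (enable connections to template0, run fix-CVE-2024-4317.sql in every database including template0 and template1, then disable template0 connections again) as an added cluster-wide script; it is not part of the Debian upload or the PostgreSQL project. It assumes psql connects as a superuser using the usual PG* environment variables, that a maintenance database named `postgres` exists (override with MAINT_DB), and that database names contain no whitespace.

```shell
#!/bin/sh
# Apply the CVE-2024-4317 fix script to every database of a PostgreSQL 16
# cluster, template0 and template1 included.  FIX_SQL is the path named in
# the changelog; MAINT_DB (assumed: "postgres") is only used for catalog
# queries and the ALTER DATABASE statements.
set -eu

FIX_SQL="${FIX_SQL:-/usr/share/postgresql/16/fix-CVE-2024-4317.sql}"
MAINT_DB="${MAINT_DB:-postgres}"

# Toggle whether template0 accepts connections ($1 is "true" or "false").
set_template0_connections() {
    psql -X -q -v ON_ERROR_STOP=1 -d "$MAINT_DB" \
        -c "ALTER DATABASE template0 WITH ALLOW_CONNECTIONS $1"
}

# Every database that currently accepts connections, one name per line.
# Called after template0 has been enabled, so template0 is included.
list_connectable_databases() {
    psql -X -A -t -q -v ON_ERROR_STOP=1 -d "$MAINT_DB" \
        -c "SELECT datname FROM pg_database WHERE datallowconn ORDER BY datname"
}

# Run the idempotent fix script in one database.  ON_ERROR_STOP makes a
# wrong script version (the likely cause of any error) abort the run.
fix_database() {
    psql -X -q -v ON_ERROR_STOP=1 -d "$1" -f "$FIX_SQL"
}

# Enable template0, fix each connectable database, then restore template0.
# The EXIT trap restores template0 even when a fix step fails midway.
apply_fix_cluster_wide() {
    set_template0_connections true
    trap 'set_template0_connections false' EXIT
    for db in $(list_connectable_databases); do
        echo "applying fix-CVE-2024-4317.sql in $db" >&2
        fix_database "$db"
    done
    set_template0_connections false
    trap - EXIT
    echo "done: template0 connections disabled again" >&2
}

# Only act when invoked explicitly, so the file is safe to source.
if [ "${1:-}" = "--apply" ]; then
    apply_fix_cluster_wide
fi
```

Invoke as `sh fix-cluster.sh --apply` from the cluster's superuser account; databases that deliberately disallow connections other than template0 are skipped and must be handled by hand.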