-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 07 May 2024 11:24:26 +0200
Source: postgresql-15
Architecture: source
Version: 15.7-0+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
postgresql-15 (15.7-0+deb12u1) bookworm; urgency=medium
.
* New upstream version.
.
+ Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to
the table owner (Nathan Bossart)
.
These views failed to hide statistics for expressions that involve
columns the accessing user does not have permission to read. View
columns such as most_common_vals might expose security-relevant data.
The potential interactions here are not fully clear, so in the interest
of erring on the side of safety, make rows in these views visible only
to the owner of the associated table.
.
The PostgreSQL Project thanks Lukas Fittl for reporting this problem.
(CVE-2024-4317)
.
By itself, this fix will only fix the behavior in newly initdb'd
database clusters. If you wish to apply this change in an existing
cluster, you will need to do the following:
.
In each database of the cluster, run the fix-CVE-2024-4317.sql script
as superuser. In psql this would look like
\i /usr/share/postgresql/15/fix-CVE-2024-4317.sql
Any error probably indicates that you've used the wrong script
version. It will not hurt to run the script more than once.
.
Do not forget to include the template0 and template1 databases, or the
vulnerability will still exist in databases you create later. To fix
template0, you'll need to temporarily make it accept connections. Do
that with
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
and then after fixing template0, undo it with
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
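The per-database procedure above, as an added shell script that is not part of the Debian package or of upstream PostgreSQL: it lists every database in the cluster, temporarily opens any that refuses connections (the changelog's template0 step, generalised to any database with datallowconn = false), runs the fix script with ON_ERROR_STOP so that an error from a wrong script version aborts, and closes the database again. It assumes psql on PATH connecting as a superuser (e.g. run as the postgres OS user) and the script path installed by postgresql-15; the --apply flag and the FIX_SQL/MAINT_DB variables are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the Debian package or upstream PostgreSQL).
# Assumes psql on PATH, connecting as a superuser.
set -eu

FIX_SQL="${FIX_SQL:-/usr/share/postgresql/15/fix-CVE-2024-4317.sql}"
MAINT_DB="${MAINT_DB:-postgres}"   # database the ALTER DATABASE statements run in

# SQL to run before/after fixing database $1 whose datallowconn flag is $2
# ('t' or 'f').  Generalises the changelog's template0 step: any database
# that refuses connections is opened temporarily and closed again afterwards.
pre_sql() {
    if [ "$2" = "f" ]; then
        printf 'ALTER DATABASE "%s" WITH ALLOW_CONNECTIONS true;\n' "$1"
    fi
}
post_sql() {
    if [ "$2" = "f" ]; then
        printf 'ALTER DATABASE "%s" WITH ALLOW_CONNECTIONS false;\n' "$1"
    fi
}

# Fix one database.  ON_ERROR_STOP makes psql exit non-zero on any SQL error
# (the changelog says an error indicates the wrong script version).  The
# database is closed again even if the script failed.
fix_database() {
    db="$1"; allowconn="$2"; rc=0
    pre_sql "$db" "$allowconn" | psql -X -q -v ON_ERROR_STOP=1 -d "$MAINT_DB"
    psql -X -q -v ON_ERROR_STOP=1 -d "$db" -f "$FIX_SQL" || rc=$?
    post_sql "$db" "$allowconn" | psql -X -q -v ON_ERROR_STOP=1 -d "$MAINT_DB"
    return "$rc"
}

# Walk every database in the cluster, template0 and template1 included.
# Output rows look like "template0|f"; a failing fix aborts the loop.
apply_fix_to_cluster() {
    dbs=$(psql -X -At -v ON_ERROR_STOP=1 -d "$MAINT_DB" \
          -c "SELECT datname, datallowconn FROM pg_database ORDER BY datname")
    printf '%s\n' "$dbs" | while IFS='|' read -r db allowconn; do
        [ -n "$db" ] || continue
        echo "fixing $db"
        fix_database "$db" "$allowconn"
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_fix_to_cluster
fi
```

Invoke it with `--apply` to run against the cluster; without the flag it only defines the functions.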
Checksums-Sha1:
738f7799a5517dad48a8f33f2c0a13079d906c65 3919 postgresql-15_15.7-0+deb12u1.dsc
19ba3004c650c32bb803d5b3f56c0446585c8fb3 23112318 postgresql-15_15.7.orig.tar.bz2
80cae382f818dc88765d4c0fcb943c62faf78198 25824 postgresql-15_15.7-0+deb12u1.debian.tar.xz
Checksums-Sha256:
57f0e1a9dd1bcaced27b76163cdf3477258145a68dc81f7ed87db8263a3ca4ac 3919 postgresql-15_15.7-0+deb12u1.dsc
a46fe49485ab6385e39dabbbb654f5d3049206f76cd695e224268729520998f7 23112318 postgresql-15_15.7.orig.tar.bz2
2ffc0fd608d71ab8b2bd0cd00c6f870e3f73a31b64659e5b5555ac0c0e1cb697 25824 postgresql-15_15.7-0+deb12u1.debian.tar.xz
Files:
aa0e842941f2ed2c5e4abf610729dd7a 3919 database optional postgresql-15_15.7-0+deb12u1.dsc
d0a59b6d7a64075deca08dbf44f58d35 23112318 database optional postgresql-15_15.7.orig.tar.bz2
c6b0fc037eba0ca6564696d8f6ef8b28 25824 database optional postgresql-15_15.7-0+deb12u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----