-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Tue, 07 May 2024 11:24:26 +0200 Source: postgresql-15 Architecture: source Version: 15.7-0+deb12u1 Distribution: bookworm Urgency: medium Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org> Changed-By: Christoph Berg <myon@debian.org> Changes: postgresql-15 (15.7-0+deb12u1) bookworm; urgency=medium . * New upstream version. . + Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner (Nathan Bossart) . These views failed to hide statistics for expressions that involve columns the accessing user does not have permission to read. View columns such as most_common_vals might expose security-relevant data. The potential interactions here are not fully clear, so in the interest of erring on the side of safety, make rows in these views visible only to the owner of the associated table. . The PostgreSQL Project thanks Lukas Fittl for reporting this problem. (CVE-2024-4317) . By itself, this fix will only fix the behavior in newly initdb'd database clusters. If you wish to apply this change in an existing cluster, you will need to do the following: . In each database of the cluster, run the fix-CVE-2024-4317.sql script as superuser. In psql this would look like \i /usr/share/postgresql/15/fix-CVE-2024-4317.sql Any error probably indicates that you've used the wrong script version. It will not hurt to run the script more than once. . Do not forget to include the template0 and template1 databases, or the vulnerability will still exist in databases you create later. To fix template0, you'll need to temporarily make it accept connections. Do that with ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true; and then after fixing template0, undo it with ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false; Checksums-Sha1: 738f7799a5517dad48a8f33f2c0a13079d906c65 3919 postgresql-15_15.7-0+deb12u1.dsc 19ba3004c650c32bb803d5b3f56c0446585c8fb3 23112318 postgresql-15_15.7.orig.tar.bz2 80cae382f818dc88765d4c0fcb943c62faf78198 25824 postgresql-15_15.7-0+deb12u1.debian.tar.xz Checksums-Sha256: 57f0e1a9dd1bcaced27b76163cdf3477258145a68dc81f7ed87db8263a3ca4ac 3919 postgresql-15_15.7-0+deb12u1.dsc a46fe49485ab6385e39dabbbb654f5d3049206f76cd695e224268729520998f7 23112318 postgresql-15_15.7.orig.tar.bz2 2ffc0fd608d71ab8b2bd0cd00c6f870e3f73a31b64659e5b5555ac0c0e1cb697 25824 postgresql-15_15.7-0+deb12u1.debian.tar.xz Files: aa0e842941f2ed2c5e4abf610729dd7a 3919 database optional postgresql-15_15.7-0+deb12u1.dsc d0a59b6d7a64075deca08dbf44f58d35 23112318 database optional postgresql-15_15.7.orig.tar.bz2 c6b0fc037eba0ca6564696d8f6ef8b28 25824 database optional postgresql-15_15.7-0+deb12u1.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAmY9IJ0ACgkQTFprqxLS p67b+w/+P2pW0cNJp0af7xie1hxDS43sJjX91KYJMUBJmSkqEszSvhFhmxzYPu5s U20IJsG4m4ZdgBWbKGafdO7ni0WajelwLECdnpEgD/syI8euNhCBnrSxGxom2OCk OWOr0KOerwUJ0vK81u7E5Mq0dqd8uVxwnESRNKhC1V9C6QnbJ4cuycBCARHWFH8f EuTLucecs7OzCwpo25tx+PooP9fFwLHG9GgxFAZfEbrsD6+JN5XjrK6po1VHu4fU y+kVWVW9K7AweCXH0MDh3HSAK+iISouz04Mn2Z2Fp0Lj1fSyMhvIp4tprxWAZaN4 4ui9U9bq7aW4cYmCpSRr9y0na0mFSKijUgcxTwdElOiAwqvFnD8wmCfWlTnY+W5d gRb3B73q1Y+DmXuN6J0DZsyQf0/NOTLkz1TqAWXhAEVg5FrZiQ74z+RyVkGNPB4l 9KKVxJX5V4hKRP7bfhkvvTui7rBzPxaRVDVfaJdhpbzst5fwK2yPTWeZleiTM4Gs I5Ho6tKcl9+ys/BqleOOjZofev3+WIZMkSTBIjZW8GD3g6u02MRwpCaCcpNb4u5G BJxB81bIT6ERxl6mFQymB2b/fm2EFNpcTjh1rrf0wz3ajwV1pWkr6EPzR6cVJiX1 5JiCpoXKBEXWI5YMhSJ9ZU16/dGllR2R2e9FYGeSSrA+3t5ckKA= =zeS5 -----END PGP SIGNATURE-----