-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 07 Aug 2024 16:09:15 +0200
Source: postgresql-13
Architecture: source
Version: 13.16-0+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 postgresql-13 (13.16-0+deb11u1) bullseye-security; urgency=medium
 .
   * New upstream version.
 .
     + Prevent unauthorized code execution during pg_dump (Masahiko Sawada)
 .
       An attacker able to create and drop non-temporary objects could inject
       SQL code that would be executed by a concurrent pg_dump session with the
       privileges of the role running pg_dump (which is often a superuser). The
       attack involves replacing a sequence or similar object with a view or
       foreign table that will execute malicious code. To prevent this,
       introduce a new server parameter restrict_nonsystem_relation_kind that
       can disable expansion of non-builtin views as well as access to foreign
       tables, and teach pg_dump to set it when available. Note that the attack
       is prevented only if both pg_dump and the server it is dumping from are
       new enough to have this fix.
 .
       The PostgreSQL Project thanks Noah Misch for reporting this problem.
       (CVE-2024-7348)
Checksums-Sha1:
 32d573b94e33fbffbe8e1820d1ce38fd1eaf40e9 3703 postgresql-13_13.16-0+deb11u1.dsc
 a2465d5086abb2b2ff9115541cae404f869dfa0f 21639411 postgresql-13_13.16.orig.tar.bz2
 e8bdc30531b4382becf4d20965fa7e5d4255751b 35060 postgresql-13_13.16-0+deb11u1.debian.tar.xz
Checksums-Sha256:
 c1c95c213760880a6b86a38b95c27cc0559fc9db98955579eb95b7176ac9dc2e 3703 postgresql-13_13.16-0+deb11u1.dsc
 c9cbbb6129f02328204828066bb3785c00a85c8ca8fd329c2a8a53c1f5cd8865 21639411 postgresql-13_13.16.orig.tar.bz2
 8c68c86c19f783c4ea8ade14c56998c5843d4fbde004e4253604652a0d55efdf 35060 postgresql-13_13.16-0+deb11u1.debian.tar.xz
Files:
 74bf5b7191a6e2604dff8989deadd2ae 3703 database optional postgresql-13_13.16-0+deb11u1.dsc
 111a4b3e1a91aeb72097a9bfa4b3b7dc 21639411 database optional postgresql-13_13.16.orig.tar.bz2
 d4b09448f03432189260e18a50326f79 35060 database optional postgresql-13_13.16-0+deb11u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAma00o4ACgkQTFprqxLS
p66ryQ//RAvWUTrHxFhKSdr04GWEpqbs21HA+iPU1pmMnAVQaXsK4UB8NFb7JToc
3ov3s64OcT4YALRCze5v++PznZBssJTsxfOyLQPKK5OQF7LdZtQdLbvl6tGMLyob
acRt+gghNPrNU0n1N+2P/xb6ReqwyCXNlu/q4uFghczE5xUsRAy98zRtZx/lO4wV
u+MPuyyeVb6RlQtjZy+evhHef6I7l91c9pyueVR/bRkeNqsXVmQSYMk+asa/+B4y
cl/n3vtZq+VShr2Dpn6u2XCq3uVsdj5HhRq8562w/LgvnUZMq7gjhi7cpUIhH7Ra
hT7TK36xK8fm2sHAqsF7A5Pu3YZjbFsjQoiN98KZCnPVuLc8MCGE3IKkPWkIglQ0
xajRtU0N4u2bXVLiv8PvysYL1dDKm2yZcOBRxuwBEkSH7zWpqJxC9ez2LxpvU2Fu
ZEYn9EvJ5QaskF+HsYjSlhxUsjDuuSG1G04lPRiPbNDg7ATVwORXAvUGkJgSngKS
lO404kKDFF7Z2PI3HonMY/RXr/Q7N7QAbf1okO7WIvEOmxqd0LPG640C01t8cB0/
se4fs0wymVSFqrk9O+1JQjlu0+xKCfVLGEYofUSO5fEJ26P1K0IqD7oDhMjn01KR
MgE1NJptitvHBXi/qqskXruhcuuYbG7jAc7xIY7z+I9/50ih/Ws=
=A1Fm
-----END PGP SIGNATURE-----
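The changelog above says the attack is only stopped when both the server and the pg_dump binary carry the fix, and that the fix is the server parameter restrict_nonsystem_relation_kind which pg_dump sets for its own session. The following psql session is an added example (not part of the Debian changes file and not PostgreSQL's own code) showing how to confirm the server side has the parameter, what the parameter actually does to a non-system view, and how to set it only on servers that support it. The names demo_t and demo_v are hypothetical objects created here for the demonstration.

```sql
-- Added example: verifying and exercising restrict_nonsystem_relation_kind.
-- demo_t / demo_v are hypothetical objects created for this demonstration.

-- 1. Server side check. A server with the fix lists the parameter; an empty
--    result means the server is unpatched and pg_dump cannot protect itself
--    however new the pg_dump binary is (the changelog's "both sides" caveat).
SELECT name, setting, context
FROM   pg_catalog.pg_settings
WHERE  name = 'restrict_nonsystem_relation_kind';

-- 2. What the parameter does, reproduced by hand in an ordinary session.
--    pg_dump sets it on its own connection; here we set it ourselves and
--    then touch a user (non-system) view.
CREATE TABLE demo_t (id int);
INSERT INTO demo_t VALUES (1);
CREATE VIEW demo_v AS SELECT id FROM demo_t;

SET restrict_nonsystem_relation_kind = 'view, foreign-table';

SELECT * FROM demo_v;   -- rejected: non-system views are not expanded now,
                        -- so a view swapped in for a sequence cannot run
                        -- code under the dumping role
SELECT * FROM demo_t;   -- a plain table is still readable
SELECT relname          -- system catalogs are unaffected, which is why
FROM   pg_catalog.pg_class
WHERE  relname = 'demo_v';   -- pg_dump itself keeps working

RESET restrict_nonsystem_relation_kind;
SELECT * FROM demo_v;   -- readable again

-- 3. Setting the parameter only when the server knows it, in one statement
--    that is harmless on an unpatched server: the subquery returns no rows
--    there, so set_config() is never evaluated and nothing errors. This is
--    the version-agnostic shape of what the changelog says pg_dump now does
--    ("set it when available"); it is not pg_dump's literal code.
SELECT pg_catalog.set_config('restrict_nonsystem_relation_kind',
                             'view, foreign-table', false)
FROM   pg_catalog.pg_settings
WHERE  name = 'restrict_nonsystem_relation_kind';

RESET restrict_nonsystem_relation_kind;
DROP VIEW demo_v;
DROP TABLE demo_t;
```

The client side is checked outside SQL: on bullseye the fixed pg_dump is the one shipped by postgresql-client-13 at 13.16-0+deb11u1 or later (pg_dump --version reports the 13.16 upstream version). If the dumping host runs an older pg_dump against a fixed server, the parameter is never set and the protection described in the changelog does not apply; a newer pg_dump against an older server fails step 1 above for the same reason. The foreign-table half of the setting behaves the same way but needs a foreign data wrapper to demonstrate, so it is not exercised here.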