Accepted postgresql-13 13.8-0+deb11u1 (source) into proposed-updates->stable-new, proposed-updates
Format: 1.8
Date: Thu, 11 Aug 2022 14:00:26 +0200
Source: postgresql-13
Architecture: source
Version: 13.8-0+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
postgresql-13 (13.8-0+deb11u1) bullseye; urgency=medium
.
* New upstream version.
.
+ Do not let extension scripts replace objects not already belonging to
the extension (Tom Lane) (CVE-2022-2625)
.
This change prevents extension scripts from doing CREATE OR REPLACE if
there is an existing object that does not belong to the extension. It
also prevents CREATE IF NOT EXISTS in the same situation. This prevents
a form of trojan-horse attack in which a hostile database user could
become the owner of an extension object and then modify it to compromise
future uses of the object by other users. As a side benefit, it also
reduces the risk of accidentally replacing objects one did not mean to.
.
The PostgreSQL Project thanks Sven Klemm for reporting this problem.
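Added audit query, not part of this upload or of PostgreSQL's own code: for each installed extension it lists functions that sit in the extension's schema but are not extension members and are owned by someone other than the extension owner, i.e. the pre-existing objects an extension script could silently adopt via CREATE OR REPLACE or CREATE IF NOT EXISTS before this fix. It uses only the standard catalogs pg_extension, pg_namespace, pg_proc and pg_depend.

```sql
-- Audit for pre-existing, foreign-owned functions in extension schemas.
-- Extension membership is recorded in pg_depend with deptype = 'e' and
-- refclassid pointing at pg_extension; anything in the extension's
-- schema without such a row is not part of the extension.
SELECT e.extname,
       n.nspname                     AS schema,
       p.proname                     AS function,
       pg_get_userbyid(p.proowner)   AS owner,
       pg_get_userbyid(e.extowner)   AS extension_owner
FROM   pg_extension e
JOIN   pg_namespace n ON n.oid = e.extnamespace
JOIN   pg_proc      p ON p.pronamespace = n.oid
WHERE  p.proowner <> e.extowner               -- owned by someone else
  AND  NOT EXISTS (                           -- and not an extension member
         SELECT 1
         FROM   pg_depend d
         WHERE  d.classid    = 'pg_proc'::regclass
           AND  d.objid      = p.oid
           AND  d.refclassid = 'pg_extension'::regclass
           AND  d.deptype    = 'e')
ORDER BY e.extname, n.nspname, p.proname;
```

Rows are leads, not proof: compare each name against the extension's SQL script, since unrelated user functions in a shared schema such as public will also match.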