-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 13 Aug 2025 13:03:55 +0200
Source: postgresql-17
Architecture: source
Version: 17.6-0+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Closes: 1107984
Changes:
postgresql-17 (17.6-0+deb13u1) trixie; urgency=medium
.
* New upstream version 17.6.
.
+ Tighten security checks in planner estimation functions (Dean Rasheed)
.
The fix for CVE-2017-7484, plus followup fixes, intended to prevent
leaky functions from being applied to statistics data for columns that
the calling user does not have permission to read. Two gaps in that
protection have been found. One gap applies to partitioning and
inheritance hierarchies where RLS policies on the tables should restrict
access to statistics data, but did not.
.
The other gap applies to cases where the query accesses a table via a
view, and the view owner has permissions to read the underlying table
but the calling user does not have permissions on the view. The view
owner's permissions satisfied the security checks, and the leaky
function would get applied to the underlying table's statistics before
we check the calling user's permissions on the view. This has been
fixed by making security checks on views occur at the start of planning.
That might cause permissions failures to occur earlier than before.
.
The PostgreSQL Project thanks Dean Rasheed for reporting this problem.
(CVE-2025-8713)
.
+ Prevent pg_dump scripts from being used to attack the user running the
restore (Nathan Bossart)
.
Since dump/restore operations typically involve running SQL commands as
superuser, the target database installation must trust the source
server. However, it does not follow that the operating system user who
executes psql to perform the restore should have to trust the source
server. The risk here is that an attacker who has gained
superuser-level control over the source server might be able to cause it
to emit text that would be interpreted as psql meta-commands. That would
provide shell-level access to the restoring user's own account,
independently of access to the target database.
.
To provide a positive guarantee that this can't happen, extend psql with
a \restrict command that prevents execution of further meta-commands,
and teach pg_dump to issue that before any data coming from the source
server.
.
The PostgreSQL Project thanks Martin Rakhmanov, Matthieu Denais, and
RyotaK for reporting this problem. (CVE-2025-8714)
.
+ Convert newlines to spaces in names included in comments in pg_dump
output (Noah Misch)
.
Object names containing newlines offered the ability to inject arbitrary
SQL commands into the output script. (Without the preceding fix,
injection of psql meta-commands would also be possible this way.)
CVE-2012-0868 fixed this class of problem at the time, but later work
reintroduced several cases.
.
The PostgreSQL Project thanks Noah Misch for reporting this problem.
(CVE-2025-8715)
.
* Add Turkish debconf translation by Atila KOÇ, thanks! (Closes: #1107984)
* Drop hurd-iovec patch, implemented upstream.
Checksums-Sha1:
3ceb7c397a5e6a28b6dee67a81d94239afb48458 4277 postgresql-17_17.6-0+deb13u1.dsc
9fc28852dc56be1886132e4ae7d64e0f744fdc31 21623975 postgresql-17_17.6.orig.tar.bz2
0afd29414a2bb5d257a12aabc2c305a27037f661 28656 postgresql-17_17.6-0+deb13u1.debian.tar.xz
Checksums-Sha256:
5210a623d9a2a4c68bf2efcbeb38f3357579f8e7a80ddfb9afa30350e294b592 4277 postgresql-17_17.6-0+deb13u1.dsc
e0630a3600aea27511715563259ec2111cd5f4353a4b040e0be827f94cd7a8b0 21623975 postgresql-17_17.6.orig.tar.bz2
670be1c39b4642af68b5a8ccea2cbcb731b31e53d47a0145c7750410084d64b3 28656 postgresql-17_17.6-0+deb13u1.debian.tar.xz
Files:
499bd0e0648dc256dbf239bfca862b98 4277 database optional postgresql-17_17.6-0+deb13u1.dsc
e72b7e5dc22d44d56b113ed1f74e4084 21623975 database optional postgresql-17_17.6.orig.tar.bz2
27bae2dc9e0921f3f537ca4cc9cad8d4 28656 database optional postgresql-17_17.6-0+deb13u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAmicfoUACgkQTFprqxLS
p66Xqg/9GKlMbejA2tt4dg2Xch009q+jqIFw5o9nzYNoDQPYusEzSgDMNJndllZx
uVAKrpFxtFycNZyLJh7Ek9b4dka7m3a/JgTtLiAnoopvPjLMzuN4ZgnJmFRNXM6w
Y2qTUfnmK8su2XCgpCfU8YMGbcTHtcOXaTqfAOvsnxs0k6xM+p4q85fdavc+kud1
dCqc5rsB7KhFZbuDqYOaBSsexLhxVvEVfVkdGyRHBN0Xa+bS7KhLaAd5SrwclAu8
DDz7BUMkWF9NBoxQ8YryEEqYnRnizTOpaMZhWuPFIE0xAd7WbAzZzk6xH68UpHrw
t9H82Xquu2fxwZYnwKbaHDOg3mJsKo3f/9eOn4AicskYWo0zQuStUecq8uKF3OKd
xUgdqF5Q0gi4CoKVvI1xVkiOh5xG6bXws7ma2ujZq7no+Zd1HyYWW7BTW3CQrbof
KM1bF+/TBfg1I6e1Y47iYiCEP5iqf6JOkqB9zS9VsSaEtuu0PO5neZjfzbQlSXNz
0P2wXHWyhGAexbXYka+sxoyjTE/Af3j5B/3VXDd82fqe2vkWMgHGes+THu3Indau
wIIOKoFddZQui1kTvC6UtjPOIsauSMY2kRfjUW7azIM5Fn8a9aHL7VLYnPzfHcho
bQJ32Maw5ePByT3yjVOlfTf/M59xJ1Bc2eYQhHzs3Rcnw2cyc3E=
=ybv5
-----END PGP SIGNATURE-----
Attachment:
pgpOujlhw03cT.pgp
Description: PGP signature