
Accepted postgresql-17 17.6-1 (source) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 18 Jun 2025 15:54:51 +0200
Source: postgresql-17
Architecture: source
Version: 17.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Closes: 1107984
Changes:
 postgresql-17 (17.6-1) unstable; urgency=medium
 .
   * New upstream version 17.6.
 .
     + Tighten security checks in planner estimation functions (Dean Rasheed)
 .
       The fix for CVE-2017-7484, plus followup fixes, intended to prevent
       leaky functions from being applied to statistics data for columns that
       the calling user does not have permission to read.  Two gaps in that
       protection have been found.  One gap applies to partitioning and
       inheritance hierarchies where RLS policies on the tables should restrict
       access to statistics data, but did not.
 .
       The other gap applies to cases where the query accesses a table via a
       view, and the view owner has permissions to read the underlying table
       but the calling user does not have permissions on the view. The view
       owner's permissions satisfied the security checks, and the leaky
       function would get applied to the underlying table's statistics before
       we check the calling user's permissions on the view.  This has been
       fixed by making security checks on views occur at the start of planning.
       That might cause permissions failures to occur earlier than before.
 .
       The PostgreSQL Project thanks Dean Rasheed for reporting this problem.
       (CVE-2025-8713)
 .
     + Prevent pg_dump scripts from being used to attack the user running the
       restore (Nathan Bossart)
 .
       Since dump/restore operations typically involve running SQL commands as
       superuser, the target database installation must trust the source
       server.  However, it does not follow that the operating system user who
       executes psql to perform the restore should have to trust the source
       server.  The risk here is that an attacker who has gained
       superuser-level control over the source server might be able to cause it
       to emit text that would be interpreted as psql meta-commands. That would
       provide shell-level access to the restoring user's own account,
       independently of access to the target database.
 .
       To provide a positive guarantee that this can't happen, extend psql with
       a \restrict command that prevents execution of further meta-commands,
       and teach pg_dump to issue that before any data coming from the source
       server.
 .
       The PostgreSQL Project thanks Martin Rakhmanov, Matthieu Denais, and
       RyotaK for reporting this problem. (CVE-2025-8714)
 .
     + Convert newlines to spaces in names included in comments in pg_dump
       output (Noah Misch)
 .
       Object names containing newlines offered the ability to inject arbitrary
       SQL commands into the output script.  (Without the preceding fix,
       injection of psql meta-commands would also be possible this way.)
       CVE-2012-0868 fixed this class of problem at the time, but later work
       reintroduced several cases.
 .
       The PostgreSQL Project thanks Noah Misch for reporting this problem.
       (CVE-2025-8715)
 .
   * Add Turkish debconf translation by Atila KOÇ, thanks! (Closes: #1107984)
   * Drop hurd-iovec patch, implemented upstream.
   * Drop obsolete patches: focal-arm64-outline-atomics, jit-s390x.
Checksums-Sha1:
 e52a1252a4f64d5c09b2361e79aee00da5c96680 4245 postgresql-17_17.6-1.dsc
 9fc28852dc56be1886132e4ae7d64e0f744fdc31 21623975 postgresql-17_17.6.orig.tar.bz2
 56899fedcf7504b592e96efbb27e988e34bbb2a7 27072 postgresql-17_17.6-1.debian.tar.xz
Checksums-Sha256:
 75f1ad8b1407d08f372d06238cf7a33de6b58058cd9e9111dd0f405784c74958 4245 postgresql-17_17.6-1.dsc
 e0630a3600aea27511715563259ec2111cd5f4353a4b040e0be827f94cd7a8b0 21623975 postgresql-17_17.6.orig.tar.bz2
 7fb7fecb291aff64c0008ec74085a9d2465fdf25b248bc763d7ad8308a65a0d9 27072 postgresql-17_17.6-1.debian.tar.xz
Files:
 d813234bc1a04d86f943c3260b16c8de 4245 database optional postgresql-17_17.6-1.dsc
 e72b7e5dc22d44d56b113ed1f74e4084 21623975 database optional postgresql-17_17.6.orig.tar.bz2
 5dc0439ce8016b73b85bed17bea295dc 27072 database optional postgresql-17_17.6-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpVkKsl8gAum.pgp
Description: PGP signature
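The two pg_dump fixes in the changelog above (CVE-2025-8714 and CVE-2025-8715) describe one class of problem: text originating from the dumped database ends up in a script that psql executes as the restoring user. The following is an added example, not code from PostgreSQL or the Debian package, that makes both points concrete from the defender's side. It builds a pg_dump-style `-- Name: ...` header comment from an object name, shows that a newline inside the name escapes the comment and becomes an executable line, and shows the newline-to-space conversion that closes it; it also checks that a restore script opens with a `\restrict` meta-command before any dumped data. The comment layout, the `HOSTILE_NAME` value, the treatment of `--` lines as comments, and the `\restrict EXAMPLEKEY` line are constructed assumptions modelled on the release notes, not pg_dump's actual output.

```python
"""Added example (not PostgreSQL or Debian code): defender-side checks for the
pg_dump script-injection classes described in the 17.6 release notes.

1. A pg_dump-style header comment built from an object name.  A name that
   contains a newline lets the remainder of the name escape the ``--``
   comment and be executed by psql as a new line of the script.  Converting
   newlines to spaces keeps the whole name inside the comment.
2. A check that a restore script starts with a ``\\restrict`` meta-command
   before any data from the dumped database, so that later text cannot be
   interpreted as further psql meta-commands.

The comment format and the restrict-line check are assumptions modelled on
the release notes, not copied from pg_dump.
"""


def name_comment_unsafe(name: str, kind: str, schema: str, owner: str) -> str:
    """Build a header comment the naive way (the pre-fix behaviour)."""
    return f"-- Name: {name}; Type: {kind}; Schema: {schema}; Owner: {owner}\n"


def sanitize_for_comment(name: str) -> str:
    """Replace every newline (CR or LF) in an object name with a space."""
    return name.replace("\r", " ").replace("\n", " ")


def name_comment_safe(name: str, kind: str, schema: str, owner: str) -> str:
    """Build the same header comment with the fixed behaviour."""
    return name_comment_unsafe(sanitize_for_comment(name), kind, schema, owner)


def script_lines_executed(script: str) -> list[str]:
    """Return the lines psql would treat as something other than a comment.

    Approximation used here: a line is a comment if, after stripping leading
    whitespace, it starts with '--'.  Blank lines are skipped.
    """
    out = []
    for line in script.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("--"):
            continue
        out.append(stripped)
    return out


def has_restrict_guard(script: str) -> bool:
    """True if the first executable line of a restore script is \\restrict."""
    executed = script_lines_executed(script)
    return bool(executed) and executed[0].startswith("\\restrict")


# Constructed object name: the text after the newline is outside the comment,
# and the trailing '--' comments out the rest of the generated header line.
HOSTILE_NAME = "orders\nSELECT 'injected'; --"

if __name__ == "__main__":
    unsafe = name_comment_unsafe(HOSTILE_NAME, "TABLE", "public", "app")
    safe = name_comment_safe(HOSTILE_NAME, "TABLE", "public", "app")
    print("unsafe executes:", script_lines_executed(unsafe))  # one SELECT line
    print("safe executes:  ", script_lines_executed(safe))    # []
    # Constructed restore script: the guard precedes any dumped content.
    dump = "-- PostgreSQL database dump\n\\restrict EXAMPLEKEY\nSET client_encoding = 'UTF8';\n"
    print("guarded:", has_restrict_guard(dump))               # True
```

Running the script shows the pre-fix header producing an executable `SELECT` line from nothing but a table name, while the sanitized header produces none; `has_restrict_guard` is the kind of check a restore pipeline can apply to a dump file before feeding it to psql, regardless of which pg_dump version produced it.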

