
[SECURITY] [DLA 4273-1] postgresql-13 security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-4273-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
August 14, 2025                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : postgresql-13
Version        : 13.22-0+deb11u1
CVE IDs        : CVE-2025-8713 CVE-2025-8714 CVE-2025-8715

It was discovered that there were a number of vulnerabilities in
postgresql-13, the widely popular database management system:

 * CVE-2025-8713: The fix for CVE-2017-7484 (plus followup fixes)
   was intended to prevent leaky functions from being applied to
   statistics data for columns that the calling user does not have
   permission to read. Some gaps in that protection were found and
   addressed.

 * CVE-2025-8714: Prevent pg_dump scripts from being used to attack
   the user running the restore. An attacker who had gained
   superuser-level control over the source server might have been
   able to cause it to emit text that would be interpreted as psql
   meta-commands.

 * CVE-2025-8715: Convert newlines to spaces in names included in
   comments in pg_dump output, because names containing newlines
   offered the ability to inject arbitrary SQL commands into the
   output script.

For Debian 11 bullseye, these problems have been fixed in version
13.22-0+deb11u1. Thanks to Christoph Berg (myon) for preparing this
upload.

We recommend that you upgrade your postgresql-13 packages.

For the detailed security status of postgresql-13 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-13

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
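
A pre-restore triage check for the CVE-2025-8714 item above, as an added example that is not part of the advisory or of PostgreSQL: it lists lines in a plain-text pg_dump script that begin with a psql meta-command outside COPY data. The allow-list and the sample dump are assumptions constructed for the example, and the scan is line-based, so a backslash that starts a line inside a multi-line string literal is also reported for review.

```python
import re
import sys

# Assumption of this example: meta-commands a plain-text dump may legitimately
# contain outside COPY data (\connect from pg_dump -C / pg_dumpall, and the
# \restrict / \unrestrict pair emitted by the fixed pg_dump releases).
EXPECTED = {"connect", "restrict", "unrestrict"}

COPY_START = re.compile(r"^COPY\s.+\sFROM\s+stdin;\s*$", re.IGNORECASE)
META = re.compile(r"^\s*\\(\S*)")

# Constructed sample dump (not real pg_dump output); line 9 is the odd one out.
SAMPLE = [
    "-- PostgreSQL database dump",
    r"\restrict CONSTRUCTEDKEY",
    r"\connect appdb",
    "CREATE TABLE public.t (id integer, note text);",
    "COPY public.t (id, note) FROM stdin;",
    "1\t\\N",
    "\\N\tleading escape is data, not a command",
    r"\.",
    r"\set constructed_marker 1",
    r"\unrestrict CONSTRUCTEDKEY",
]


def scan_dump(lines):
    """Return (line_no, text) for unexpected backslash lines outside COPY data."""
    findings = []
    in_copy = False
    for no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if in_copy:
            # Inside COPY data a leading backslash is a data escape (\N, \\);
            # only the terminator line "\." ends the block.
            if line == "\\.":
                in_copy = False
            continue
        if COPY_START.match(line):
            in_copy = True
            continue
        m = META.match(line)
        if m and m.group(1).lower() not in EXPECTED:
            findings.append((no, line))
    return findings


if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE
    for no, text in scan_dump(src):
        print(f"line {no}: unexpected meta-command: {text}")
```

Any reported line should be read by hand before the script is passed to psql; an empty result does not replace upgrading to the fixed package.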
