Accepted postgresql-11 11.17-0+deb10u1 (source) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 11 Aug 2022 14:03:50 +0200
Source: postgresql-11
Architecture: source
Version: 11.17-0+deb10u1
Distribution: buster-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
postgresql-11 (11.17-0+deb10u1) buster-security; urgency=medium
.
* New upstream version.
.
+ Do not let extension scripts replace objects not already belonging to
the extension (Tom Lane) (CVE-2022-2625)
.
This change prevents extension scripts from doing CREATE OR REPLACE if
there is an existing object that does not belong to the extension. It
also prevents CREATE IF NOT EXISTS in the same situation. This prevents
a form of trojan-horse attack in which a hostile database user could
become the owner of an extension object and then modify it to compromise
future uses of the object by other users. As a side benefit, it also
reduces the risk of accidentally replacing objects one did not mean to.
.
The PostgreSQL Project thanks Sven Klemm for reporting this problem.
Checksums-Sha1:
3d880e497eca4196052f740963b3741479ff51a7 3745 postgresql-11_11.17-0+deb10u1.dsc
553aff97123c8b48909ab8b49da2e2f141702d7e 20385599 postgresql-11_11.17.orig.tar.bz2
4007541edd871dcfadd8bead6f97bfe88fd92ad5 28484 postgresql-11_11.17-0+deb10u1.debian.tar.xz
Checksums-Sha256:
49d55b7a6e529bf4f7c14c114af2429af8fb1d7656481300e39e892c1668a100 3745 postgresql-11_11.17-0+deb10u1.dsc
6e984963ae0765e61577995103a7e6594db0f0bd01528ac123e0de4a6a4cb4c4 20385599 postgresql-11_11.17.orig.tar.bz2
2e21624784f0991aa3e1b0bd09861848a637a7311938634c70bc8f6743e9fad3 28484 postgresql-11_11.17-0+deb10u1.debian.tar.xz
Files:
ded96875b9d955ebfdd6386989fee783 3745 database optional postgresql-11_11.17-0+deb10u1.dsc
34d2faf0efe356f4d881cea17607479c 20385599 database optional postgresql-11_11.17.orig.tar.bz2
4be3c5516108a5b8ae2e1b60b2ef1235 28484 database optional postgresql-11_11.17-0+deb10u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAmL08RMACgkQTFprqxLS
p674vA/8Do9me04eC60khdhek5IrHoe3Z7/nq8bRV1CPzDAtOxIrDscbeWL964OJ
Y1ftBgg6EcBSSCmrDAsoqUpiEL9Eq8edcoAFF8NK1FLUFw5dhOocj9Vcyi2B2G5u
jdOWfSyGndFERPPhl/5PnodBtJMGstpKmG/2LIRMQq13l1P85/jIkBod324N7yx9
aF1MQ0EYJqi/sDq+o5lnwFJzIowJCUtc1CFjkxO5Ekim5UTzaBK76xbG/c2QJrmM
Tm1IK978oRXzt39Q9K9NgnwFF8OiiMaqHPy1oGrO+3JEp8EJchMhibNoTIHJl+hR
+Q0azo67dgy0zelGH5Nl013RK8jQS44k/6PBB5PjLAe83GYjJB0rJLNcIS7KYVa+
lGhdSMtiCLSyQ12zmPY0Wo/TueTEu+0TP75LCAi/cf85afj5cVeg8h2h4VtogMn0
CObqmp5gRQgSYDA4tYc0Uh5d013c6CiWUYCPqTP/EvhXlneAYSkhKrhaVhpQ4ur4
GdOyTDV6lMa9Jd5FQjkIrhwZ+RHKPf/M/bODI+yYx42JgC/9bO8P3MwxV7J59FWa
gACM3zJtrVuROL3gDILTmGp5dJ4lhqdaqSKiPhXoIcoVgZUR1BtjZhABAR7Z9Nv1
2IYQ9D5clBz6kXcmsFhV9ZeQMY3IXOj7PE++F4vIh4GNDUkB5FQ=
=9HvI
-----END PGP SIGNATURE-----
Reply to: