
postgresql-11 11.17-0+deb10u1



Hi,

I just uploaded postgresql-11, if anyone wants to do the LTS paperwork for that:

postgresql-11 (11.17-0+deb10u1) buster-security; urgency=medium

  * New upstream version.

    + Do not let extension scripts replace objects not already belonging to
      the extension (Tom Lane) (CVE-2022-2625)

      This change prevents extension scripts from doing CREATE OR REPLACE if
      there is an existing object that does not belong to the extension.  It
      also prevents CREATE IF NOT EXISTS in the same situation.  This prevents
      a form of trojan-horse attack in which a hostile database user could
      become the owner of an extension object and then modify it to compromise
      future uses of the object by other users.  As a side benefit, it also
      reduces the risk of accidentally replacing objects one did not mean to.

      The PostgreSQL Project thanks Sven Klemm for reporting this problem.

 -- Christoph Berg <myon@debian.org>  Thu, 11 Aug 2022 14:03:50 +0200


Thanks,
Christoph
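
A defender's follow-up to the CVE-2022-2625 entry above, as an added example that is not part of the original message or of the PostgreSQL or Debian packaging: a catalog query listing extension member objects whose owner differs from the extension's owner, which is the ownership state the changelog describes a hostile user reaching. It assumes only functions and relations need checking and is run per database; a row is a prompt for review, not proof of compromise.

```sql
-- Added audit example: extension members (pg_depend.deptype = 'e') whose
-- owner is not the role that owns the extension. Run in each database.
SELECT e.extname                   AS extension,
       ext_owner.rolname           AS extension_owner,
       'function'                  AS object_kind,
       p.oid::regprocedure::text   AS object_name,
       obj_owner.rolname           AS object_owner
FROM pg_extension e
JOIN pg_depend d
  ON d.refclassid = 'pg_extension'::regclass
 AND d.refobjid   = e.oid
 AND d.deptype    = 'e'                 -- 'e' marks an extension member
JOIN pg_proc p
  ON d.classid = 'pg_proc'::regclass
 AND d.objid   = p.oid
JOIN pg_roles ext_owner ON ext_owner.oid = e.extowner
JOIN pg_roles obj_owner ON obj_owner.oid = p.proowner
WHERE p.proowner <> e.extowner

UNION ALL

-- Same check for tables, views, sequences and indexes owned via pg_class.
SELECT e.extname,
       ext_owner.rolname,
       'relation',
       c.oid::regclass::text,
       obj_owner.rolname
FROM pg_extension e
JOIN pg_depend d
  ON d.refclassid = 'pg_extension'::regclass
 AND d.refobjid   = e.oid
 AND d.deptype    = 'e'
JOIN pg_class c
  ON d.classid = 'pg_class'::regclass
 AND d.objid   = c.oid
JOIN pg_roles ext_owner ON ext_owner.oid = e.extowner
JOIN pg_roles obj_owner ON obj_owner.oid = c.relowner
WHERE c.relowner <> e.extowner

ORDER BY 1, 3, 4;
```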

