
Re: postgresql-11 11.17-0+deb10u1



Hi Christoph,

On 11/08/2022 14:10, Christoph Berg wrote:
Hi,

I just uploaded postgresql-11, if anyone wants to do the LTS paperwork for that:

postgresql-11 (11.17-0+deb10u1) buster-security; urgency=medium

   * New upstream version.

     + Do not let extension scripts replace objects not already belonging to
       the extension (Tom Lane) (CVE-2022-2625)

       This change prevents extension scripts from doing CREATE OR REPLACE if
       there is an existing object that does not belong to the extension.  It
       also prevents CREATE IF NOT EXISTS in the same situation.  This prevents
       a form of trojan-horse attack in which a hostile database user could
       become the owner of an extension object and then modify it to compromise
       future uses of the object by other users.  As a side benefit, it also
       reduces the risk of accidentally replacing objects one did not mean to.

       The PostgreSQL Project thanks Sven Klemm for reporting this problem.

  -- Christoph Berg <myon@debian.org>  Thu, 11 Aug 2022 14:03:50 +0200

Thanks for the update. I have just sent out the announcement.

Cheers,
Emilio
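The changelog entry above describes the CVE-2022-2625 hardening: with 11.17, extension scripts no longer silently take over (via CREATE OR REPLACE or CREATE IF NOT EXISTS) objects that do not already belong to the extension. For databases upgraded to this release, a DBA may still want to know whether any object already recorded as an extension member is owned by a role other than the extension's owner, which is the ownership situation the entry describes. The following catalog query is an added example written for this page; it is not part of the mail, the Debian package, or the PostgreSQL project. It relies only on standard catalogs (pg_depend with deptype 'e' marks extension membership; pg_extension.extowner, pg_class.relowner and pg_proc.proowner hold owners) and should be run by a role that can read those catalogs, normally a superuser.

```sql
-- Added audit query (not from the original message): list relations and
-- functions that are members of an installed extension but whose owner
-- differs from the owner of the extension itself.
-- Assumes standard PostgreSQL system catalogs; tested mentally against the
-- documented column names, not against any specific cluster.

-- Optional sanity check: confirm the running server carries the fix (>= 11.17).
SELECT current_setting('server_version') AS server_version;

WITH members AS (
    -- deptype 'e' = "object is a member of this extension"
    SELECT d.classid, d.objid, e.extname, e.extowner
    FROM pg_depend d
    JOIN pg_extension e
      ON d.refclassid = 'pg_extension'::regclass
     AND d.refobjid   = e.oid
    WHERE d.deptype = 'e'
)
SELECT m.extname,
       'relation'          AS object_kind,
       c.relname::text     AS object_name,
       obj_owner.rolname   AS object_owner,
       ext_owner.rolname   AS extension_owner
FROM members m
JOIN pg_class c
  ON m.classid = 'pg_class'::regclass
 AND c.oid     = m.objid
JOIN pg_roles obj_owner ON obj_owner.oid = c.relowner
JOIN pg_roles ext_owner ON ext_owner.oid = m.extowner
WHERE c.relowner <> m.extowner

UNION ALL

SELECT m.extname,
       'function',
       p.proname::text,
       obj_owner.rolname,
       ext_owner.rolname
FROM members m
JOIN pg_proc p
  ON m.classid = 'pg_proc'::regclass
 AND p.oid     = m.objid
JOIN pg_roles obj_owner ON obj_owner.oid = p.proowner
JOIN pg_roles ext_owner ON ext_owner.oid = m.extowner
WHERE p.proowner <> m.extowner

ORDER BY 1, 2, 3;
```

An empty result set means every relation and function belonging to an installed extension is owned by the same role that owns the extension. Any row returned identifies an object whose ownership a DBA should review and, where unexpected, correct with ALTER ... OWNER TO before relying on the extension; the upgrade itself prevents the replacement path described in the changelog but does not retroactively change existing ownership.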

