Re: Accepted postgresql-11 11.20-0+deb10u1 (source) into oldstable

Hi,

I uploaded PostgreSQL 11 to buster. The same DSA for PG 13 went out a
few minutes ago. The PG 15 upload will happen now.

Re: Debian FTP Masters
> Format: 1.8
> Date: Wed, 10 May 2023 21:04:02 +0200
> Source: postgresql-11
> Architecture: source
> Version: 11.20-0+deb10u1
> Distribution: buster-security
> Urgency: medium
> Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
> Changed-By: Christoph Berg <myon@debian.org>
> Changes:
>  postgresql-11 (11.20-0+deb10u1) buster-security; urgency=medium
>  .
>    * New upstream version.
>  .
>      + Prevent CREATE SCHEMA from defeating changes in search_path
>        (Report and fix by Alexander Lakhin, CVE-2023-2454)
>  .
>        Within a CREATE SCHEMA command, objects in the prevailing search_path,
>        as well as those in the newly-created schema, would be visible even
>        within a called function or script that attempted to set a secure
>        search_path.  This could allow any user having permission to create a
>        schema to hijack the privileges of a security definer function or
>        extension script.
>  .
>      + Enforce row-level security policies correctly after inlining a
>        set-returning function (Report by Wolfgang Walther, CVE-2023-2455)
>  .
>        If a set-returning SQL-language function refers to a table having
>        row-level security policies, and it can be inlined into a calling query,
>        those RLS policies would not get enforced properly in some cases
>        involving re-using a cached plan under a different role. This could
>        allow a user to see or modify rows that should have been invisible.
> Checksums-Sha1:
>  da69910501c1b9386e66e267f2615979f0620da8 3745 postgresql-11_11.20-0+deb10u1.dsc
>  c85859feeafd6d9f4bc9dd9064aff0af3345cf1e 20456483 postgresql-11_11.20.orig.tar.bz2
>  3cf48c13c7d57769dee0e12f3300f96b3375a9c2 29104 postgresql-11_11.20-0+deb10u1.debian.tar.xz
> Checksums-Sha256:
>  d5afb436da0171c8d48e59c084104c4addbdf0b39038e952754a6899573821df 3745 postgresql-11_11.20-0+deb10u1.dsc
>  3d7c8882f64a7e98534a044257dfee7abad77a5b7da12508d85d722b98b5acce 20456483 postgresql-11_11.20.orig.tar.bz2
>  b48baa5a6ccd911a907bdcd2bf092bb1eea46dada7d55e153fb2c719115f021b 29104 postgresql-11_11.20-0+deb10u1.debian.tar.xz
> Files:
>  88977508c14f6dfb9af10c6087d07d9c 3745 database optional postgresql-11_11.20-0+deb10u1.dsc
>  05666c76d6c2e0fd6cc3b8e604f9c06d 20456483 database optional postgresql-11_11.20.orig.tar.bz2
>  94ad0d65b55d5856787cfa388fa5916f 29104 database optional postgresql-11_11.20-0+deb10u1.debian.tar.xz
> 
> 

Christoph
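A practitioner who fetches these source files will want to check them against the Checksums-Sha1, Checksums-Sha256 and Files stanzas quoted in the notice. The following Python is an added example, not part of this message or of the Debian tooling: it parses those three stanzas (embedded from the excerpt above), cross-checks that they agree on file names and sizes, and hashes local files against all three digests. The file `example_1.0.orig.tar.xz` and its contents are a constructed fixture so the run works offline; they are not a real upload.

```python
"""Check a Debian .changes file's checksum stanzas against files on disk."""
import hashlib
import os
import tempfile

# The three checksum stanzas as quoted in the accepted-upload notice above.
CHANGES_EXCERPT = """\
Checksums-Sha1:
 da69910501c1b9386e66e267f2615979f0620da8 3745 postgresql-11_11.20-0+deb10u1.dsc
 c85859feeafd6d9f4bc9dd9064aff0af3345cf1e 20456483 postgresql-11_11.20.orig.tar.bz2
 3cf48c13c7d57769dee0e12f3300f96b3375a9c2 29104 postgresql-11_11.20-0+deb10u1.debian.tar.xz
Checksums-Sha256:
 d5afb436da0171c8d48e59c084104c4addbdf0b39038e952754a6899573821df 3745 postgresql-11_11.20-0+deb10u1.dsc
 3d7c8882f64a7e98534a044257dfee7abad77a5b7da12508d85d722b98b5acce 20456483 postgresql-11_11.20.orig.tar.bz2
 b48baa5a6ccd911a907bdcd2bf092bb1eea46dada7d55e153fb2c719115f021b 29104 postgresql-11_11.20-0+deb10u1.debian.tar.xz
Files:
 88977508c14f6dfb9af10c6087d07d9c 3745 database optional postgresql-11_11.20-0+deb10u1.dsc
 05666c76d6c2e0fd6cc3b8e604f9c06d 20456483 database optional postgresql-11_11.20.orig.tar.bz2
 94ad0d65b55d5856787cfa388fa5916f 29104 database optional postgresql-11_11.20-0+deb10u1.debian.tar.xz
"""

# Field name -> (hash algorithm, column of the size, column of the file name).
# "Files:" carries md5 plus section and priority columns, hence the different name column.
STANZAS = {
    "Checksums-Sha1": ("sha1", 1, 2),
    "Checksums-Sha256": ("sha256", 1, 2),
    "Files": ("md5", 1, 4),
}
ALGORITHMS = ("md5", "sha1", "sha256")


def parse_changes(text):
    """Return {filename: {"size": int, "md5": .., "sha1": .., "sha256": ..}}.

    Raises ValueError when the stanzas disagree on a size or list different files:
    the stanzas are redundant by design, so any inconsistency is itself suspicious.
    """
    entries, field = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):            # a "Field:" line starts a new stanza
            field = line.split(":", 1)[0]
            continue
        if field not in STANZAS:                # continuation of another field, e.g. Changes:
            continue
        algo, size_col, name_col = STANZAS[field]
        cols = line.split()
        digest, size, name = cols[0], int(cols[size_col]), cols[name_col]
        entry = entries.setdefault(name, {"size": size})
        if entry["size"] != size:
            raise ValueError(f"{field}: size of {name} disagrees with an earlier stanza")
        entry[algo] = digest.lower()
    for name, entry in entries.items():
        missing = [a for a in ALGORITHMS if a not in entry]
        if missing:
            raise ValueError(f"{name} is absent from the {missing} stanza(s)")
    return entries


def verify_files(entries, directory):
    """Hash each listed file under `directory`; return {filename: [problems]}.

    All three digests are compared even though only SHA-256 is collision
    resistant: a file matching one digest but not another has clearly been edited.
    (hashlib.new("md5") may be refused on FIPS-only hosts.)
    """
    report = {}
    for name, entry in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = ["missing"]
            continue
        hashers = {algo: hashlib.new(algo) for algo in ALGORITHMS}
        size = 0
        with open(path, "rb") as fh:            # stream: orig tarballs are tens of MB
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                size += len(chunk)
                for h in hashers.values():
                    h.update(chunk)
        problems = []
        if size != entry["size"]:
            problems.append(f"size {size} != {entry['size']}")
        problems += [f"{a} mismatch" for a, h in hashers.items() if h.hexdigest() != entry[a]]
        report[name] = problems
    return report


def digest_stanzas(path, section="database", priority="optional"):
    """Render the three stanzas for one local file (inverse of parse_changes; fixture only)."""
    name = os.path.basename(path)
    with open(path, "rb") as fh:
        data = fh.read()
    d = {algo: hashlib.new(algo, data).hexdigest() for algo in ALGORITHMS}
    n = len(data)
    return (f"Checksums-Sha1:\n {d['sha1']} {n} {name}\n"
            f"Checksums-Sha256:\n {d['sha256']} {n} {name}\n"
            f"Files:\n {d['md5']} {n} {section} {priority} {name}\n")


def demo():
    """Constructed run: the fixture verifies cleanly, then a same-size one-byte edit
    is caught by every digest. Returns (problems_before, problems_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        name = "example_1.0.orig.tar.xz"        # hypothetical name; contents are not a tarball
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed stand-in for an upstream tarball\n" * 64)
        entries = parse_changes(digest_stanzas(path))
        before = verify_files(entries, tmp)[name]
        with open(path, "r+b") as fh:
            fh.write(b"C")                       # first byte 'c' -> 'C', length unchanged
        after = verify_files(entries, tmp)[name]
    return before, after


if __name__ == "__main__":
    print(parse_changes(CHANGES_EXCERPT)["postgresql-11_11.20-0+deb10u1.dsc"])
    print(demo())
```

The digests only mean something inside a .changes whose OpenPGP signature has been checked against the Debian keyrings first; `dscverify` from devscripts does both the signature and the digest comparison in one step, and this block only spells out the digest half so the cross-stanza consistency check is visible.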
