Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: postgresql-15@packages.debian.org
Control: affects -1 + src:postgresql-15
Please unblock package postgresql-15.
[ Reason ]
The new version fixes CVE-2023-2454 and CVE-2023-2455.
[ Impact ]
CVE-2023-2454 and CVE-2023-2455.
[ Tests ]
The package passes all the built-in regression tests and the
postgresql-common testsuite.
[ Risks ]
New PostgreSQL upstream releases are generally accepted.
[ Checklist ]
(No changes in debian/ except for the changelog)
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[ ] attach debdiff against the package in testing
postgresql-15 (15.3-0+deb12u1) unstable; urgency=medium

  * New upstream version.
    + Prevent CREATE SCHEMA from defeating changes in search_path
      (Report and fix by Alexander Lakhin, CVE-2023-2454)

      Within a CREATE SCHEMA command, objects in the prevailing search_path,
      as well as those in the newly-created schema, would be visible even
      within a called function or script that attempted to set a secure
      search_path. This could allow any user having permission to create a
      schema to hijack the privileges of a security definer function or
      extension script.

    + Enforce row-level security policies correctly after inlining a
      set-returning function (Report by Wolfgang Walther, CVE-2023-2455)

      If a set-returning SQL-language function refers to a table having
      row-level security policies, and it can be inlined into a calling query,
      those RLS policies would not get enforced properly in some cases
      involving re-using a cached plan under a different role. This could
      allow a user to see or modify rows that should have been invisible.

 -- Christoph Berg <myon@debian.org>  Tue, 09 May 2023 19:05:02 +0200
unblock postgresql-15/15.3-0+deb12u1
Thanks,
Christoph
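The CVE-2023-2454 entry above talks about a SECURITY DEFINER function that "attempted to set a secure search_path", which the CREATE SCHEMA bug could defeat; installing 15.3 is the fix for that bypass. What follows is an added example, not part of the bug report or of PostgreSQL's own code: it shows the hardening the entry refers to (a SECURITY DEFINER function that pins search_path and schema-qualifies what it touches, next to the unhardened form), followed by a catalog query that lists SECURITY DEFINER functions which do not pin search_path at all. The schema `app`, the table `app.audit_log`, the functions and the role `app_user` are hypothetical names chosen for the example.

```sql
-- Added example; schema, table, function and role names are hypothetical.
CREATE SCHEMA app;
CREATE TABLE app.audit_log (username text, logged_at timestamptz DEFAULT now());

-- 1. Unhardened form: no search_path is pinned, so the unqualified call
--    lower(who) is resolved against the *caller's* search_path at run time.
--    A function named lower(text) in a schema that appears earlier in that
--    path would be executed with the privileges of the function owner.
CREATE FUNCTION app.log_login_unsafe(who text) RETURNS void
LANGUAGE sql SECURITY DEFINER AS $$
    INSERT INTO app.audit_log(username) VALUES (lower(who));
$$;

-- 2. Hardened form, as recommended in the PostgreSQL manual for SECURITY
--    DEFINER functions: pin search_path for the duration of the call, with
--    pg_temp last so temporary objects cannot shadow catalog ones, and
--    schema-qualify every object the body references.
CREATE FUNCTION app.log_login(who text) RETURNS void
LANGUAGE sql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
    INSERT INTO app.audit_log(username) VALUES (pg_catalog.lower(who));
$$;

-- Functions are executable by PUBLIC by default; grant EXECUTE explicitly.
REVOKE ALL ON FUNCTION app.log_login(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION app.log_login(text) TO app_user;

-- 3. Audit query: SECURITY DEFINER functions outside the system schemas whose
--    per-function SET clauses (pg_proc.proconfig, entries of the form
--    "name=value") do not include a search_path setting.
--    With the objects above it returns app.log_login_unsafe and not app.log_login.
SELECT n.nspname AS schema, p.proname AS function, p.proconfig
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT EXISTS (
        SELECT 1
        FROM unnest(coalesce(p.proconfig, '{}'::text[])) AS c
        WHERE c LIKE 'search_path=%'
  )
ORDER BY 1, 2;
```

The audit query is a useful check to run on each database after the upgrade: the new release closes the CREATE SCHEMA bypass, but a SECURITY DEFINER function that never pinned search_path in the first place remains hijackable by anyone who can create objects in a schema ahead of pg_catalog on a caller's path.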