Your message dated Sun, 14 May 2023 18:27:24 +0000 with message-id <E1pyGRI-001GEe-Vy@respighi.debian.org> and subject line unblock postgresql-15 has caused the Debian Bug report #1036006, regarding unblock: postgresql-15/15.3-0+deb12u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1036006: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036006
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: postgresql-15/15.3-0+deb12u1
- From: Christoph Berg <myon@debian.org>
- Date: Fri, 12 May 2023 21:57:12 +0200
- Message-id: <ZF6aGGTTog58kxWO@msg.df7cb.de>
- Mail-followup-to: Christoph Berg <myon@debian.org>, Debian Bug Tracking System <submit@bugs.debian.org>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: postgresql-15@packages.debian.org
Control: affects -1 + src:postgresql-15

Please unblock package postgresql-15.

[ Reason ]
The new version fixes CVE-2023-2454 and CVE-2023-2455.

[ Impact ]
CVE-2023-2454 and CVE-2023-2455.

[ Tests ]
The package passes all the built-in regression tests and the postgresql-common testsuite.

[ Risks ]
New PostgreSQL upstream releases are generally accepted.

[ Checklist ]
(No changes in debian/ except for the changelog)
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[ ] attach debdiff against the package in testing

postgresql-15 (15.3-0+deb12u1) unstable; urgency=medium

  * New upstream version.

    + Prevent CREATE SCHEMA from defeating changes in search_path
      (Report and fix by Alexander Lakhin, CVE-2023-2454)

      Within a CREATE SCHEMA command, objects in the prevailing search_path, as well as those in the newly-created schema, would be visible even within a called function or script that attempted to set a secure search_path. This could allow any user having permission to create a schema to hijack the privileges of a security definer function or extension script.

    + Enforce row-level security policies correctly after inlining a set-returning function
      (Report by Wolfgang Walther, CVE-2023-2455)

      If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible.

 -- Christoph Berg <myon@debian.org>  Tue, 09 May 2023 19:05:02 +0200

unblock postgresql-15/15.3-0+deb12u1

Thanks,
Christoph

Attachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 1036006-done@bugs.debian.org
- Subject: unblock postgresql-15
- From: Sebastian Ramacher <sramacher@respighi.debian.org>
- Date: Sun, 14 May 2023 18:27:24 +0000
- Message-id: <E1pyGRI-001GEe-Vy@respighi.debian.org>
Unblocked.
--- End Message ---