[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1111076: marked as done (bookworm-pu: package postgresql-15/15.14-0+deb12u1)

Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1111076,
regarding bookworm-pu: package postgresql-15/15.14-0+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1111076: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111076
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: postgresql-15@packages.debian.org
Control: affects -1 + src:postgresql-15
User: release.debian.org@packages.debian.org
Usertags: pu

New postgresql-15 version with some CVEs that didn't warrant a DSA.

Christoph

diff --git a/debian/changelog b/debian/changelog
index 2a1794b..0d15f12 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,63 @@
+postgresql-15 (15.14-0+deb12u1) bookworm; urgency=medium
+
+  * New upstream version 15.14.
+
+    + Tighten security checks in planner estimation functions (Dean Rasheed)
+
+      The fix for CVE-2017-7484, plus followup fixes, intended to prevent
+      leaky functions from being applied to statistics data for columns that
+      the calling user does not have permission to read.  Two gaps in that
+      protection have been found.  One gap applies to partitioning and
+      inheritance hierarchies where RLS policies on the tables should restrict
+      access to statistics data, but did not.
+
+      The other gap applies to cases where the query accesses a table via a
+      view, and the view owner has permissions to read the underlying table
+      but the calling user does not have permissions on the view. The view
+      owner's permissions satisfied the security checks, and the leaky
+      function would get applied to the underlying table's statistics before
+      we check the calling user's permissions on the view.  This has been
+      fixed by making security checks on views occur at the start of planning.
+      That might cause permissions failures to occur earlier than before.
+
+      The PostgreSQL Project thanks Dean Rasheed for reporting this problem.
+      (CVE-2025-8713)
+
+    + Prevent pg_dump scripts from being used to attack the user running the
+      restore (Nathan Bossart)
+
+      Since dump/restore operations typically involve running SQL commands as
+      superuser, the target database installation must trust the source
+      server.  However, it does not follow that the operating system user who
+      executes psql to perform the restore should have to trust the source
+      server.  The risk here is that an attacker who has gained
+      superuser-level control over the source server might be able to cause it
+      to emit text that would be interpreted as psql meta-commands. That would
+      provide shell-level access to the restoring user's own account,
+      independently of access to the target database.
+
+      To provide a positive guarantee that this can't happen, extend psql with
+      a \restrict command that prevents execution of further meta-commands,
+      and teach pg_dump to issue that before any data coming from the source
+      server.
+
+      The PostgreSQL Project thanks Martin Rakhmanov, Matthieu Denais, and
+      RyotaK for reporting this problem. (CVE-2025-8714)
+
+    + Convert newlines to spaces in names included in comments in pg_dump
+      output (Noah Misch)
+
+      Object names containing newlines offered the ability to inject arbitrary
+      SQL commands into the output script.  (Without the preceding fix,
+      injection of psql meta-commands would also be possible this way.)
+      CVE-2012-0868 fixed this class of problem at the time, but later work
+      reintroduced several cases.
+
+      The PostgreSQL Project thanks Noah Misch for reporting this problem.
+      (CVE-2025-8715)
+
+ -- Christoph Berg <myon@debian.org>  Wed, 13 Aug 2025 20:13:29 +0200
+
 postgresql-15 (15.13-0+deb12u1) bookworm; urgency=medium
 
   * New upstream version 15.13.

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---
Reply to: