Your message dated Sun, 14 May 2023 18:27:24 +0000
with message-id <[email protected]>
and subject line unblock postgresql-15
has caused the Debian Bug report #1036006,
regarding unblock: postgresql-15/15.3-0+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1036006: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036006
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:postgresql-15
Please unblock package postgresql-15.
[ Reason ]
The new version fixes CVE-2023-2454 and CVE-2023-2455.
[ Impact ]
CVE-2023-2454 and CVE-2023-2455.
[ Tests ]
The package passes all the built-in regression tests and the
postgresql-common testsuite.
[ Risks ]
New PostgreSQL upstream releases are generally accepted.
[ Checklist ]
(No changes in debian/ except for the changelog)
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[ ] attach debdiff against the package in testing
postgresql-15 (15.3-0+deb12u1) unstable; urgency=medium
* New upstream version.
+ Prevent CREATE SCHEMA from defeating changes in search_path
(Report and fix by Alexander Lakhin, CVE-2023-2454)
Within a CREATE SCHEMA command, objects in the prevailing search_path,
as well as those in the newly-created schema, would be visible even
within a called function or script that attempted to set a secure
search_path. This could allow any user having permission to create a
schema to hijack the privileges of a security definer function or
extension script.
+ Enforce row-level security policies correctly after inlining a
set-returning function (Report by Wolfgang Walther, CVE-2023-2455)
If a set-returning SQL-language function refers to a table having
row-level security policies, and it can be inlined into a calling query,
those RLS policies would not get enforced properly in some cases
involving re-using a cached plan under a different role. This could
allow a user to see or modify rows that should have been invisible.
-- Christoph Berg <[email protected]> Tue, 09 May 2023 19:05:02 +0200
unblock postgresql-15/15.3-0+deb12u1
Thanks,
Christoph
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---
