Re: postgresql-11 11.17-0+deb10u1
Hi Christoph,

On 11/08/2022 14:10, Christoph Berg wrote:
> Hi,
>
> I just uploaded postgresql-11, if anyone wants to do the LTS paperwork for that:
>
> postgresql-11 (11.17-0+deb10u1) buster-security; urgency=medium
>
>   * New upstream version.
>     + Do not let extension scripts replace objects not already belonging
>       to the extension (Tom Lane) (CVE-2022-2625)
>       This change prevents extension scripts from doing CREATE OR REPLACE
>       if there is an existing object that does not belong to the
>       extension. It also prevents CREATE IF NOT EXISTS in the same
>       situation. This prevents a form of trojan-horse attack in which a
>       hostile database user could become the owner of an extension object
>       and then modify it to compromise future uses of the object by other
>       users. As a side benefit, it also reduces the risk of accidentally
>       replacing objects one did not mean to.
>       The PostgreSQL Project thanks Sven Klemm for reporting this problem.
>
>  -- Christoph Berg  Thu, 11 Aug 2022 14:03:50 +0200

Thanks for the update. I have just sent out the announcement.

Cheers,
Emilio
postgresql-11 11.17-0+deb10u1
Hi,

I just uploaded postgresql-11, if anyone wants to do the LTS paperwork for that:

postgresql-11 (11.17-0+deb10u1) buster-security; urgency=medium

  * New upstream version.
    + Do not let extension scripts replace objects not already belonging
      to the extension (Tom Lane) (CVE-2022-2625)
      This change prevents extension scripts from doing CREATE OR REPLACE
      if there is an existing object that does not belong to the
      extension. It also prevents CREATE IF NOT EXISTS in the same
      situation. This prevents a form of trojan-horse attack in which a
      hostile database user could become the owner of an extension object
      and then modify it to compromise future uses of the object by other
      users. As a side benefit, it also reduces the risk of accidentally
      replacing objects one did not mean to.
      The PostgreSQL Project thanks Sven Klemm for reporting this problem.

 -- Christoph Berg  Thu, 11 Aug 2022 14:03:50 +0200

Thanks,
Christoph
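The changelog entry above describes the attack but not how an operator would check an existing buster host for objects that were already hijacked. The fix only changes what CREATE OR REPLACE and CREATE IF NOT EXISTS do from 11.17 onward; an object that a hostile user pre-created and that an earlier extension install or upgrade silently adopted remains owned by that user. The following SQL is an added example written for this page; it is not part of the thread, the Debian package or the PostgreSQL project. It assumes only the standard catalogs (pg_depend, pg_extension, pg_proc, pg_class, pg_type, pg_operator, pg_namespace) and the server_version_num setting; the alias names are arbitrary.

```sql
-- Added example (not from the thread or from the PostgreSQL project):
-- audit a server for extension member objects that are not owned by the
-- owner of their extension. Before 11.17, an extension script running
-- CREATE OR REPLACE / CREATE IF NOT EXISTS over an attacker-supplied
-- object left it owned by the attacker while registering it as an
-- extension member; this query surfaces exactly that condition.

-- 1. Is this server already running the fixed release? (11.17 -> 110017)
SELECT current_setting('server_version_num')::int >= 110017
       AS has_cve_2022_2625_fix;

-- 2. Extension members whose owner differs from the extension owner.
--    pg_depend rows with deptype 'e' link every member object to its
--    extension. Only the common member catalogs are resolved here; other
--    object kinds appear with a NULL member_owner and should be reviewed
--    by hand rather than assumed clean.
WITH members AS (
    SELECT e.extname,
           e.extowner,
           d.classid,
           d.objid,
           d.objsubid,
           CASE d.classid
             WHEN 'pg_catalog.pg_proc'::regclass::oid
               THEN (SELECT proowner FROM pg_proc      WHERE oid = d.objid)
             WHEN 'pg_catalog.pg_class'::regclass::oid
               THEN (SELECT relowner FROM pg_class     WHERE oid = d.objid)
             WHEN 'pg_catalog.pg_type'::regclass::oid
               THEN (SELECT typowner FROM pg_type      WHERE oid = d.objid)
             WHEN 'pg_catalog.pg_operator'::regclass::oid
               THEN (SELECT oprowner FROM pg_operator  WHERE oid = d.objid)
             WHEN 'pg_catalog.pg_namespace'::regclass::oid
               THEN (SELECT nspowner FROM pg_namespace WHERE oid = d.objid)
           END AS member_owner
    FROM pg_depend d
    JOIN pg_extension e
      ON d.refclassid = 'pg_catalog.pg_extension'::regclass
     AND d.refobjid   = e.oid
    WHERE d.deptype = 'e'
)
SELECT extname,
       pg_describe_object(classid, objid, objsubid) AS member,
       pg_get_userbyid(extowner)                    AS extension_owner,
       pg_get_userbyid(member_owner)                AS member_owner
FROM members
WHERE member_owner IS DISTINCT FROM extowner
ORDER BY extname, member;
```

A clean host returns no rows from the second query (apart from any NULL member_owner rows for object kinds the CASE does not resolve). A row whose member_owner is an ordinary role rather than the extension owner is the situation the changelog describes: that role can still ALTER or CREATE OR REPLACE the object, and every other user calling it through the extension runs whatever that role puts there. Upgrading to 11.17 stops new adoptions but does not repair such rows; the object has to be dropped and recreated from the extension script, or its ownership transferred, under the extension owner.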
Re: EOL candidates for security-support-ended.deb10 (recap)
On 10/08/2022 17:10, Sylvain Beucler wrote:
> Hi,
>
> On 10/08/2022 11:47, Emilio Pozuelo Monfort wrote:
>> On 09/08/2022 19:04, Sylvain Beucler wrote:
>>> Here's a little recap for security-support-ended.deb9 -> deb10 evaluation,
>>> following our discussion, also including dropped entries for
>>> completeness/transparency:
>>>
>>> Supported again in buster:
>>> - ansible
>>> - chromium
>>
>> chromium was already EOL'd in buster by the Security Team:
>> https://lists.debian.org/debian-security-announce/2022/msg00012.html
>> We should keep it unsupported, I'd say.
>
> Thanks, it wasn't marked unsupported in security-support-ended.deb10, so I
> assumed support was still ongoing (I should have perused the latest DSAs).
> It now is referenced:
> https://salsa.debian.org/debian/debian-security-support/-/commit/4ae91af1a7f8bd317e6e24ffcf6ed22fbc6cccb8

I see those changes were applied in the master branch. Should they be backported to the buster branch, with an eventual upload / DLA?

Cheers,
Emilio