Accepted postgresql-15 15.4-0+deb12u1 (source) into proposed-updates
- To: debian-changes@lists.debian.org
- Subject: Accepted postgresql-15 15.4-0+deb12u1 (source) into proposed-updates
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Thu, 12 Oct 2023 06:32:32 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: postgresql-15_15.4-0+deb12u1_source.changes
- Debian-source: postgresql-15
- Debian-suite: proposed-updates
- Debian-version: 15.4-0+deb12u1
- Mail-followup-to: debian-devel@lists.debian.org
- Message-id: <E1qqpFI-002XdN-Oo@fasolo.debian.org>
- Reply-to: debian-devel@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 01 Oct 2023 21:50:06 +0200
Source: postgresql-15
Architecture: source
Version: 15.4-0+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
postgresql-15 (15.4-0+deb12u1) bookworm; urgency=medium
.
  * New upstream version.
.
    + Disallow substituting a schema or owner name into an extension script if
      the name contains a quote, backslash, or dollar sign (Noah Misch)
      This restriction guards against SQL-injection hazards for trusted
      extensions.
      The PostgreSQL Project thanks Micah Gate, Valerie Woolard, Tim
      Carey-Smith, and Christoph Berg for reporting this problem.
      (CVE-2023-39417)
.
    + Fix MERGE to enforce row security policies properly (Dean Rasheed)
      When MERGE performs an UPDATE action, it should enforce any UPDATE or
      SELECT RLS policies defined on the target table, to be consistent with
      the way that a plain UPDATE with a WHERE clause works. Instead it was
      enforcing INSERT RLS policies for both INSERT and UPDATE actions.
      In addition, when MERGE performs a DO NOTHING action, it applied the
      target table's DELETE RLS policies to existing rows, even though those
      rows are not being deleted. While it's not a security problem, this
      could result in unwanted errors.
      The PostgreSQL Project thanks Dean Rasheed for reporting this problem.
      (CVE-2023-39418)
Checksums-Sha1:
283d957c3c2c32d2ff80f8643c0c876d031d28a4 3919 postgresql-15_15.4-0+deb12u1.dsc
9024e68120af0f033d3331c7f298af5a7b2e2bce 22850355 postgresql-15_15.4.orig.tar.bz2
8eeab041a0468b65e363d56e1871a52f82387a42 24052 postgresql-15_15.4-0+deb12u1.debian.tar.xz
Checksums-Sha256:
a3c9f2258edbc09878698090467593df81f040aaf90bc623a0475b80a2bf3396 3919 postgresql-15_15.4-0+deb12u1.dsc
baec5a4bdc4437336653b6cb5d9ed89be5bd5c0c58b94e0becee0a999e63c8f9 22850355 postgresql-15_15.4.orig.tar.bz2
a3e9a415cdb637e607d50a18603b2611fe80d6a5b3bff12860900a007c60654e 24052 postgresql-15_15.4-0+deb12u1.debian.tar.xz
Files:
969ac369421d54a355b6d93f2c198fb5 3919 database optional postgresql-15_15.4-0+deb12u1.dsc
f2f861fb99d742cb9c2f8aa46a8a947d 22850355 database optional postgresql-15_15.4.orig.tar.bz2
c4fe85144ffd53381d5561c684a85e70 24052 database optional postgresql-15_15.4-0+deb12u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----