[ubuntu/noble-security] postgresql-16 16.4-0ubuntu0.24.04.1 (Accepted)
Leonidas S. Barbosa
leo.barbosa at canonical.com
Mon Aug 19 14:51:41 UTC 2024
postgresql-16 (16.4-0ubuntu0.24.04.1) noble-security; urgency=medium
* New upstream version (LP: #2076183).
+ A dump/restore is not required for those running 16.X.
+ However, if you are upgrading from a version earlier than 16.3, see
those release notes as well please.
+ Prevent unauthorized code execution during pg_dump (Masahiko Sawada)
An attacker able to create and drop non-temporary objects could inject
SQL code that would be executed by a concurrent pg_dump session with the
privileges of the role running pg_dump (which is often a superuser).
The attack involves replacing a sequence or similar object with a view
or foreign table that will execute malicious code. To prevent this,
introduce a new server parameter restrict_nonsystem_relation_kind that
can disable expansion of non-builtin views as well as access to foreign
tables, and teach pg_dump to set it when available. Note that the
attack is prevented only if both pg_dump and the server it is dumping
from are new enough to have this fix.
The PostgreSQL Project thanks Noah Misch for reporting this problem.
(CVE-2024-7348)
+ Details about these and many further changes can be found at:
https://www.postgresql.org/docs/16/release-16-4.html.
* d/postgresql-16.NEWS: Update.
Date: 2024-08-13 17:02:09.348783+00:00
Changed-By: Athos Ribeiro <athos.ribeiro at canonical.com>
Signed-By: leo.barbosa at canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/postgresql-16/16.4-0ubuntu0.24.04.1
-------------- next part --------------
Sorry, changesfile not available.
More information about the noble-changes
mailing list