[ubuntu/oracular-proposed] postgresql-16 16.3-1 (Accepted)
Gianfranco Costamagna
costamagnagianfranco at yahoo.it
Tue May 28 09:27:15 UTC 2024
postgresql-16 (16.3-1) unstable; urgency=medium

  * New upstream version.
    + Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to
      the table owner (Nathan Bossart)

      These views failed to hide statistics for expressions that involve
      columns the accessing user does not have permission to read. View
      columns such as most_common_vals might expose security-relevant data.
      The potential interactions here are not fully clear, so in the interest
      of erring on the side of safety, make rows in these views visible only
      to the owner of the associated table.

      The PostgreSQL Project thanks Lukas Fittl for reporting this problem.
      (CVE-2024-4317)

      By itself, this fix will only fix the behavior in newly initdb'd
      database clusters. If you wish to apply this change in an existing
      cluster, you will need to do the following:

      In each database of the cluster, run the fix-CVE-2024-4317.sql script
      as superuser. In psql this would look like

        \i /usr/share/postgresql/16/fix-CVE-2024-4317.sql

      Any error probably indicates that you've used the wrong script
      version. It will not hurt to run the script more than once.

      Do not forget to include the template0 and template1 databases, or the
      vulnerability will still exist in databases you create later. To fix
      template0, you'll need to temporarily make it accept connections. Do
      that with

        ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;

      and then after fixing template0, undo it with

        ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
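The per-database procedure above, as an added shell script that is not part of the changelog or of PostgreSQL's own tooling. It assumes psql is on PATH, that the libpq environment variables (PGHOST, PGUSER, ...) give a superuser connection, and that a maintenance database named postgres exists:

```shell
#!/bin/sh
# Added example, not from the Debian changelog or the PostgreSQL project:
# apply fix-CVE-2024-4317.sql to every database in a cluster, template0 and
# template1 included. Assumes psql on PATH and libpq environment variables
# (PGHOST, PGUSER, ...) that give a superuser connection.
set -eu

PSQL="${PSQL:-psql}"   # override with a logging wrapper for a dry run
SCRIPT="${SCRIPT:-/usr/share/postgresql/16/fix-CVE-2024-4317.sql}"

# Run one SQL statement in a database. ON_ERROR_STOP turns a failing
# statement into a non-zero exit instead of a message that scrolls past.
run_sql() {
    $PSQL -X -q -v ON_ERROR_STOP=1 -d "$1" -c "$2"
}

# Apply the fix script to one database. The script is idempotent, so a
# rerun is harmless; an error most likely means the wrong script version.
fix_database() {
    $PSQL -X -q -v ON_ERROR_STOP=1 -d "$1" -f "$SCRIPT"
}

# template0 refuses connections by default; allow them only while the fix
# runs and restore the setting afterwards even if the fix failed.
fix_template0() {
    run_sql postgres "ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;"
    status=0
    fix_database template0 || status=$?
    run_sql postgres "ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;"
    return "$status"
}

# Every database that currently accepts connections: template1 and all
# user databases. template0 is handled separately above.
list_connectable_databases() {
    $PSQL -X -A -t -d postgres -c \
        "SELECT datname FROM pg_database WHERE datallowconn ORDER BY datname;"
}

fix_cluster() {
    list_connectable_databases | while IFS= read -r db; do
        fix_database "$db"
    done
    fix_template0
}

# Only act when invoked as "fix-cluster.sh apply"; otherwise just define.
if [ "${1:-}" = "apply" ]; then
    fix_cluster
fi
```

Running it with PSQL set to a wrapper that only prints its arguments shows the exact psql invocations before touching a real cluster.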
Date: 2024-05-09 22:33:46.784002+00:00
Signed-By: Gianfranco Costamagna <costamagnagianfranco at yahoo.it>
https://launchpad.net/ubuntu/+source/postgresql-16/16.3-1