-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed,  8 Jul 2026 19:40:41 CEST
Source: pgextwlist
Architecture: source
Version: 1.19-1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <[email protected]>
Changed-By: Christoph Berg <[email protected]>
Changes:
 pgextwlist (1.19-1+deb13u1) trixie-security; urgency=medium
 .
   * Reject substituting extension schemas or owners matching ["$'\].
 .
     The extwlist.custom_path script mechanism was vulnerable to SQL
     injection via crafted schema and user names. The same problem was fixed
     in August 2023 in PostgreSQL (cd5f2a3570), and is now fixed in
     pgextwlist as well. Substitutions that attempt to insert any of "$'\ are
     now simply rejected. (We don't try to quote the values as we don't know
     which quoting context we are in.)
 .
     CVE-2023-39417
Checksums-Sha256: 
 ebf7ea470f27ff4b083ee873d9d891c9542f45945802b6a3bfa0f22267ceedd9 2175 
pgextwlist_1.19-1+deb13u1.dsc
 4ef570146b1cdd89c7142322343dca297bf0079cb494bfecbe8a170574c1b115 5544 
pgextwlist_1.19-1+deb13u1.debian.tar.xz
 449cf6a277bcd590b59c151d24ae670e86fd9bde32f30925163e452653f59be4 19593 
pgextwlist_1.19.orig.tar.gz
Checksums-Sha1: 
 fb15e6151d7812ae82a8faa8378f5a4707ad9d0f 2175 pgextwlist_1.19-1+deb13u1.dsc
 1331193ac63a7df91a6ca617710948b1e0f2d5b9 5544 
pgextwlist_1.19-1+deb13u1.debian.tar.xz
 e2c59f4f20911e67185db6d2facc123b09dd5781 19593 pgextwlist_1.19.orig.tar.gz
Files: 
 c63b3d8e413e6d454b0a627579fccccf 2175 database optional 
pgextwlist_1.19-1+deb13u1.dsc
 a8ccafdfeead2bc44508df4f746e672e 5544 database optional 
pgextwlist_1.19-1+deb13u1.debian.tar.xz
 941ad7cd1f9bd64036912dc72b81afc4 19593 database optional 
pgextwlist_1.19.orig.tar.gz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAmpOi6oACgkQTFprqxLS
p66YohAApupTX+MYjhb0IQci1oTNmwdo++mPz7ItaLIB8XEBsrNLmKgy3XBT2LZo
zrHKArBdMlrvIn7wkIRyKJd9nkMhQu/1C8XX8BPKU6rmcEZNgz4N4XQkwxl19KIW
0/QOSFcn+GrsFAen5xSaQBCXY4rlsOgR7GnEKe/GjqJSWhpQD+hNiEta7OKxDlNM
CJwgNLxZ/3A7SPF3w8M5ridWBt4UeBhqEIQgrmQ7zgFuJ+Hgr025CcxTOOpTkeMn
eT11asjH9q+/YRCEiWEJ4vccWKo5PKrCiZIt1qoSlFdamYILK7NV9aBfFyXRucyd
DhL1ZFnr+ivlLI/ikob/ubZxdRzvHz5aUjHjlQRLZSbfddThr7WmWJqZu+ehpjC0
DfanqYVbfZxw3zeGM20h8KUeU5H4dsn90OEO/lokvjGq0WUGl7az8k4Pta6t/L3A
4s9j0OztCSEx4V5fy2CNQEFSgjAGRyFrRaUeAIKHfhuEnnegvq5RFwgGVD/wiVxi
e1k+k63yWL+B9p+LPExcKbthMkcF0d7XTVGeUaRLg3NNm/2oHbRSbBwgxO6zWSSQ
/2RKcdhXMyO/UtI8t/+PbpTNGa6hOg0DjNk6KFu1KTDbgsyyd4lgdcXlxjyePBVj
yE0ifWFYAabp1zztlMwL5N/fS+C0fk01ww6tSFfPm71iEyUDiVc=
=rmTz
-----END PGP SIGNATURE-----

Attachment: pgpdHE7ve2cvI.pgp
Description: PGP signature

Reply via email to