Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: postgresql...@packages.debian.org
Control: affects -1 + src:postgresql-15

Please unblock package postgresql-15.

[ Reason ]
The new version fixes CVE-2023-2454 and CVE-2023-2455.

[ Impact ]
CVE-2023-2454 and CVE-2023-2455.

[ Tests ]
The package passes all the built-in regression tests and the
postgresql-common testsuite.

[ Risks ]
New PostgreSQL upstream releases are generally accepted.

[ Checklist ]
(No changes in debian/ except for the changelog)
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in testing

postgresql-15 (15.3-0+deb12u1) unstable; urgency=medium

  * New upstream version.
    + Prevent CREATE SCHEMA from defeating changes in search_path
      (Report and fix by Alexander Lakhin, CVE-2023-2454)
      Within a CREATE SCHEMA command, objects in the prevailing
      search_path, as well as those in the newly-created schema, would
      be visible even within a called function or script that attempted
      to set a secure search_path. This could allow any user having
      permission to create a schema to hijack the privileges of a
      security definer function or extension script.
    + Enforce row-level security policies correctly after inlining a
      set-returning function (Report by Wolfgang Walther, CVE-2023-2455)
      If a set-returning SQL-language function refers to a table having
      row-level security policies, and it can be inlined into a calling
      query, those RLS policies would not get enforced properly in some
      cases involving re-using a cached plan under a different role.
      This could allow a user to see or modify rows that should have
      been invisible.

 -- Christoph Berg <m...@debian.org>  Tue, 09 May 2023 19:05:02 +0200

unblock postgresql-15/15.3-0+deb12u1

Thanks,
Christoph
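The checks a database operator would run after installing this update, as an added example that is not part of the unblock request or of the postgresql-15 package. It does not reproduce either CVE; it confirms the server is on the fixed 15.x release (server_version_num is 150003 for 15.3), lists SECURITY DEFINER functions that carry no search_path setting in pg_proc.proconfig (the functions most exposed to search_path hijacking), and shows the hardened shape the PostgreSQL manual recommends for such functions. The schema app, table app.accounts and function app.account_balance are hypothetical names introduced for the illustration.

```sql
-- 1. Confirm the running server carries the CVE-2023-2454 / CVE-2023-2455
--    fixes for the 15 branch (15.3 or later). Expected: fixed = true.
SELECT current_setting('server_version_num')::int >= 150003 AS fixed,
       current_setting('server_version') AS server_version;

-- 2. Audit: SECURITY DEFINER functions outside the system schemas that do
--    not pin search_path via a SET clause. pg_proc.proconfig holds the
--    per-function settings as 'name=value' strings, or NULL if none.
SELECT n.nspname AS schema,
       p.proname AS function,
       pg_catalog.pg_get_userbyid(p.proowner) AS owner
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT EXISTS (
        SELECT 1
        FROM unnest(coalesce(p.proconfig, '{}'::text[])) AS cfg
        WHERE cfg LIKE 'search_path=%')
ORDER BY 1, 2;

-- 3. Hardened SECURITY DEFINER function (hypothetical app.account_balance):
--    search_path is pinned to pg_catalog plus pg_temp (pg_temp last, so a
--    temp-schema object cannot shadow a catalog one), every referenced
--    object is schema-qualified, and PUBLIC loses EXECUTE by default.
CREATE SCHEMA IF NOT EXISTS app;

CREATE TABLE IF NOT EXISTS app.accounts (
    account_id bigint PRIMARY KEY,
    owner_role text NOT NULL,
    balance    numeric(12,2) NOT NULL
);

CREATE OR REPLACE FUNCTION app.account_balance(p_account_id bigint)
RETURNS numeric
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
    SELECT a.balance
    FROM app.accounts AS a
    WHERE a.account_id = p_account_id
      AND a.owner_role = pg_catalog.current_user;
$$;

REVOKE ALL ON FUNCTION app.account_balance(bigint) FROM PUBLIC;
-- GRANT EXECUTE ON FUNCTION app.account_balance(bigint) TO <role>; as needed.
```

Query 2 is the one worth keeping in a periodic check: any row it returns is a function whose privileges depend on the caller's search_path, which is exactly the surface CVE-2023-2454 widened inside CREATE SCHEMA. The search_path pin in step 3 is the documented baseline for SECURITY DEFINER functions and is needed on patched servers as well; it is not a substitute for the 15.3 update.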