Format: 1.8
Date: Tue, 12 Nov 2024 15:06:10 +0100
Source: postgresql-15
Binary: libecpg-compat3 libecpg-compat3-dbgsym libecpg-dev libecpg-dev-dbgsym libecpg6 libecpg6-dbgsym libpgtypes3 libpgtypes3-dbgsym libpq-dev libpq5 libpq5-dbgsym postgresql-15 postgresql-15-dbgsym postgresql-client-15 postgresql-client-15-dbgsym postgresql-plperl-15 postgresql-plperl-15-dbgsym postgresql-plpython3-15 postgresql-plpython3-15-dbgsym postgresql-pltcl-15 postgresql-pltcl-15-dbgsym postgresql-server-dev-15
Architecture: arm64
Version: 15.9-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: arm Build Daemon (arm-ubc-05)
Changed-By: Christoph Berg
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6 - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 15
 libpq-dev - header files for libpq5 (PostgreSQL library)
 libpq5 - PostgreSQL C client library
 postgresql-15 - The World's Most Advanced Open Source Relational Database
 postgresql-client-15 - front-end programs for PostgreSQL 15
 postgresql-plperl-15 - PL/Perl procedural language for PostgreSQL 15
 postgresql-plpython3-15 - PL/Python 3 procedural language for PostgreSQL 15
 postgresql-pltcl-15 - PL/Tcl procedural language for PostgreSQL 15
 postgresql-server-dev-15 - development files for PostgreSQL 15 server-side programming
Changes:
 postgresql-15 (15.9-0+deb12u1) bookworm-security; urgency=medium
 .
   * New upstream version 15.9.
 .
     + Ensure cached plans are marked as dependent on the calling role when
       RLS applies to a non-top-level table reference (Nathan Bossart)
 .
       If a CTE, subquery, sublink, security invoker view, or coercion
       projection in a query references a table with row-level security
       policies, we neglected to mark the resulting plan as potentially
       dependent on which role is executing it. This could lead to later
       query executions in the same session using the wrong plan, and then
       returning or hiding rows that should have been hidden or returned
       instead.
 .
       The PostgreSQL Project thanks Wolfgang Walther for reporting this
       problem. (CVE-2024-10976)
 .
     + Make libpq discard error messages received during SSL or GSS
       protocol negotiation (Jacob Champion)
 .
       An error message received before encryption negotiation is
       completed might have been injected by a man-in-the-middle, rather
       than being real server output. Reporting it opens the door to
       various security hazards; for example, the message might spoof a
       query result that a careless user could mistake for correct output.
       The best answer seems to be to discard such data and rely only on
       libpq's own report of the connection failure.
 .
       The PostgreSQL Project thanks Jacob Champion for reporting this
       problem. (CVE-2024-10977)
 .
     + Fix unintended interactions between SET SESSION AUTHORIZATION and
       SET ROLE (Tom Lane)
 .
       The SQL standard mandates that SET SESSION AUTHORIZATION have a
       side-effect of doing SET ROLE NONE. Our implementation of that was
       flawed, creating more interaction between the two settings than
       intended. Notably, rolling back a transaction that had done SET
       SESSION AUTHORIZATION would revert ROLE to NONE even if that had
       not been the previous state, so that the effective user ID might
       now be different from what it had been before the transaction.
       Transiently setting session_authorization in a function SET clause
       had a similar effect. A related bug was that if a parallel worker
       inspected current_setting('role'), it saw none even when it should
       see something else.
 .
       The PostgreSQL Project thanks Tom Lane for reporting this problem.
       (CVE-2024-10978)
 .
     + Prevent trusted PL/Perl code from changing environment variables
       (Andrew Dunstan, Noah Misch)
 .
       The ability to manipulate process environment variables such as
       PATH gives an attacker opportunities to execute arbitrary code.
       Therefore, trusted PLs must not offer the ability to do that. To
       fix plperl, replace %ENV with a tied hash that rejects any
       modification attempt with a warning. Untrusted plperlu retains the
       ability to change the environment.
 .
       The PostgreSQL Project thanks Coby Abrams for reporting this
       problem. (CVE-2024-10979)