Format: 1.8
Date: Tue, 12 Nov 2024 15:06:10 +0100
Source: postgresql-15
Binary: libecpg-compat3 libecpg-compat3-dbgsym libecpg-dev libecpg-dev-dbgsym libecpg6 libecpg6-dbgsym libpgtypes3 libpgtypes3-dbgsym libpq-dev libpq5 libpq5-dbgsym postgresql-15 postgresql-15-dbgsym postgresql-client-15 postgresql-client-15-dbgsym postgresql-plperl-15 postgresql-plperl-15-dbgsym postgresql-plpython3-15 postgresql-plpython3-15-dbgsym postgresql-pltcl-15 postgresql-pltcl-15-dbgsym postgresql-server-dev-15
Architecture: i386
Version: 15.9-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-conova-02)
Changed-By: Christoph Berg
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6 - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 15
 libpq-dev - header files for libpq5 (PostgreSQL library)
 libpq5 - PostgreSQL C client library
 postgresql-15 - The World's Most Advanced Open Source Relational Database
 postgresql-client-15 - front-end programs for PostgreSQL 15
 postgresql-plperl-15 - PL/Perl procedural language for PostgreSQL 15
 postgresql-plpython3-15 - PL/Python 3 procedural language for PostgreSQL 15
 postgresql-pltcl-15 - PL/Tcl procedural language for PostgreSQL 15
 postgresql-server-dev-15 - development files for PostgreSQL 15 server-side programming
Changes:
 postgresql-15 (15.9-0+deb12u1) bookworm-security; urgency=medium
 .
   * New upstream version 15.9.
 .
     + Ensure cached plans are marked as dependent on the calling role when
       RLS applies to a non-top-level table reference (Nathan Bossart)
 .
       If a CTE, subquery, sublink, security invoker view, or coercion
       projection in a query references a table with row-level security
       policies, we neglected to mark the resulting plan as potentially
       dependent on which role is executing it. This could lead to later
       query executions in the same session using the wrong plan, and then
       returning or hiding rows that should have been hidden or returned
       instead.
 .
       The PostgreSQL Project thanks Wolfgang Walther for reporting this
       problem. (CVE-2024-10976)
 .
     + Make libpq discard error messages received during SSL or GSS
       protocol negotiation (Jacob Champion)
 .
       An error message received before encryption negotiation is completed
       might have been injected by a man-in-the-middle, rather than being
       real server output. Reporting it opens the door to various security
       hazards; for example, the message might spoof a query result that a
       careless user could mistake for correct output. The best answer seems
       to be to discard such data and rely only on libpq's own report of the
       connection failure.
 .
       The PostgreSQL Project thanks Jacob Champion for reporting this
       problem. (CVE-2024-10977)
 .
     + Fix unintended interactions between SET SESSION AUTHORIZATION and
       SET ROLE (Tom Lane)
 .
       The SQL standard mandates that SET SESSION AUTHORIZATION have a
       side-effect of doing SET ROLE NONE. Our implementation of that was
       flawed, creating more interaction between the two settings than
       intended. Notably, rolling back a transaction that had done SET
       SESSION AUTHORIZATION would revert ROLE to NONE even if that had not
       been the previous state, so that the effective user ID might now be
       different from what it had been before the transaction. Transiently
       setting session_authorization in a function SET clause had a similar
       effect. A related bug was that if a parallel worker inspected
       current_setting('role'), it saw "none" even when it should see
       something else.
 .
       The PostgreSQL Project thanks Tom Lane for reporting this problem.
       (CVE-2024-10978)
 .
     + Prevent trusted PL/Perl code from changing environment variables
       (Andrew Dunstan, Noah Misch)
 .
       The ability to manipulate process environment variables such as PATH
       gives an attacker opportunities to execute arbitrary code. Therefore,
       trusted PLs must not offer the ability to do that. To fix plperl,
       replace %ENV with a tied hash that rejects any modification attempt
       with a warning. Untrusted plperlu retains the ability to change the
       environment.
 .
       The PostgreSQL Project thanks Coby Abrams for reporting this problem.
       (CVE-2024-10979)
Checksums-Sha1:
Checksums-Sha256:
Files: