-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 12 Nov 2024 15:06:10 +0100
Source: postgresql-15
Binary: libecpg-compat3 libecpg-compat3-dbgsym libecpg-dev libecpg-dev-dbgsym libecpg6 libecpg6-dbgsym libpgtypes3 libpgtypes3-dbgsym libpq-dev libpq5 libpq5-dbgsym postgresql-15 postgresql-15-dbgsym postgresql-client-15 postgresql-client-15-dbgsym postgresql-plperl-15 postgresql-plperl-15-dbgsym postgresql-plpython3-15 postgresql-plpython3-15-dbgsym postgresql-pltcl-15 postgresql-pltcl-15-dbgsym postgresql-server-dev-15
Architecture: armel
Version: 15.9-0+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: arm Build Daemon (arm-ubc-03)
Changed-By: Christoph Berg
Description:
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6    - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 15
 libpq-dev  - header files for libpq5 (PostgreSQL library)
 libpq5     - PostgreSQL C client library
 postgresql-15 - The World's Most Advanced Open Source Relational Database
 postgresql-client-15 - front-end programs for PostgreSQL 15
 postgresql-plperl-15 - PL/Perl procedural language for PostgreSQL 15
 postgresql-plpython3-15 - PL/Python 3 procedural language for PostgreSQL 15
 postgresql-pltcl-15 - PL/Tcl procedural language for PostgreSQL 15
 postgresql-server-dev-15 - development files for PostgreSQL 15 server-side programming
Changes:
 postgresql-15 (15.9-0+deb12u1) bookworm-security; urgency=medium
 .
   * New upstream version 15.9.
 .
     + Ensure cached plans are marked as dependent on the calling role when
       RLS applies to a non-top-level table reference (Nathan Bossart)
 .
       If a CTE, subquery, sublink, security invoker view, or coercion
       projection in a query references a table with row-level security
       policies, we neglected to mark the resulting plan as potentially
       dependent on which role is executing it. This could lead to later
       query executions in the same session using the wrong plan, and then
       returning or hiding rows that should have been hidden or returned
       instead.
 .
       The PostgreSQL Project thanks Wolfgang Walther for reporting this
       problem. (CVE-2024-10976)
 .
     + Make libpq discard error messages received during SSL or GSS
       protocol negotiation (Jacob Champion)
 .
       An error message received before encryption negotiation is completed
       might have been injected by a man-in-the-middle, rather than being
       real server output. Reporting it opens the door to various security
       hazards; for example, the message might spoof a query result that a
       careless user could mistake for correct output. The best answer
       seems to be to discard such data and rely only on libpq's own report
       of the connection failure.
 .
       The PostgreSQL Project thanks Jacob Champion for reporting this
       problem. (CVE-2024-10977)
 .
     + Fix unintended interactions between SET SESSION AUTHORIZATION and
       SET ROLE (Tom Lane)
 .
       The SQL standard mandates that SET SESSION AUTHORIZATION have a
       side-effect of doing SET ROLE NONE. Our implementation of that was
       flawed, creating more interaction between the two settings than
       intended. Notably, rolling back a transaction that had done SET
       SESSION AUTHORIZATION would revert ROLE to NONE even if that had not
       been the previous state, so that the effective user ID might now be
       different from what it had been before the transaction. Transiently
       setting session_authorization in a function SET clause had a similar
       effect. A related bug was that if a parallel worker inspected
       current_setting('role'), it saw none even when it should see
       something else.
 .
       The PostgreSQL Project thanks Tom Lane for reporting this problem.
       (CVE-2024-10978)
 .
     + Prevent trusted PL/Perl code from changing environment variables
       (Andrew Dunstan, Noah Misch)
 .
       The ability to manipulate process environment variables such as
       PATH gives an attacker opportunities to execute arbitrary code.
       Therefore, trusted PLs must not offer the ability to do that. To fix
       plperl, replace %ENV with a tied hash that rejects any modification
       attempt with a warning. Untrusted plperlu retains the ability to
       change the environment.
 .
       The PostgreSQL Project thanks Coby Abrams for reporting this
       problem. (CVE-2024-10979)
Checksums-Sha1:
 03fc28e17ea76f0d2a75d8e906bcfbd823d2d1a3 16376 libecpg-compat3-dbgsym_15.9-0+deb12u1_armel.deb
 85d62cf8eeef5b9ab7b8f424ff871d52598651bb 16280 libecpg-compat3_15.9-0+deb12u1_armel.deb
 9c91c1fa60db71114bd904d909a87bf78b5cd5b5 231876 libecpg-dev-dbgsym_15.9-0+deb12u1_armel.deb
 e3a08c5b23015e37668598ba32b99de7780b8629 272948 libecpg-dev_15.9-0+deb12u1_armel.deb
 530f09c9f266559151f0fda7ef29762bf36d0402 110692 libecpg6-dbgsym_15.9-0+deb12u1_armel.deb
 cfe14ee6e65b8444036cb483d3094c766f30f028 55232 libecpg6_15.9-0+deb12u1_armel.deb
 de6ee91dec3a69dc17dec2b46194d05a9779ac7b 86564 libpgtypes3-dbgsym_15.9-0+deb12u1_armel.deb
 c49765f256ae637d49559398ad93d9d078f69055 41780 libpgtypes3_15.9-0+deb12u1_armel.deb
 e3ae1b3d5446d03d764f6a75c0b4cb249cab643a 133320 libpq-dev_15.9-0+deb12u1_armel.deb
 59c8a25b77c76677d24725e7d93d611c1e47e1df 269636 libpq5-dbgsym_15.9-0+deb12u1_armel.deb
 2403c2e10e4bc52640e0026e12a2c74032f03161 171112 libpq5_15.9-0+deb12u1_armel.deb
 cd015016a3838c1f6f3c966af8d2cb767a018708 16108840 postgresql-15-dbgsym_15.9-0+deb12u1_armel.deb
 bd7d18f4a0ed668f1390c505824a993efe712173 16835 postgresql-15_15.9-0+deb12u1_armel-buildd.buildinfo
 f8d13d52ea7387fc4d15d117a9f5ae7287325357 16127808 postgresql-15_15.9-0+deb12u1_armel.deb
 f984c9645d82c378cc21604d2739afdda1c27cf7 2226252 postgresql-client-15-dbgsym_15.9-0+deb12u1_armel.deb
 a2eb4fa885a0ce533e1b7518768d9b899bb63e2b 1603736 postgresql-client-15_15.9-0+deb12u1_armel.deb
 43681e55c924559798cbced60f37f650eca47bf8 181800 postgresql-plperl-15-dbgsym_15.9-0+deb12u1_armel.deb
 b2d86f983da3eeaa45703e89056a126f0724b2c9 87252 postgresql-plperl-15_15.9-0+deb12u1_armel.deb
 442588b300f8f528ac3242abf07829b8a8a26636 171992 postgresql-plpython3-15-dbgsym_15.9-0+deb12u1_armel.deb
 931178282af6fe786fbf076ff120627e93435019 106168 postgresql-plpython3-15_15.9-0+deb12u1_armel.deb
 2873267d2ce5a07004608ce24ca6feb7882a37f0 78044 postgresql-pltcl-15-dbgsym_15.9-0+deb12u1_armel.deb
 6f0aabdbe30320c68512fd7de2ccfaa1302d05ca 39928 postgresql-pltcl-15_15.9-0+deb12u1_armel.deb
 3dd2637f9ee63a5f1d96a2c7040e89e60643574e 1131972 postgresql-server-dev-15_15.9-0+deb12u1_armel.deb
Checksums-Sha256:
 358dee995de13cbe6bc0b43f124e6167178247f5f07eb6214eb9c13e8d0ed5de 16376 libecpg-compat3-dbgsym_15.9-0+deb12u1_armel.deb
 a4d7909fd31589bc002d7dfd9754f1e56073fa628735c107f0334dc39477b817 16280 libecpg-compat3_15.9-0+deb12u1_armel.deb
 0681b2dd2d04d6b13f8342677f0fb5506b2a807cb2d51348a885c35f3492d211 231876 libecpg-dev-dbgsym_15.9-0+deb12u1_armel.deb
 2b269290fe0a3613669f8a1a5b0d49131f010ca3201f6ec45eabbc3387390dd1 272948 libecpg-dev_15.9-0+deb12u1_armel.deb
 a9d5f6ccfdba4ae9d95c5dd630413266fb9a0305c2436af57af4b3359024a79c 110692 libecpg6-dbgsym_15.9-0+deb12u1_armel.deb
 657ea80f05150e1eab7d92cb3aa60d70955891c3d402a823104d0207aeb93031 55232 libecpg6_15.9-0+deb12u1_armel.deb
 7952d76b082f5036c86598cfe73b4e817b19fb7525bea6cf84ada5d54b3d50d9 86564 libpgtypes3-dbgsym_15.9-0+deb12u1_armel.deb
 a33f77ac79a625ca6e0d1f1f364c171e2fb97ffe40311bce1c173c182385290f 41780 libpgtypes3_15.9-0+deb12u1_armel.deb
 6e295e58bcce35094f30a842ef05fb53aa06c6c246c39a1c552cb686de33e9d3 133320 libpq-dev_15.9-0+deb12u1_armel.deb
 1bbcc230eb5340b547ecc9e6d78fad20858383e7613b751d2b692f9b70c40e36 269636 libpq5-dbgsym_15.9-0+deb12u1_armel.deb
 d0dde73d67e7160f27db2a2fe18aa954910cb6bab08611c7fd4bcf0649c6f5e2 171112 libpq5_15.9-0+deb12u1_armel.deb
 a0d0156e25db85d1e6e47fcfaae0966e89d12144e116fd0041399c156527e06d 16108840 postgresql-15-dbgsym_15.9-0+deb12u1_armel.deb
 b98e42829cecaecb0dc57b3565e84e9457ae8745b1ca261e0e297ce7beb51a3f 16835 postgresql-15_15.9-0+deb12u1_armel-buildd.buildinfo
 22f1f0cb44c04cc63ca34a02d5833facaa3e96ba6ee36c07c1a9efb5f6f6892e 16127808 postgresql-15_15.9-0+deb12u1_armel.deb
 87e4a88fd4786ab6eadf5fd51f5156ba2aed6eb3ebf5540f5536140df1a9a470 2226252 postgresql-client-15-dbgsym_15.9-0+deb12u1_armel.deb
 b311b1d080e69365cbff074735007d52020e64d699679955757f135f1b3071b2 1603736 postgresql-client-15_15.9-0+deb12u1_armel.deb
 587347414bf920454aef7435eb1b54a21a71eff0111265b15dca70e28af47247 181800 postgresql-plperl-15-dbgsym_15.9-0+deb12u1_armel.deb
 229f8c926cd737eaa6dbc8a955bb79e95c70c1a3db7a5a9570c454435df07cad 87252 postgresql-plperl-15_15.9-0+deb12u1_armel.deb
 36808d071a5c35d18f39b44050218d470e463ce3dabaaa52c36615dceead311d 171992 postgresql-plpython3-15-dbgsym_15.9-0+deb12u1_armel.deb
 c021e38decc72285001b51a532152f2cff4825cb283ccd99b67d9a4c3a1689aa 106168 postgresql-plpython3-15_15.9-0+deb12u1_armel.deb
 52b414b80110e99015e69c5d28294b78be2ee6137e99f4d79d4c0c2c29fee1f7 78044 postgresql-pltcl-15-dbgsym_15.9-0+deb12u1_armel.deb
 5e3b1ee1b7af8d56c30116d2632f837b8662289ce0d2f19698e318271c6bf6cc 39928 postgresql-pltcl-15_15.9-0+deb12u1_armel.deb
 29f13645d9e7e5dbbc108a35a4c5bcd83d20d36db26fd091ddc2bd1705e7f279 1131972 postgresql-server-dev-15_15.9-0+deb12u1_armel.deb
Files:
 bd257892e8b6abe703bf106c775a1989 16376 debug optional libecpg-compat3-dbgsym_15.9-0+deb12u1_armel.deb
 b9c07f136c3517095c647214fa400775 16280 libs optional libecpg-compat3_15.9-0+deb12u1_armel.deb
 982a447549d975468b5c6f1a0ee33a93 231876 debug optional libecpg-dev-dbgsym_15.9-0+deb12u1_armel.deb
 1482b0f6c2e4995e8dd530f9d49c3fbe 272948 libdevel optional libecpg-dev_15.9-0+deb12u1_armel.deb
 75bbd8532034c4992d2bf30ea30089ca 110692 debug optional libecpg6-dbgsym_15.9-0+deb12u1_armel.deb
 ebfb7634ffbc6696d7b79a29b40fbacc 55232 libs optional libecpg6_15.9-0+deb12u1_armel.deb
 9d209f98d3ad9e2c598ee67ba5eb8f07 86564 debug optional libpgtypes3-dbgsym_15.9-0+deb12u1_armel.deb
 2a04d84d753b65108c0c5e27a0c1a1b2 41780 libs optional libpgtypes3_15.9-0+deb12u1_armel.deb
 3f75a3e5938c0fc4d7b10956ffbde951 133320 libdevel optional libpq-dev_15.9-0+deb12u1_armel.deb
 fe2d463a903cf0c3b43a368eedce4f14 269636 debug optional libpq5-dbgsym_15.9-0+deb12u1_armel.deb
 f0dadb6779fea1f0c136da2cf14ec3f4 171112 libs optional libpq5_15.9-0+deb12u1_armel.deb
 883ab3005093682ecf181e5e40490edd 16108840 debug optional postgresql-15-dbgsym_15.9-0+deb12u1_armel.deb
 961536a6e5b4b3f908902ec00d193071 16835 database optional postgresql-15_15.9-0+deb12u1_armel-buildd.buildinfo
 83b4538d9602c843e4016637b4816005 16127808 database optional postgresql-15_15.9-0+deb12u1_armel.deb
 b0be3988319aed8459065d021b8ba6ce 2226252 debug optional postgresql-client-15-dbgsym_15.9-0+deb12u1_armel.deb
 0044e3fd4024102831a20b6523d6454b 1603736 database optional postgresql-client-15_15.9-0+deb12u1_armel.deb
 c3a6eec1690b89c74151a4cbedff6b60 181800 debug optional postgresql-plperl-15-dbgsym_15.9-0+deb12u1_armel.deb
 4122a785fc684d1b31c5f7073219a1da 87252 database optional postgresql-plperl-15_15.9-0+deb12u1_armel.deb
 d3e93ab1053863407227f54ba736e340 171992 debug optional postgresql-plpython3-15-dbgsym_15.9-0+deb12u1_armel.deb
 829ba173c7765ddd6239178261a23a2b 106168 database optional postgresql-plpython3-15_15.9-0+deb12u1_armel.deb
 804d88e0a7ae165ac7ede2c4bb078f0e 78044 debug optional postgresql-pltcl-15-dbgsym_15.9-0+deb12u1_armel.deb
 5ef1fef66f54ad91c6edb2159f513776 39928 database optional postgresql-pltcl-15_15.9-0+deb12u1_armel.deb
 86d1d0d06fdf6e732f8c5df28da99205 1131972 libdevel optional postgresql-server-dev-15_15.9-0+deb12u1_armel.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0+FegZ3qs8CHnZkx+XaKpT5fkBIFAmczkb0ACgkQ+XaKpT5f
kBIq3RAAh6RufuPVyt7omHY8BIjl+OOkT29D2BvSAqP/i4kZg1LaZBjTfbp89ZGW
rp36nDQ1rifcD9zVizsi9xyKkJ/xb1A7+K7pBBIqJSzhrTxlP3inGqRtpDBjLojh
q8JMvy5rJF3EPniqI5UQbSmMH3pLyWO2yiJ29SP2VPOr95DreNAdmnzpS7eJKE0f
jR7GPP804jv7wJEJGTgiU4/Q34vDwYmoF1bJRnTnKvCzypyXpJctHRglTpMhYJOY
IFOv6HeVSts3T/B4l4dVOtv8wzEGF+mIEi2/dKUaJZ6VE//YXHsF/pfzZ7ecVkoO
7uoJtEdH97BUBLkb6N7Qae9AQNRJPseKb4ntpgi7FUhoEp4h5vUX8Ahary2DCzAR
z1dN+PAfh5uVfjR74dnlYSINfA71zElsaCmWN0vJ0fOG3xuTfVcSDGOFgK8Whbgn
qwJTVs+v2uCorrstzyE/O9e1xyHZoChVZbz4IqHGvUucAwf4sd3q2ja+ntJ+owue
0K2KdG4jhRsCjl0fsGaSKYpQ5vp/jHZ+Trvojyq8K0mekQTlD8yoCKw0AGNodQve
KpdmoqH6hydYMSDw1FQ7+gnsHQoUxI7Kil6QLMPwn/LNWo/BdEmQ4AKNFE953yOT
oV/zRKH/A4Pp7oklsDjxWdmiXZAOU5AKx1bevLvISGzQ49FcRC0=
=lPsu
-----END PGP SIGNATURE-----
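The following psql script is an added post-upgrade check written for this page; it is not part of the Debian changes file above, nor of PostgreSQL's own regression tests. It exercises three of the four server-side fixes in the changelog in one superuser session: the role-dependent cached plan behind a CTE (CVE-2024-10976), the SET SESSION AUTHORIZATION / SET ROLE rollback interaction (CVE-2024-10978), and the read-only %ENV in trusted plperl (CVE-2024-10979). The libpq change (CVE-2024-10977) is client-side and is not covered. The roles alice and bob, the table docs, its policies and the function names are all constructed for the example; run it as a superuser in a scratch database on the 15.9 server, with postgresql-plperl-15 installed for the last section.

```sql
-- Constructed post-upgrade check (not from the changes file or PostgreSQL).
-- Run as a superuser in a throwaway database: psql -f this_file.sql

-- ---------- shared setup: two roles, one RLS-protected table ----------
CREATE ROLE alice;
CREATE ROLE bob;
CREATE TABLE docs (id int PRIMARY KEY, owner text NOT NULL);
INSERT INTO docs VALUES (1, 'alice'), (2, 'bob');
GRANT SELECT ON docs TO alice, bob;
ALTER TABLE docs ENABLE ROW LEVEL SECURITY;
-- Role-specific policies: the set of applicable policies, and therefore the
-- rewritten query and its plan, differs depending on which role executes it.
CREATE POLICY p_alice ON docs FOR SELECT TO alice USING (owner = 'alice');
CREATE POLICY p_bob   ON docs FOR SELECT TO bob   USING (owner = 'bob');

-- ---------- CVE-2024-10976: RLS table referenced only inside a CTE ----------
-- The prepared statement has no parameters, so its first execution produces
-- a generic plan that stays cached for the rest of the session. The docs
-- table is a non-top-level reference (inside the CTE), which is exactly the
-- case the changelog says was not marked as role-dependent.
SET ROLE alice;
PREPARE docs_via_cte AS
    WITH d AS (SELECT id, owner FROM docs) SELECT id FROM d ORDER BY id;
EXECUTE docs_via_cte;           -- planned and executed as alice
SET ROLE bob;
EXECUTE docs_via_cte;           -- must be re-planned under bob's policies
DEALLOCATE docs_via_cte;
RESET ROLE;

-- ---------- CVE-2024-10978: SET SESSION AUTHORIZATION inside a rolled-back tx ----------
SET ROLE bob;
SELECT session_user, current_user AS before_tx;
BEGIN;
SET SESSION AUTHORIZATION alice;   -- standard side effect: SET ROLE NONE
SELECT session_user, current_user AS inside_tx;
ROLLBACK;
-- After the rollback the effective user must be what it was before the
-- transaction (role bob), not the session user with role NONE.
SELECT session_user, current_user AS after_rollback;
RESET ROLE;

-- ---------- CVE-2024-10979: trusted plperl must not modify the environment ----------
CREATE EXTENSION IF NOT EXISTS plperl;
CREATE FUNCTION try_set_env() RETURNS text LANGUAGE plperl AS $$
    # Attempt to write to the backend's environment from trusted plperl.
    # PLPERL_DEMO is a harmless constructed variable name; the changelog's
    # example, PATH, would behave the same way.
    $ENV{PLPERL_DEMO} = 'changed';
    return defined $ENV{PLPERL_DEMO} ? $ENV{PLPERL_DEMO} : 'unset';
$$;
SELECT try_set_env();

-- ---------- cleanup ----------
DROP FUNCTION try_set_env();
DROP TABLE docs;
DROP ROLE alice, bob;
```

What to look for: under the policies defined above, the first EXECUTE returns only id 1 and the second only id 2; a server without the fix can reuse alice's cached plan for bob and return row 1 instead, which is the "returning rows that should have been hidden" case in the changelog. In the second section, the after_rollback query shows the superuser as session_user and bob as current_user on the fixed server; the changelog describes the unfixed behaviour as reverting the role to NONE, which would show the superuser for both columns. In the last section the assignment to %ENV is rejected with a WARNING and the function returns 'unset'; untrusted plperlu is deliberately unaffected, so do not expect the same result if you change the language to plperlu.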